
265: Swing and a WIF 

The Cloud Pod

Welcome to episode 265 of the Cloud Pod Podcast - where the forecast is always cloudy! Justin and Matthew are with you this week, and even though it’s a light news week, you’re definitely going to want to stick around. We’re looking forward to FinOps, talking about updates to Consul, WIF coming to Vault 1.17, and giving an intro to Databricks LakeFlow. Because we needed another lake product. Be sure to stick around for this week’s Cloud Journey series too.
Titles we almost went with this week:

• The CloudPod lets the DataLake flow

• Amazon attempts an international incident in Taiwan

• What’s your Vector Mysql?

A big thanks to this week’s sponsor:
We’re sponsorless! Want to reach a dedicated audience of cloud engineers? Send us an email, or hit us up on our Slack Channel and let’s chat!
General News
01:40 Consul 1.19 improves Kubernetes workflows, snapshot support, and Nomad integration (www.hashicorp.com/blog/consul...)

• Consul 1.19 is now generally available, improving the user experience, providing flexibility and enhancing integration points.

• Consul 1.19 introduces a new registration custom resource definition (CRD) that simplifies the process of registering external services into the mesh.

• Consul service mesh already supports routing to services outside of the mesh through terminating gateways (developer.hashicorp.com/consu...). However, there are advantages to using the new Registration CRD.

• Consul snapshots can now be stored in multiple destinations. Previously, you could only snapshot to a local path or to a remote object store destination, but not both.

• Now you can take a snapshot of NFS mounts, SAN-attached storage, or object storage.

• Consul API gateways can now be deployed on Nomad (developer.hashicorp.com/nomad...), combined with transparent proxy and enterprise features like admin partitions.

01:37 Matthew- “What I was surprised about, which I did not know, was that Consul API gateway can now be deployed on Nomad. Was it not able to be deployed before? Just feels weird… you know, Consul should be able to be deployed on Nomad compared to that. You know, it’s all the same company, but sometimes team A doesn’t always talk to team B.”
03:21 Vault 1.17 brings WIF, EST support for PKI, and more (www.hashicorp.com/blog/vault-...)

• Vault 1.17 (developer.hashicorp.com/vault...) is now generally available with new secure workflows, better performance and improved secrets management scalability.

• Key new features:

• Workload Identity Federation (WIF) (www.sans.org/webcasts/destroy...) allows you to eliminate concerns around providing security credentials to Vault plugins.

• Using the new support for WIF, a trust relationship can be established between an external system and Vault’s identity token provider to access the external system.

• This enables secretless configuration for plugins that integrate with external systems such as AWS, Azure and GCP.

• Two new major additions to PKI certificate management

• Support for IoT/EST-based devices

• Custom certificate metadata


• Vault Enterprise Seal High Availability: previously, you relied on a single key management system to store the Vault seal key securely.

• This could create a challenge if the KMS provider had an issue such as deletion, disaster recovery or compromise.

• In such a case the vault couldn’t be unsealed. Now, with the new HA feature, you can configure independent seals secured with multiple KMS providers.


• Extended namespace and mount limits

• Vault Secrets Operator (VSO) instant updates.


05:00 Justin - “As I was reading through it, I was like, yeah, if someone gets access to your account and can delete your KMS keys, then they could seal your vault and then you’re totally hosed. Yeah, it was definitely something I had not really considered at all. Even the Consul feature where they talked about the ability to do the backup to multiple systems.”
...

Published: 27 Jun 2024
