Making Use of Vault: Ansible

As we come towards the end of this mini series, we have talked about how to bootstrap a Hashicorp Vault for non-prod use, what primitives Vault uses for secrets management, and how to talk to Vault from Python. Here we will dig into how you can access Vault content within an Ansible workflow, ensuring you never again have the pain of managing secrets with ansible-vault, or worse, storing them in plain text in a repo somewhere.

Making Use of Vault: Python

It’s remarkably easy to get sucked into hardcoding things that probably should live outside your code. It is clear to many of us that storing secrets anywhere that isn’t Vault (or something like it) is a terrible practice. It is also true that the best laid plans of mice and men gang aft agley. In other words, the problem is rarely that we don’t want to do secure coding, it’s that we lack the time, talent, or awareness to do this right.

Hashi Vault Primitives

Some Vault primitives: pretty much everywhere you go in Vault you will find you need a few building blocks to make anything work. Env vars: regardless of how you choose to talk to Vault (CLI/Web API/SDK), you will find that the most common way to “encode” the Vault settings is in an environment variable. This is a nod towards its “cloud native” upbringing, where config files are the devil or something.

Bootstrapping Hashi Vault

Recently I have spent a reasonable amount of time in Hashicorp Vault. As part of a mini series on how to make better use of it in Network Automation, I started writing this as an “intro” to a post on the subject. As per usual with me, it ended up being so long that it had to be its own post. So. Here you are. Some of you might have opinions about Hashicorp and their licence changes.

My Updated Fiber7-X VyOS 1.5 Config

A while ago I wrote about my VyOS config for Init7’s Fiber7-X product. Since then there have been a number of breaking changes, and a few additions that I would like to cover. I will copy/paste a lot of the narrative from that post, and avoid a bit of the abstract conversation that went with it, so that this stands on its own. If you have questions or comments, hit me up.

Untangling My Brain From Autocon1

Last week I had some fun in Amsterdam, and at no point was there any debauchery. For those who are unaware, Autocon is a conference put together by the Network Automation Forum. Autocon1 was the second event ever, and the first in Europe. They ran Autocon0 in Denver in the Autumn of 2023. TL;DR: if you are in the network automation space, you have to try and get yourself there.

Using VPP as a MACSEC Replacement

As part of my VPP Adventures series, we have talked about what VPP is, why it’s interesting, and how we can prove it works. Today we spend a bit of time on what we can actually do with it. Who actually uses MACSEC these days? My first interest for a real world test of VPP was straight BGP routing for DFZ connected services. Kinda obvious, no? For long and complicated reasons, it actually wasn’t (more specifically it couldn’t: we use IS-IS as part of our edge routing environment and VPP has issues there).

VPP Adventures Part 3 - The Testbed

So far we have covered what VPP is, and why it’s interesting to us. Part of the story with any new service/implementation always centres around testing. How do you prove, definitively, that something does what it says on the tin? RFC2544 outlines a series of testing strategies, and for the purpose of this work we try to keep it simple. I have deployed a TRex traffic generator on Debian 11 (OFED 5.

VPP Adventures Part 2 - but why?

In the previous post we were talking about what VPP was. Here we explore a little of why it matters. What’s the point anyways? It’s a fair question. Surely it’s not logical to invest so much time and effort into something that has been described numerous times as “janky”. One of my engineers even now says, “I understand why you want to do it, but I don’t agree that this is the right solution”.

VPP Adventures Part 1 - uwotm8?

Linux Routing is becoming a thing with me. I can’t decide if the motivation is the extreme cost of dedicated hardware, or the knowledge that with a little effort you can make a free/cheap thing into a giant killer. David and Goliath is a fun story I guess. VPP has been on my radar now for a few years. I have tried and failed a few times to get it into production, typically on the internet edge of a datacentre in place of something expensive like a Cisco ASR or a Juniper MX.