Vault Audit Logging

I thought I was done with this series, but there are a few loose ends that I think we can clear up pretty quickly. The most important of these is audit logging, because what is the point of a secure secrets tool if you don’t track who does what (or, most importantly, fails to do what) with it. Let’s jump in! Enabling audit logs: enabling audit logging requires you to tell the Vault server that it should use one of the audit “device types” that it offers, with the required parameters.

Vault TLS With Network Appliances

Abstract: Now that we have a Vault, with a TLS issuing CA, and some idea of how to get certs out of it, let’s look at how we can use this in a “real” world scenario to put a valid TLS profile onto a Network Appliance (fancy word for a switch, I guess). Why did I say appliance, and not Router or Switch? Weeeeeell, think about it. You manage a lot of network stuff over HTTPS protocols these days, even when it’s not actually a web interface you are using to do it.

Using Vault PKI to Secure Devices

Abstract: Following on from the HashiCorp Vault “how-to” series, let’s dial things up a notch and set up a PKI in Vault that can issue “real” certificates for your devices. This has a couple of real, tangible benefits: no more verify=false and/or urllib hacks to connect to TLS-secured endpoints; no need to fight openssl to wrangle self-signed (or, for the really brave, a manual CA); full automation support to enable estate-wide renewal in minutes, not half a lifetime.

Making Use of Vault: Ansible

As we come towards the end of this mini-series, we have talked about how to bootstrap a HashiCorp Vault for non-prod use, what primitives Vault uses for secrets management, and how to talk to Vault from Python. Here we will dig into how you can access Vault content within an Ansible workflow, ensuring you never again have the pain of managing secrets with ansible-vault, or worse, storing them in plain text in a repo somewhere.

Making Use of Vault: Python

It’s remarkably easy to get sucked into hardcoding things that probably should live outside your code. It is clear to many of us that storing secrets anywhere that isn’t Vault (or something like it) is a terrible practice. It is also true that the best laid plans of mice and men gang aft agley. In other words, the problem is rarely that we don’t want to do secure coding; it’s that we lack the time, talent, or awareness to do it right.

Hashi Vault Primitives

Some Vault Primitives: Pretty much everywhere you go in Vault you will find you need a few building blocks to make anything work. Env Vars: Regardless of how you choose to talk to Vault (CLI/WebAPI/SDK), you will find that the most common way to “encode” the Vault settings is in an environment variable. This is a nod towards its “cloud native” upbringing, where config files are the devil or something.

Bootstrapping Hashi Vault

Recently I have spent a reasonable amount of time in HashiCorp Vault. As part of a mini-series on how to make better use of it in Network Automation, I started writing this as an “intro” to a post on the subject. As per usual with me, it ended up being so long that it had to be its own post. So. Here you are. Some of you might have opinions about HashiCorp and their licence changes.

My Updated Fiber7-X VyOS 1.5 Config

A while ago I wrote about my VyOS config for Init7’s Fiber7-X product. Since then there have been a number of breaking changes, and a few additions that I would like to cover. I will copy/paste a lot of the narrative from that post, and avoid a bit of the abstract conversation that went with it, so that this stands on its own. If you have questions or comments, hit me up.

Untangling My Brain From Autocon1

Last week I had some fun in Amsterdam, and at no point was there any debauchery. For those who are unaware, Autocon is a conference put together by the Network Automation Forum. Autocon1 was the second event ever, and the first in Europe. They ran Autocon0 in Denver in the autumn of 2023. TL;DR: if you are in the network automation space, you have to try and get yourself there.

Using VPP as a MACSEC Replacement

As part of my VPP Adventures series, we have talked about what VPP is, why it’s interesting, and how we can prove it works. Today we spend a bit of time on what we can actually do with it. Who actually uses MACSEC these days? My first interest for a real-world test of VPP was straight BGP routing for DFZ-connected services. Kinda obvious, no? For long and complicated reasons, it actually wasn’t (more specifically, it couldn’t: we use IS-IS as part of our edge routing environment and VPP has issues there).