
Correct, but it doesn't automate creation of new clusters (for dev, qa, stage, etc). You'd still need github.com/sethvargo/vault-init or similar to automate initialization, but unsealing can be automated in OSS now.
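The initialization step referred to above, as an added example (not code from the thread and not sethvargo/vault-init itself): a small loop in the style of vault-init that polls Vault's real `GET /v1/sys/init` endpoint, initializes the cluster once via `PUT /v1/sys/init`, and hands the root token and key shares straight to a store. It assumes the server already carries an auto-unseal `seal` stanza (for example `seal "awskms"`), which is why it asks for recovery shares rather than Shamir unseal shares; with auto-unseal the operator still has to initialize and still has to protect the root token and recovery keys. `HttpVault`, `FakeVault`, `ensure_initialized`, `watch` and the `store(name, value)` callable are assumptions of this example, and the in-memory store and fake server stand in for the KMS-encrypted bucket vault-init writes to.

```python
"""vault-init-style initialization loop (added example, not project code)."""
import base64
import json
import os
import time
import urllib.error
import urllib.request
from typing import Callable, Optional, Protocol


class VaultAPI(Protocol):
    def is_initialized(self) -> bool: ...
    def init(self, body: dict) -> dict: ...


class HttpVault:
    """Minimal client for the two real Vault calls the loop needs."""

    def __init__(self, addr: str) -> None:
        self.addr = addr.rstrip("/")

    def is_initialized(self) -> bool:
        with urllib.request.urlopen(f"{self.addr}/v1/sys/init", timeout=5) as r:
            return bool(json.load(r)["initialized"])

    def init(self, body: dict) -> dict:
        req = urllib.request.Request(
            f"{self.addr}/v1/sys/init",
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"},
            method="PUT",
        )
        with urllib.request.urlopen(req, timeout=30) as r:
            return json.load(r)


def init_request(auto_unseal: bool, shares: int = 5, threshold: int = 3) -> dict:
    """Auto-unseal seals issue recovery keys; Shamir seals issue unseal keys."""
    if auto_unseal:
        return {"recovery_shares": shares, "recovery_threshold": threshold}
    return {"secret_shares": shares, "secret_threshold": threshold}


def ensure_initialized(vault: VaultAPI, store: Callable[[str, str], None],
                       auto_unseal: bool = True, shares: int = 5,
                       threshold: int = 3) -> bool:
    """Initialize the cluster exactly once. True only if this call did it."""
    if vault.is_initialized():
        return False
    resp = vault.init(init_request(auto_unseal, shares, threshold))
    # This response is the only copy of the root token and key shares:
    # hand it to the (assumed KMS-backed) store at once and never log it.
    key_field = "recovery_keys_base64" if auto_unseal else "keys_base64"
    store("root-token", resp["root_token"])
    store("keys", "\n".join(resp[key_field]))
    return True


def watch(vault: VaultAPI, store: Callable[[str, str], None],
          interval: float = 10.0, max_rounds: Optional[int] = None, **kw) -> int:
    """Poll until Vault answers and is initialized; returns rounds used."""
    rounds = 0
    while max_rounds is None or rounds < max_rounds:
        rounds += 1
        try:
            ensure_initialized(vault, store, **kw)
            return rounds
        except (urllib.error.URLError, OSError):  # Vault not up yet
            time.sleep(interval)
    return rounds


class FakeVault:
    """Constructed in-memory stand-in so the example runs without a server."""

    def __init__(self, auto_unseal: bool = True) -> None:
        self.auto_unseal = auto_unseal
        self.initialized = False
        self.last_body: Optional[dict] = None

    def is_initialized(self) -> bool:
        return self.initialized

    def init(self, body: dict) -> dict:
        if self.initialized:  # real Vault answers 400 "Vault is already initialized"
            raise RuntimeError("Vault is already initialized")
        self.initialized = True
        self.last_body = body
        n = body.get("recovery_shares", body.get("secret_shares"))
        keys = [base64.b64encode(os.urandom(32)).decode() for _ in range(n)]
        field = "recovery_keys_base64" if self.auto_unseal else "keys_base64"
        return {"root_token": "hvs.constructed-root-token", field: keys}


if __name__ == "__main__":
    addr = os.environ.get("VAULT_ADDR")  # real server if set, fake otherwise
    saved: dict = {}
    target = HttpVault(addr) if addr else FakeVault()
    rounds = watch(target, saved.__setitem__, interval=1.0, max_rounds=5)
    print("rounds:", rounds, "stored:", sorted(saved))  # names only, never values
```

Pointed at a real server the loop is idempotent: a second run sees `initialized: true` and does nothing, which is what lets it sit as a sidecar that also covers clusters recreated for dev, qa and stage.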


You can use terraform to deploy Vault clusters. There's also a Helm chart available for deploying Vault onto Kubernetes.


It is still infrastructure that you run, and this is a real cost for lots of people. If you're running other people's terraform or whatever, it's also a black box of software YOU are on the hook for but that you don't know anything about until you have to (3-5 hours after the service has been down).


But nobody's saying to run "other people's terraform or whatever," or that you should be running a sensitive service that you "don't know anything about until you have to." Common sense doesn't go out the window just because we're talking about hosting Vault within your infrastructure.


You would think, but that's exactly what tons of people do. Many people do not include the cost of running a service in the cost. It's very easy when the install is nice and easy to just say "sweet, it's running" and pat hands, "it's done". Then you realize you have no idea what's going on when it's totes on fire. At least with hashi products they're open source, so you have a chance. And there's enterprise support, but you're still bleeding till you can get them in to help you out and understand what insanity you did with their product.

This is why SaaS is preferable in a lot of situations. If you're not great at ops and make bad decisions, hopefully the SaaS folks are better at this than you. If you're really good at ops and think a ton about this stuff, then running it yourself makes sense a lot of the time. And yes, with SaaS now you have lock-in and other problems, which have their own set of solutions you should make sure you are doing, like layers of abstraction.

Then you get into the self-fulfilling-infrastructure scenario. We're a vault shop, everyone use vault even for stuff that makes no sense to use vault for. Then rinse and repeat.

Or you get into the sunk cost fallacy with your ops team... "what will they do if we replace this with a SaaS", so you keep services around just to not fire people, not because they're the best solution anymore.

Lots of places to make bad decisions.


Again, I am not recommending that people run a service that they don't know how to operate.


You aren't, you're espousing a sane policy of actually understanding what you're doing; I agree with you.

I'm pointing out the whole "just run my pod" thing with tfn, or kube, leads people to thinking they're installing a phone app, not a multi-host, multi-protocol piece of software.

We're in violent agreement. We're just disagreeing about what the average person assumes.



