Short heads up: Vault's new 2.0.1 release doesn't work with their current Helm chart (as of v0.32.0) out of the box, due to the new CAP_IPC_LOCK required starting from that version.
Workaround is to add this to the values.yaml:
server.statefulSet:
securityContext:
container:
allowPrivilegeEscalation: false
capabilities:
add:
- IPC_LOCK
Envmap - Fini les fichiers .env qui traînent et finissent sur GitHub
https://fed.brid.gy/r/https://korben.info/envmap-secrets-sans-fichier-env-disque-github-leaks.html
Static Kubernetes ServiceAccount tokens are a long-standing security risk.
This post walks through authenticating workloads to HashiCorp Vault using JWT/OIDC, exchanging pod identity for short-lived, least-privilege Vault tokens via a Kubernetes-aware STS—without relying on static credentials.
#Kubernetes #HashiCorpVault #OIDC #WorkloadIdentity #ZeroTrust
https://www.tremolo.io/post/short-lived-tokens-with-vault-without-the-static-serviceaccount
Learn how to securely authenticate Kubernetes workloads with HashiCorp Vault using short-lived tokens instead of static ServiceAccount credentials. This post explains why long-lived ServiceAccount tokens are a security risk and shows how to use JWT/OIDC-based authentication and a Kubernetes-aware STS to issue ephemeral Vault tokens, improving workload identity, least-privilege access, and secret security in Kubernetes..
New blog post: https://blog.mei-home.net/posts/k8s-migration-24-vault/
Migrating my baremetal Vault instance to k8s, including a general introduction to Vault itself and using Terraform to configure it.
Completely unrelated, is anyone interested in a couple of tons of Yak wool?
Did I miss a trend in JSON log formatting? HashiCorp's Vault seems to be of the opinion that all keys in their JSON logs should be prefixed by an "@"? As in:
{"@timestamp": "foobar", "@message": "baz"}
Very weird.
Here's my latest article on Medium titled "Why You Need To Bake Security Into Your CI/CD Pipelines".
I hope you find it interesting! :)
#blackduck
#cicd
#cyberark
#dast
#devops
#devsecops
#github
#hashicorp #hashicorpvault
#iac
#mendio
#sast
#sca
#terraform
#vault
#vcs
In the beginning, there was Hashicorp. In the early days of DevOps, Hashicorp wrote the tools everyone used to get work done. Vagrant let you have a local, tight loop of building local envs to run tests on. Packer let you build images as code to deploy to VMware, Docker, Hyper-V, and many more. Terraform was Infra-As-Code for all major cloud providers. Then along came services to deploy onto. Consul, Vault, Nomad.
The killer with #Strapi is getting a clean state for testing rigs.
For example there's no native rebuild database command (published), rather Strapi will notice there's no tables/db file and create it.
This meant not using the "webServer" config in #Playwright so that I'm not removing the database *after* the server has started.
I'm using #Babashka to manage setup/teardown logic, and there is a #HashicorpVault client available so I can squirrel away JWT tokens and such.
Recently, I have been evaluating Hashicorp’s Vault Server and set it up on several machines in a simple setup. Since the instructions on the Internet are somewhat scattered, I document my approach in the hope that it may help others. Environment I will not be using Kubernetes or Docker Swarm (in both, you can solve it quite nicely with the appropriate placement of containers if you master the storage challenge). The reason we’re using separate Docker instances has historical reasons in the project.
Michael
Le site de Korben [Unofficial]
Tremolo Security 
Martin Todorov
dene
ohmrun
ronix 🏺
Beth Pariseau