HashiCorp’s Introspection About its Open Source Heritage
The past year has involved a lot of introspection for HashiCorp after naming David McJannet as CEO last August. McJannet, a VMware, GitHub and Hortonworks alum more recently served as Executive in Residence at Greylock Partners. In the transition, co-founders Armon Dadgar and Mitchell Hashimoto became co-CTOs.
“It was a fun time for the company in a number of senses,” said Dadgar. “We had a lot of open questions about what is really the commercial mission of the company.
“[It] was, OK, we have these six open source projects that have large and thriving communities, but how does that translate into commercially viable HashiCorp and one that can continue to invest in these tools and grow?”
The company offers Vagrant to manage development environments, Packer to build images, Terraform to provision images, Consul to connect and monitor applications, Nomad to deploy applications, and Vault to secure applications and infrastructure.
However, the San Francisco-based company already sought to focus beyond just creating developer tools to incorporating the workflows that require developers, operations and security teams to work together as part of an application delivery process.
McJannet previously spoke with The New Stack about its work to unify its products to help large organizations make the shift to cloud-based architectures.
It has determined that the “sweet spot” or core mission on the open source side is to solve practitioners’ challenges, Dadgar said. But it also has a Fortune 2000 customer base, customers like Home Depot, Target and Verizon that have a different class of problems. That’s prompted a big shift to enterprise versions.
An example is recently updated Vault, with improvements for both the open source and enterprise versions.
The Vault open source version incorporates secrets management, encryption as a service, and privileged access management. The Enterprise edition also includes collaboration and operations features, governance capabilities, and the ability to scale Vault across multiple data centers.
The 0.7 release earlier this year added support for multi-data center replication, but users wanted every data center to have a local vault in case they lose their primary.
Enterprise 0.8 added disaster recovery replication mode, which allows for the replication of tokens and leased credentials as well as secrets and policies, and prioritizes the ability to quickly return from a down state without having to regenerate tokens for applications/users accessing secrets.
It also includes mount-filtered replication.
“A lot of these multinationals have data-governance laws — what data can actually be replicated where. Our initial implementation was sort of all or nothing. Your whole data set gets replicated to every data center or not at all,” Dadgar said. “Now you have these fine-grained knobs, ‘OK, this data can go to these countries. This data can go to these regions.’ There are regulations like the EU General Data Protection Regulation (GDPR) on the horizon, and most companies are unprepared. That’s been a conversation starter around Vault particularly,” Dadgar said.
And a new multi-factor authentication subsystem allows Duo Push, Okta Push, PingID Push and Time-based One-Time Password (TOTP) methods to be required for any operation on an authenticated path within Vault.
Version 0.8 also adds support for secure plug-ins on the open source side.
“One of our central questions is how do we provide a central service that provides central access to all parts of our infrastructure,” he said.
“Whether it’s a database or Amazon cloud credentials or encryption keys — the goal is centrality of management. Then security teams only have to do policy in one place, they only have to do auditing in one place, they only have to give access in one place.”
To that end, it’s added support for an array of systems — Couchbase, MySQL, Postgres, HANA, Oracle DB, the list goes on.
“What we’ve traditionally done, say it’s an Oracle database, is to say we want that supported in Vault natively and the whole community can benefit from it,” he said. “The challenge is companies that have this particular homegrown system and want to broker access to it through Vault. But this is unique to this company and doesn’t benefit the overall community, and we take on the burden of maintaining it.
“Secure plug-ins gave us a way out of this. We can work with you to develop a plug-in that lets you manage your homegrown system and you can maintain this system that’s unique to you. So it helps us support our core mission of how do we support all these heterogeneous endpoints. We’re tackling that through a combination of partnerships, plug-ins and added integrations.”
Vault 0.8.1 also includes Google Cloud Platform Identity and Access Management (IAM) Authentication Backend and Oracle Database Secret Backend.
The company is furthering its support with Google Cloud and recently announced a multi-year partnership with Microsoft to further integrate its Terraform infrastructure provisioning tool across Azure cloud services.
Adobe will be among the customers talking about their experiences at HashiConf ’17, September 18-20 in Austin, Texas.