What is Hootsuite?
• Over 15 million users including more than 800 of the Fortune 1000 companies
• Written primarily in PHP, Scala, and Go
• Running in AWS, with almost 2000 instances
Credentials in Vault, render with Consul template
• manually encrypted configuration stored in Git
• LDAP access for developers
• aws-ec2 auth method for instances
• "Blessed" by Jenkins
• Downside - plain text config
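As an added example (not from the Hootsuite deck), a consul-template configuration that pulls a database credential from Vault and renders it into an application config file; the Vault address, secret path, file paths and reload command are assumptions. The rendered file is the plain-text config the slide lists as a downside, so the template restricts its permissions and reloads the app on change.

```hcl
# Added example (not from the original deck): consul-template config that
# fetches a credential from Vault and renders it into an app config file.
# Vault address, secret path, file paths and reload command are assumptions.
vault {
  address     = "https://vault.example.internal:8200"
  # Token is supplied via VAULT_TOKEN in the environment (e.g. obtained
  # through the aws-ec2 auth method); consul-template keeps renewing it.
  renew_token = true
}

template {
  # Inline template: read the KV v2 secret and emit the config the app reads.
  contents = <<EOT
{{ with secret "secret/data/myapp/db" -}}
db_user     = "{{ .Data.data.username }}"
db_password = "{{ .Data.data.password }}"
{{- end }}
EOT
  destination = "/etc/myapp/db.conf"
  # The rendered file is plain text on disk (the "downside" on the slide):
  # keep it owner-readable only and reload the app when it changes.
  perms   = 0600
  command = "systemctl reload myapp"
}
```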
Credentials in Vault, accessed by applications
• flow for containers
• vault token cron for kubernetes nodes
• Downside - still need to manually create and store credentials
Certificate Generation
• security team
  ◦ Not globally trusted due to cost
• Cert generation now as easy as running 1 Vault command
• Kubernetes - create multiple intermediate CAs per subdomain
What problems did we run into?
• workaround exists
• Keeping track of commands
  ◦ Document them
  ◦ Create makefiles
  ◦ Keep environments in sync
• Vault is a toolbox