From YouTube: TGI Kubernetes 057: Vault on Kubernetes
Description
Come hang out with Kris Nova as she does a bit of hands on hacking of Kubernetes and related topics. Some of this will be Kris talking about the things she knows. Some of this will be Kris exploring something new with the audience. Come join the fun, ask questions, comment, and participate in the live chat!

Hello and welcome to TGIK, live at the Seattle office at the Heptio studios. I am your host today, Kris Nova, and we are going to be talking about Vault, and we have some exciting updates today. This is a big day for everyone, as we recently announced some exciting news, and we'll talk a little bit more about that in a second. But first, let's start off and look at the chat. Looks like you already have a lot of people hanging on chat, which is good.

So let me scroll down here and see what we have. Looks like Waleed was our winner this week for the first TGIK chat message: a decent "good evening from Russia." Suresh joining from Hamburg. Walid says "nearly midnight here in Saudi, nearly Saturday morning," good morning. All, thank you for joining in the middle of the night. "Hi from the other side of the world." Looks like we have somebody from Berlin. Heptio says "hi everyone, it's George," so George is going to be joining us today; he's helping me out. We have somebody from Tanzania.

We have, looks like, maybe another person from Tanzania. How did this go? Yeah, I think so, that's cool. Hello from Bosnia. George says feel free to help out with notes, yeah. So we have a HackMD that we do every week, and that's a link if you want to contribute to the notes that we will be jointly taking, and there's a lot of links and goodies in there.

If you want to go check it out, and again, that's always stored on the Heptio GitHub page, which, let's just jump right in, is github.com/heptio/tgik. So I just actually tweeted this very same repo to somebody earlier. This is the source of truth for TGIK. If you want to come and find an episode of TGIK, you can click here on the index and you can go see all 56 previous episodes, and there will be 57 later on today.

Greetings from Macedonia. "Saturday, two hours, sunny, 10 a.m. here in New Zealand." I would, I really, really want to go to New Zealand. I'm so jealous that, like, you're there and that's a real place that people can actually go. Well, it says congratulations on the acquisition, so we'll talk about that more in a little bit. So! If you have any questions, let's do a real quick Heptio-VMware acquisition ask-me-anything. Feel free to drop your question in the chat and I'll spend the first five or so minutes answering to the best of my ability, and I'll give a little, like, state of how things are and what's going on, and tell you folks everything that I know, and yada yada. So, let's see what else other people are saying. Hello from Serbia. It looks like we have boring old New York City here. Hey Darren. Tim says "watch." We have Robel, hello from London.

We have AJ from Iraq joined, Alex Richards, hello from Wales, hello from Sweden, Peter in Sweden. Let's see, "pass will drop Gardner for Cates," oh, I think that's a question. Hi from Copenhagen, more from London, and somebody from Portugal, and I'm sure there's more, yeah. We just had somebody drop in, greetings from Houston. So folks join us from all over the world. Thank you for joining, whether it's Friday afternoon, Friday morning, Saturday morning or whatever. If you're, like, in New Zealand or Australia, I think it's the future there.

So thank you so much for joining. It's good to see everyone, and a friendly reminder that you can always go to the GitHub repo and watch the episodes afterwards, and I personally like to turn it up to two times the speed. So I can get through about an hour and 45 minutes of TGIK in about, whatever half of that would be, 45, yeah, 45 minutes, yeah, no clothes but yeah.

It's noise, asbestos, let's see, Düsseldorf, Germany, and hello from New Hampshire, and then it looks like we have somebody from Perth and somebody from snowy Boston. It is snowing in other parts of America right now. It's not snowing here in Seattle. It's actually just doing its normal, boring old rain that it always does this time of year.

Abdunder says "no Krispies, prefer live streaming." Waleed, I think, is clarifying their question. That says "Pivotal PAS and Concourse, among other products. Will they drop our customer orchestration and focus on K8s?" I don't have any good, concrete information on what is happening. We're, yeah, we're technically still Heptio. We just know that there's a deal that's supposed to close, and you can find out more information about all of that in, let's go ahead and jump into it, in this wonderful link we have here.

So let's share my screen, and if you go to our HackMD, one of the first links here says "VMware update from Craig," so you can actually come in, and let me close some of these. You can actually get Craig's perspective. So this is a good thing to read, and it sort of talks about why, and what life has been like here at Heptio, and how we have a lot of things in common with VMware.

Let's see, Angel says, "will the VMware acquisition affect TGIK?" So, yes, no: the VMware acquisition will not affect TGIK in any negative way. If anything, it's going to make it better, because we might have more resources to help ramp up TGIK in some, in some way. I don't really know what that would look like, but no, VMware loves TGIK, we're gonna keep doing it. You're not gonna get rid of me and Joe that easily, it's just.

So, let's go back to our reference links here. Okay, so this first one here, I kind of did, like, a funny little sed joke, which is "sed replace Heptio with VMware," and really I should update my sed syntax. We want to do, like, a replace Heptio with, like, Heptio plus VMware, as we're gonna kind of be working in concert together, making things work well. So that's going to be exciting. Let's see what folks are saying in the chat.

I've seen a lot of movement, and I have, like, multiple screens, or, like, I have to look down to read the chat, look up to actually see what's going on here. So Mark says +1 on Craig's blog, so yeah, looks like Mark's already read it. Olaf says phew. Alex says yay for Kris and Joe, thanks Alex. Angel says "awesome, I wasn't planning to." Let's keep going, and Waleed has more questions. It looks like "TGIK on Pivotal Concourse CI/CD would be interesting."

Waleed, if you want to, let's pull it up again, heptio/tgik. If you want to open up an issue, and this actually is for everyone, come to the issue tracker and, like, real quick, let's just drop in all of the VMware stuff that we want to see in the future for TGIK. If you have an idea, we can create a label for that, and maybe those can be some of the first exciting episodes after everything is kind of, like, sealed and locked down.

So if you want to learn more about 1.13 and see what's going on, the community meeting was pretty cool. We got a demo on Pulumi, I think I said that right, which was exciting, and actually George, I'm gonna pick on you: if you could drop a community meeting recording link here, if folks are interested in seeing what's going on in the community, that would be pretty, pretty rad as well. Okay. So next we had the VMware update from Craig, and then I wanted to share this.

This was my original picture of joining Heptio, which is in the room right next door, and this was the first company I've worked at for over a year, so, like, just really excited to be here. And it's been a crazy year, and not in my life, just in, like, the past, you know, four or five years, I've made a lot of changes in my career, and I finally feel like I'm home, and it's exciting to be a part of this whole thing. So that's my sappy emotion a little bit anyway.

There's some good sparkly pictures of me, Joe and Craig, if you want to go check them out. Okay, so next up we have dockerbox. So Seth pinged me. Okay, looks like George put the community meeting link in chat, if folks want to see. Okay, so Seth pinged me and said, "hey, I have this new open source tool, do you want to check it out?" So I'm super swamped, so I was like, "oh hey."

First, I love the single sentence at the beginning of a repo. I've said that a few times, but, like, the software engineer in me is like, it's a single concrete sentence that says what this thing is and nothing more, and no reasons why we created it, just what it is. Looks like George says we publish them to a playlist every week, so it's a great way to subscribe and get updates. And let's see, Ikaros has found you, hello from San Francisco, okay cool.

So let's see, it says by default the dockerbox config lives in home dockerbox, and you can do a go get github khamseh Seth, pull it back, relax! Let's try this and see what happens. Seth is, I wouldn't say a close friend, but we've worked together in open source, so I'm gonna go ahead and trust that Seth isn't writing anything malicious here. Let's go back, and it says export PATH, so we're gonna put dockerbox bin, we're gonna add that to the end of our PATH.
To update your applet cache, run dockerbox update, so there should be a binary now. So, let's see, dockerbox. Okay, this is cool. So this is just like another Go program that you can use to basically serve as, like, a BusyBox for Docker, which, that's super rad, and you can see the full applet spec, and here's some usage: dockerbox. You can do help, install, you can list all of the available applets, and you can uninstall, and you can update, and it looks like I was able to get dockerbox up and running in about 15 or 20 seconds. So, if folks are interested in this project, check it out. Seth is in the Kubernetes Slack and I know he's looking for feedback. So if we want to give him some feedback, that would be rad. Cool.

So next up we have "Heptio intro to Kubernetes and containers," so here at Heptio, which we still are for at least another couple of weeks, here we have corporate training, and I think this is one of our corporate training offerings that we have. So it looks like it's, like, an afternoon with Kubernetes. Every once in a while I'll pop into one of these things and kind of do, like, a surprise guest, a guest appearance, and just kind of hang out with folks and get to know how people are using Kubernetes. But these are really fun.

It's a great way to learn from Kubernetes experts here at Heptio, and if you or your company is interested, you can ping me or ping Joe, and we can connect you with folks on our end, and you can learn more and you can buy tickets here. It looks like Joe says "I got it dropped with George, has he details on the swag giveaway?" Oh, from our internal Slack, so yeah, I guess Joe did, like, a giveaway the other day, which sounded really exciting.

Let's see, AJ says you can use cd $_ to change directory to the newly created directory, and Bob says "hello from smoky Hollywood, and please help the fire people if you can." Bob brings up a great point: what's going on in California is horrible, so many people unfortunately have died, and it's been really, really scary for a lot of my close friends down there, so yeah. If there's anything you can do to help, it looks like Bob can give you some pointers.

The big one is, if you actually look in here, Kelsey runs a StatefulSet for Vault, whereas the CoreOS operator runs a Deployment. So there's some interesting paradigms behind why you would possibly want to do a StatefulSet to ensure that one pod is running on your nodes, and it's a curious design choice that CoreOS has done a Deployment for something as critical as a secret store. So just pros and cons and subtle differences there. David says yay for operators, and I'm.

It's a secret store, plus auth, plus it does some other stuff as well. We'll get into the nitty-gritty here in a bit when we start going through the documentation, but ultimately you interact with Vault over an API, which is why we need this load balancer here. So it's a very simple client-server model, and we will be actually running the server components in Kubernetes. Kelsey did it with a StatefulSet; the CoreOS operator uses a Deployment, and so yeah, after you expose that, you can then come down here and actually turn on secrets and start sharing secrets. Here's a put and here's a get, and an example of sharing some secret information.

Erin says "when you have a chance later, I would be curious to hear your thoughts on Vault on Kubernetes as you're demonstrating today versus Bitnami Labs Sealed Secrets." I have never actually looked at Bitnami Labs Sealed Secrets, so I can't really speak super intelligently about it just yet. I'm assuming you're talking about this thing here, which, let's see what this thing does: "Problem: I can manage all of my K8s config in git, except secrets. Solution: encrypt your secret into a sealed secret, which is safe," yadda, yadda, yadda. Okay, so this just looks like it's another secret store that sort of solves the same problem as Vault, but in a Kubernetes-specific way. I am now interested in this; I'm going to add a link here to remind myself.

Maybe we can do a TGIK on this later, but unfortunately I won't be able to speak super intelligently about it now, other than my overall thoughts, which I think: any time you have diversity in tooling, it pushes the tooling further and hardens the tooling. And also, as we're about to learn, the Kubernetes story on Vault isn't super fleshed out. I couldn't even find an example of what we're going to be doing today.

So it's basically abandonware at this point. Let's see, etcd operator, let's see what the repo has to say. I don't want to misquote our friends at CoreOS. So this is also in beta. So anyway, just be aware that I don't know if this is being actively maintained or not. It looks like our commits here were three months ago, seven months ago, two years ago, four months ago, so we haven't really seen anything in the past three or four months here on this repo as well.

So just a little bit of awareness there that you are possibly getting a dependency involved that may not have the most updated code in it, if you do decide to use the CoreOS operator here. Okay, so here's Kelsey's thing, let's close that. Here's the vault-operator, do do, so we'll look at that in a second, and we're actually gonna start, and we're gonna go through this README. So if you wanted to start looking at that README now, feel free to. Okay.

So next up is dynamic secrets, and I was talking to Joe a little bit about this today. This is a, this is a blog by Armon, the CEO of HashiCorp, and this talks about why he thinks it's a good idea to have dynamic secrets. And basically, a dynamic secret is a secret that is started at run, it's, like, generated at runtime as you need it. So your program would start, you would enter the main function, you would say "I need a secret," and there'd be some system in place that would give you the secret you need, and moreover handle authenticating that on the backend, so your secret actually works as well. And as soon as you're done with that secret and your program exits, that secret is no longer used, which sounds very good for anybody who's ever concerned themselves with security and auth before; that sounds like a solid model.

Let's see what folks are saying. Shawn Smith says "hey from Seattle, sorry I'm late, congrats on the acquisition and the great work everyone." I have to: thank you, Shawn. Let's see, Somas says: "Why are you not speaking at KubeCon China this year?" Us, honestly, because I'm transgender and that scares me, do you want to know the truth? It's not always easy for me to travel around the world, especially with some of the legal issues in different places, and yeah, I just felt safer here, which is weird to say because, obviously, well, anyway, yeah, that's why I didn't go to China. Okay, so, let's see, Kubernetes RBAC. We're gonna be talking about RBAC a little bit today.

You're gonna have to have a pretty good idea of what a service account is. So if you want to go refresh on RBAC, here's the page on it. I might draw a picture and just go over cluster roles, cluster role bindings, users, groups and service accounts in a little bit, once they're relevant to what we're doing in Vault. So there's that as well here. Okay, this is a good one.

This was actually, like, one of the rare gems in Kubernetes, so we're gonna get into this later, but we needed to find the service account token, and when we actually look at getting a pod up and running with Vault in a moment, you'll see why this is relevant. And I actually could not find documentation on kubernetes.io for this, but I did find this, like, hidden piece of documentation here in client-go that reminds you that it's in /var/run/secrets/kubernetes.io/serviceaccount.

So if you're ever looking for this magic path to get your service account token out of a pod, it's here in the client-go repository.
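Editor's added example, not code from the episode, from client-go or from the vault-operator project: a small script that reads the token a pod finds at the path named above and decodes its claims to show which namespace and service account the pod runs as. It assumes the legacy claim names (kubernetes.io/serviceaccount/namespace and .../service-account.name) that kubelet-mounted tokens carried at the time, and it embeds a constructed sample token so it runs outside a cluster. It only base64-decodes the payload; nothing here checks the signature, so the output is a debugging hint, not an authenticated identity (only the API server's token review, or Vault doing that review on your behalf, establishes that).

```python
"""Decode the service account token a pod finds under
/var/run/secrets/kubernetes.io/serviceaccount (added example, not project code)."""
import base64
import json
import os

# Path the episode recovers from client-go.
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"


def _b64url(raw: bytes) -> str:
    """base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed sample token (NOT a real cluster token): the claims follow the
# layout of a kubelet-mounted token; the signature segment is a placeholder.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "default-token-example",
    "kubernetes.io/serviceaccount/service-account.name": "default",
    "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000000",
    "sub": "system:serviceaccount:default:default",
}
SAMPLE_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(json.dumps(SAMPLE_CLAIMS, separators=(",", ":")).encode("utf-8")),
    _b64url(b"placeholder-signature"),
])


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. No signature verification is done."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def identity_from_token(token: str) -> tuple:
    """(namespace, service account name) claimed by a service account token."""
    claims = decode_claims(token)
    return (
        claims["kubernetes.io/serviceaccount/namespace"],
        claims["kubernetes.io/serviceaccount/service-account.name"],
    )


def read_pod_token(sa_dir: str = SA_DIR) -> str:
    """Read the mounted token; outside a pod, fall back to the constructed sample."""
    token_path = os.path.join(sa_dir, "token")
    if os.path.isfile(token_path):
        with open(token_path, "r", encoding="utf-8") as fh:
            return fh.read().strip()
    return SAMPLE_TOKEN


if __name__ == "__main__":
    ns, sa = identity_from_token(read_pod_token())
    print(f"token claims the identity system:serviceaccount:{ns}:{sa} (unverified)")
```

Run it inside a pod and it reports the identity the pod would present to Vault's Kubernetes auth method; run it on a workstation and it decodes the embedded sample instead. The same claims are what the RoleBinding later in the episode is granting permissions to, which is why the namespace and service account name matter.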
Okay, so the next one is, okay, this is Shamir's secret, which we'll look at in a second. But this is the Wikipedia article about the actual math behind how Vault seals and unseals itself, and when we install Vault we'll have to talk about sealing and unsealing our Vault, and what that means, and what the implications are with that. But if you're an algorithm nerd and you want to go check out how this whole thing works, this is some pretty interesting math here about how you can shard out your different secrets to create one more powerful master key, and that's called Shamir secret sharing.
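Editor's added example, not code from the episode or from Vault, that also answers the later chat request to explain the Shamir algorithm: a working split-and-recombine implementation of the scheme the Wikipedia article describes. It works over the integers modulo a large prime for readability (an assumption made here; Vault's own implementation works per byte over GF(2^8)); the algebra is the same. The unseal_demo function mirrors the init/unseal flow: the key is split into five shares, any three rebuild it, and two do not.

```python
"""Shamir secret sharing over a prime field (added example, not Vault's code)."""
import secrets

# Constructed field size: a Mersenne prime, so any secret under 521 bits fits.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x, p):
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... at x, mod p."""
    acc = 0
    for c in reversed(coeffs):  # Horner's rule
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, n, k, p=PRIME, rng=secrets.randbelow):
    """Split `secret` into n shares (x, y) so that any k of them rebuild it.

    A random polynomial f of degree k-1 is chosen with f(0) = secret, and
    share i is the point (i, f(i)). With fewer than k points every value of
    f(0) is equally likely, so leaking k-1 shares reveals nothing."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= threshold <= number of shares")
    if not 0 <= secret < p:
        raise ValueError("secret must be an integer in [0, p)")
    coeffs = [secret] + [rng(p) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def recover_secret(shares, p=PRIME):
    """Lagrange-interpolate the given points at x = 0 to get f(0) back.

    The result is only the original secret when at least k distinct, honest
    shares are supplied; with fewer, it is just some unrelated field element."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        # den^(p-2) is the modular inverse of den (Fermat's little theorem).
        total = (total + yi * num * pow(den, p - 2, p)) % p
    return total


def unseal_demo(master_key: bytes, shares_total=5, threshold=3):
    """Mirror Vault's init/unseal flow: split the key, hand out shares, recombine.

    Returns (key recovered from `threshold` shares,
             whether `threshold - 1` shares also happened to yield the key)."""
    secret = int.from_bytes(master_key, "big")
    shares = split_secret(secret, shares_total, threshold)
    # Any `threshold` shares, in any order, recover the key...
    recovered = recover_secret(shares[1:1 + threshold])
    key = recovered.to_bytes(len(master_key), "big")
    # ...while `threshold - 1` shares interpolate to an unrelated value.
    too_few = recover_secret(shares[:threshold - 1])
    return key, too_few == secret


if __name__ == "__main__":
    # Constructed 32-byte "master key" standing in for the one Vault generates.
    key, leaked = unseal_demo(b"constructed 32-byte master key!!")
    print("3 of 5 shares recovered the key:", key)
    print("2 of 5 shares recovered the key:", leaked)
```

Operationally this is why Vault asks for a threshold of unseal keys after every restart: a single share holder cannot unseal alone, and the shares are the only copies of the master key, so the distribution of those shares is the thing to protect.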
Okay, so first things first, let's check out my cluster and see what we have running. So, let's get out of dockerbox. Let's go back to my home directory, and we all know my alias kdump, which just does a kubectl get all --all-namespaces, so I'm gonna run that and we're gonna see what we have running in my cluster. I just spun this cluster up with kubicorn. It should be pretty bare-bones, but I want to make sure I didn't leave anything in here, because I did install Vault earlier today.

Let's see, this all looks good. I don't see anything in here other than, like, the Kubernetes minimum set of things you need to get a cluster up and running. Okay, cool. So let's go back here, and we're gonna go start running these commands and going through deploying the etcd operator to get started, and so right here it says kubectl create -f, and then you can see example/etcd_crds.yaml.

If you actually check out this repository, you'll notice there's the example directory, and these are the YAML bits we're actually going to be running. Abdunder says "have we here who is certified for offensive security? I hope explain more of the algo of Shamir." I'm not sure I quite understand your question. Maybe you could try to reword it and I can try to answer it.

If you want me to go a little bit deeper, I can, whenever we get to sealing and unsealing our Vault there. Okay, so anyway, here's the YAML bits that we're gonna be checking out. So I checked out that repository. So we go to my GOPATH, which is home/go/src/github.com/coreos/vault-operator. There we go, and so here you can see we actually have the example directory. So these can wait.

Cedric says "what was the tool called to spin up a cluster?" So Cedric, I have a tool that I also abandoned, where I'll call myself out, that's totally fine, called kubicorn, and all it does is it creates infrastructure and then runs kubeadm on top of it and just kind of automates everything. So it's a really simple way to get a kubeadm Kubernetes cluster running in Amazon and DigitalOcean or a hand of others.

If you're interested in using this, it's gonna involve running two commands: first a create, then an apply, and I have a whole TGIK episode on kubicorn if you're interested in learning more through there. Oh sorry, excuse me, have to, like, sneeze really quick. I don't wanna, like, blow my nose on camera, hold on, okay.

Cedric says "aw thanks," and other folks are saying kubicorn as well, and then, honestly, I really like our kubicorn.io, oh, I really like our docs page. Like, it's really pretty and colorful and rainbow. It makes me happy, but there's some good information here too about getting kubicorn and how it's different from some of the other things, and yada, yada. Okay, so that's kubicorn and how I set up my cluster, so back to our vault-operator. Okay, so kubectl create etcd CRDs.

We wanted the CRDs first, so clear my screen and cat out our etcd CRDs and see what we have. So the first one here is a CustomResourceDefinition, which, that's what CRD stands for, and it defines this kind called an EtcdCluster, and then we have another CRD, another CRD, so nothing too promiscuous here. And again, this is just for the etcd operator stuff, so I'm not going to spend too terribly much time looking at that etcd operator; if you want to go check that out, we can talk about that at a later time.

Okay, so the next one is the operator deploy. So this will be the actual operator itself, and again, we all are familiar with the operator pattern, which is: you have a CRD, which represents what, and then you have an operator that reconciles that and brings it to life. So this first one was just a description of what we want, and then this is an actual piece of software that's gonna go and reconcile that. In this case we're declaring that we want an etcd data store to be running in Kubernetes, so we can go ahead and run both of these and get etcd up and running. So we created our CRDs, and I guess I'll be a good girl and cat out example/etcd-operator-deploy. Oh.

Another nitpick of mine: all of the etcd files have underbars after their name, except for this first one that has a, so, kind of annoying for us UNIX users who really enjoy consistency. Anyway, if you cat this out, you can see that it's real simple. It's just a Deployment, and it just runs a pod, which is etcd-operator version 0.8.1.

It's got some loose information about how to actually start up the operator. So again, this is just the software that's going to start up etcd for us. Let's see, we have "hello everyone, I am Mishra from HashiCorp. First off, thank you Kris for doing this. Also, we have Vault Helm charts coming soon, hopefully making installing stuff easier." Awesome, thanks for the update. I think I'm just gonna say a noob huff, I'm sorry, I'm really sorry if I mispronounced your name. That's good to know. There's a lot of thoughts around Helm charts and the dependency on Helm and how those compare to operators. I myself am a big fan of having an operator. I really think the CoreOS operator is a great example of how to declare not only one but N number of Vault clusters running in Kubernetes, and you can put a lot more logic into the operator that you would be missing from just starting a simple Helm chart.

Although I guess you could use a Helm chart to launch an operator, but that just seems a bit like there's a lot of complexity going on there. Anyway, Mishra says "goes by my last name," okay cool. So that makes it easier for me to pronounce. Thank you, Mishra. Okay cool, so we have our etcd operator. So let's go ahead and install that. It's just a Deployment, and we looked at that real briefly. Okay! So now we should have a, k get po, which of course is an alias for kubectl get pods, for folks who are just joining us. I have a lot of aliases I sometimes use and folks aren't aware of them. So if you run k get po or kubectl get pods, you can see that we have an etcd operator, oh, and it didn't crash, CrashLoopBackOff. This is good. I'm not going to pull the logs; I'm going to keep going through the install. I want folks to see how this works sort of linearly, but now we want to deploy the vault-operator, and I think the reason that we're in CrashLoopBackOff, and I wanted to mention this linearly, is because I missed this first step here. Let's see, "crash, container is restarting." Syed says "the whole go.mod thing was confusing to me; Francesca did a great video tutorial breaking it down, if folks are interested," and Waleed says "Red Hat has an operator for Helm in OpenShift, not sure what it is really."

Okay, so good commentary there from our friends. So anyway, this is actually step one; this is not step one. We need to set up our RBAC, and that's why, I'm assuming, the etcd operator is failing right now. So we're gonna create a Role and a RoleBinding, and this is gonna be important, because this is gonna bind us to our service account, which is going to be how we do everything in Vault once we have the Kubernetes auth up and running.

So if we look here, it's a simple sed command, and it's just replacing this sort of bracketed <namespace> and this bracketed <service-account> with default and default, and then renaming the file from rbac-template to example/rbac.yaml. So we can actually copy and paste this, run that, and now we can actually cat out example/rbac.yaml, and we can actually see down here at the bottom we've actually injected a name and namespace, and you can see here we're actually binding to the default service account for the default namespace, and we're naming this the vault-operator role. These are going to be important values later, so just remember them, and you can always come back and see how we got them. So let's go ahead and create our RBAC rules in Kubernetes. So we do that by k apply -f example,
A
The
file
we
just
created
our
back
dot,
yeah
Mel
and
that's
gonna,
go
and
say:
yes,
we've
created
our
authorization
and
our
role
binding
and
a
friendly
reminder
for
folks.
There's
there's
two
types
of
role:
bindings
and
kubernetes:
there's
a
regular
role
binding,
which
is
what
we
see
here
and
then
we
also
have
a
cluster
role
binding,
which
has
a
broader
scope.
Cluster
role
by
means
will
bind
some
type
of
either.
A
Account
or
a
user
or
a
group
to
the
entire
cluster
instead
of
a
specific
namespace,
so
things
like
nodes
that
don't
really
exist
at
the
namespace
level
are
gonna
be
relevant.
When
you
start
looking
at
cluster
roll
bindings
and
again,
the
binding
is
just
how
you
connect
the
role
to
did
the
group
or
the
user
okay.
So
let's
see
what
David
is
saying,
so
no
problem
always
glad
to
answer
OpenShift
questions:
okay,
Brad!
Thank
you
for
your
help,
David,
okay!
So
now
I
bet.
If
we
do
a
can
get
po.
A
Yes,
our
su
operator
isn't
running
so
remember
to
always
set
up
your
our
back
rules.
First,
so
going
back
to
this,
and
that's
a
bit
like
I
would
rather
see
the
the
are
back
that
little
snippet
that
is
on
this
page.
I
would
rather
see
this
linearly
here,
instead
of
having
to
navigate
away
just
as
I
user.
It
makes
it
easier
for
me.
Okay,
so
we've
created
the
example.
Cr
DS
we've
deployed
our
operator.
So
now
let's
get
started
with
the
vols.
A
So
first
we
create
the
vault
c
rd
which
again
because
we're
creating
a
vault
operator.
We
also
have
to
create
a
vault
c
rd,
so
let's
really
take
a
look
at
this,
so
cat
example
vault,
C
or
D
Jana.
So
it's
a
custom
resource
definition
and
it's
called
a
vault
service
and
it's
vault
services,
it's
plural
and
basically
all
CRD
does
is
just
create
this
new
entity
that
you
can
be
whatever
you
want.
Your
operator
can
read
it
later.
A
A
So
we
can
do
CAD
example,
deployment,
dot,
Y
Amal
and,
let's
actually
I'll
just
check
out
Kelsey's
repo,
Kelsey,
Hightower
vault
and
then,
while
we
can
cat
them
both
out
and
actually
look
at
them
next
to
each
other,
so
yeah
we
want
to
grab
the
URL
and
we'll
clone
that,
and
this
is
another
cool
tool.
If
I
use
this
thing
all
the
time,
if
you
don't
use
it,
it
makes
your
life
way
easier.
I,
just
forked
Kelsey
Hightower's
repo
to
Chris
Nova,
downloaded
it
and
if
I
actually
go
to
my
go
path,
source,
Oh,
calm,.
B
A
A
Nope
I
did
that
wrong
move
sorry,
one
second
source,
github,
calm,
Kelsey,
Hightower,
move
that
to
go
source,
github,
calm,
Kelsey,
Hightower
vault
on
google
kubernetes,
and
then
you
can't
do
that.
So
we'll
just
look
at
it
here.
Go
source,
github,
calm,
Kelsey
have
a
tower.
Okay,
anyway,
doesn't
really
matter
where
to
checked
out.
But
if
you
want
to,
you
can
cut
out
this
vault
die
yeah
mole
file
and
we
can
see
his
stateful
set
here
and
we'll
do
a
side
by
side
open.
Let
me
blow
this
up.
A
Just
go
source,
github,
calm,
core
OS,
vault
operator
cat
example,
deployment
IMO.
So
there's
the
vault
operator
and
here's
his
stateful
set
you.
So
you
can
see
the
complexity
here,
he's
doing
a
lot
of
configuration
and
a
stateful
set
I'm
assuming
a
lot
of
this
is
specific
to
Google
and
then
also
we're
ensuring
that
each
one
of
our
vault
pods
runs
on
a
node
with
Kelsey's
example,
whereas
ours
can
be
despaired
at
across
a
number
of
different
nodes.
A
A
So
these
are
just
things
to
think
about
as
you
and
your
team
are
figuring
out
if
it
actually
makes
sense
for
you
to
run
your
vault
cluster
inside
of
kubernetes
itself.
So
anyway,
that's
my
spiel
on
how
to
set
up
vault,
okay,
so
we're
back
here
to
our
operator.
Let's
make
sure
yeah
we're
still
in
the
root
directory
and
let's
go
in
and
actually
install
this
stuff.
So
let's
create
our
vault
operator,
CRD
BAM
and
let's
go
and
deploy
the
operator
itself
vault
operator.
Very
good
and
then
it
says,
verify
that
the
operators
are
money.
A
So
will
you
do
a
keg?
It
PO
and
we
see.
Yes,
we
have
a
net
CB
operator
and
yes,
we
have
a
vault
operator.
What's
interesting
to
call
out,
is
we
actually
don't
have
bolts
run
e
yet
because
we
have
to
declare
our
first
vault
cluster
for
the
operator
to
reconcile,
looks
like
folks
are
in
chad,
shawn
smith
says:
oh,
my
god.
Clone
looks
great
time
to
look
at
it.
For
myself,
I
sean
smith,
just
a
heads
up
I
wrote
that
tool
like
two
years
ago.
So
it's
like
I
was
a
different
engineer.
A
Then
don't
get
mad
at
me
but
yeah.
It's
it's
an
ancient
tool
anyway,
Misha
says
also
using
auto
unseal
feature
that
was
released
as
part
of
vault
10.0.
It
makes
bootstrapping
the
vault
cluster
easier,
okay,
so
Mishra
I'm
not
sure
where
you're
getting
that
from.
But
anyway
it
looks
like
folks
are
kind
of
having
some
side
banter
and
me
I'd.
The
chat,
if
somebody
has
a
question,
feel
free
to
just
highlight
me
or
type
Chris,
okay,
so
the
vault
operator
is
now
installed
and
let's
deploy
our
first
vault
cluster.
A
A
Yes,
so
now
we
can
do
K
apply,
f
example:
example,
Volta
amel,
and
it
says
yes,
the
vault
service
TJ
t
GI,
K
vault
was
created
so
now
we
can
actually
do
K
k't
vault
and
you
can
see
we
have
a
resource
called
vault
and
we
can
actually
have
one
or
more
of
these
and
each
one
of
these
actually
represent
our
vault
cluster.
So
now,
if
we
do
a
kk
p
o
you
can
see
that
we
actually
the
operator,
has
the
scheduled
pods
in
the
same
namespace
and
implicitly,
the
same
service
account.
A
So
let
me
see
what
other
people
are
saying.
Sean
Smith
says
it's
fine
regarding
clone
I,
mostly
use
git
labs,
so
it
wouldn't
work
for
someone
like
me
to
use
it.
Darin
says
not
that
you
should
ever
run
a
container
from
somebody
in
the
internet,
but
I've
updated
an
image
of
the
vault
operator
to
vault
for
Darwin.
Ok,
so
actually
Darin
brings
up
a
really
good
point.
A
If you, I'm gonna pick on Kelsey again, if you go and you look at Kelsey's repo, I noticed this the other day, I would want to grep for hightowerlabs. So you can see here, he's actually pulling this vault-init pod that we have no idea what this is, and we have no idea how it's getting built, although I'm sure Kelsey has done his homework and has like a copy of his Dockerfile somewhere, and he's been a good engineer.
A
I just don't see a Dockerfile here in this repo, so there's a little bit of like black magic going on that I'm sort of detached from. So just again, concerns going off of what Darin said about just blindly running containers from people on the Internet. It's pretty much the same as just downloading a static binary and just running it and hoping that whoever created the binary didn't put anything malicious into it. But that's really, really easy to do.
A
Okay, so, and Mishra says Kelsey's project uses the auto unseal feature, that's what I meant, sorry, the chat is lagging behind a few seconds. Okay, so Mishra just hit another point that I should bring up, because the chat does lag behind. The complete sentences are super helpful so that we can sort of communicate back and forth, so really appreciated. Thanks for elaborating, Mishra. And Darren says especially security software, okay, I'm assuming that's another case of the chat lagging behind, because I don't understand what "especially security software" means at this particular moment.
A
Okay, so let's go back here to the Vault operator. Okay, so we can now get pods. Let's just go ahead and see how these things are doing, so k get po. Oh, beautiful, I love when everything just says Running like that and everything's ready and it like looks all happy. It's like really, really exciting. Okay, so you can see now we've got a few things, so we've got the vault-operator, which again, this is the layer of software that schedules Vault itself.
A
Then we've got two vault etcds that were created by the Vault operator as a data store, or three of them, and then we have two Vault pods themselves. So this is actually where Vault is running, it's in these pods, and if we actually go and pull logs on them, -f. Oh, we also have to specify a container, -c, we'll do vault, the vault container. You can see here that we're actually running the Vault software.
A
Maybe, no, I'm not sure, let's see, kubernetes auth method, yeah. This is where we want to go, so installing Vault right here, so vaultproject.io, docs, install, index.html. This is actually what the pod is doing. It's gone through and it's done an installation, or it's probably already baked in, and it's actually running Vault for us. So that's where Vault itself is running. So then, if we go back to our vault operator, let's see, it says: get the Vault pods, check the Vault CR status. Okay.
A
Not only do we get a ton of really handy meta info about what is actually going on, and we can see things like if we have annotations and when it was created and what namespace it's running in, but more importantly we have the status section down here, where it actually gives us really handy information like, oh, it's running on port 8200 and the cluster itself is not initialized. So this is specific Vault information that Kubernetes is giving us, that the operator is able to sort of be the liaison between.
A
So we can go here to the Vault usage guide. Again here, I'm going to go back and do this again, it's right here, it's under "using the Vault cluster", Vault usage guide. This is like where I spent most of my time as I was learning about Vault earlier this week. It talks about using the Vault CLI. Davis has a great tip on the, oh yeah, YAML, yeah, we're going to get to. So Abdumnor says export VAULT_ADDR in chat.
A
What operating system and architecture are you running on? And they always build, like I think more so than any other open source team, they always build a ton of architectures, I mean they even offer a Vault on Solaris here, which is pretty insane, so hats off to them. So anyway, you would download that binary, move it to your path, probably chmod it to executable, and then you should be able to just type vault, yeah, so Vault's up and running.
A
So if I try to do a vault status right now, you can see that that's one of these secondary commands here in our very familiar Go program output. If I try to do a vault status, we're gonna get an error and it's gonna say: checking seal status, Get http, unable to dial TCP. If you've written Golang, this little "connect: connection refused", that's very familiar. That's coming out of the Go standard library. So what that's telling me is, for some reason we can't talk to the Vault cluster, which we cannot, because we haven't poked a hole.
A
Well, we're not really poking a hole in a firewall, we're doing some port forwarding from my local to the Kubernetes cluster. But if we go back to, let's go back, what, like four or five pages here, we go here, we can actually see that this handy command here will actually do the port forwarding for us. Let me go back: where did this thing go? Vault operator, Vault usage guide again, and let's see what this command does.
A
So it says get vault, and then it does JSONPath and it's gonna pull the status, sealed, pipe it to xargs and then do a port-forward on it. So basically this is going to look up our Vault cluster and do a port forward on port 8200 for us in one fell swoop, which is super handy. "vault services core OS example not found". So let's see, get vault. We want to change this to tgik.
A
What is it, k get vault, it was called tgik-vault. So let's go back, default, get in vault. A lot of vault. I feel like the word "vault" is slowly losing meaning, I keep saying it. Okay, perfect, okay! So now we're forwarding in port 8200 onto the kubectl port forwarding, so we should be able to actually hit the Vault API now.
A
So let's open up a second window here, zoom in for folks at home, and now we can run a vault status. "Because it doesn't contain any IP SANs". Oh, err, copying from local connection to remote stream, read TCP, connection reset by peer. This did not happen last time, I wonder if it's because I changed that. Let's go back and change our name back to example, in case something's baked into the example along the way, so let's do change directory, go, source.
A
github.com, go back to coreos, vault-operator, Emacs example. Mike says HTTP, so I'm assuming Mike is suggesting that we're using their own protocol here. I'm gonna go back and just do apples to apples, because I had this thing working earlier, and if that doesn't work, we can poke around and see if it's HTTP or HTTPS or what's going on. This just worked out of the box for me earlier, so I don't want to spend too much time fighting with TLS if we don't need to. Okay, so Emacs example.
A
So let's change this back to example, save and exit, k delete vault, and I guess this is a really good example of why operators are also a better pattern, because you can create Vault clusters very easily now that you have the operator up and running. So k delete vault, we called it tgik-vault, and let's go ahead and k apply, and we're going to create the example vault with the older name to see if that fixes our little problem here for us. Okay, so example, example vault, oh cool.
A
So if we k get po, you can see we're terminating some of the old ones, and we're probably about to start bringing up some of our new ones, so yeah. Here's our example etcd. So the operator is slowly tearing down some pods and slowly bringing up some others, and hoping that's gonna fix our Vault problem here. So let's run this command again, but this time we're gonna be running with get vault example instead of get vault tgik-vault. Let's run that and see what happens. Okay.
A
So what happened is that pod is not up and running yet, so that command didn't work. So let's do a k get po and see where we are. Okay, so the example etcd is still initializing. So we've got a few seconds here to wait on Vault coming up. Any questions from anybody so far about how we've gotten here and how the operator is working, how we're getting our cluster set up? Feel free to ask now, and we'll continue to wait for the operator.
A
Okay, so now let's try our port forward command again, yay. So now we have 8200. So let's go back to the second tab and do a vault status. Nope, still having "cannot validate certificate because it's not contained in any IP SANs", so looks like Heptio was saying: now would be a good time to enter the swag giveaway, tgik roll call, the code for the episode is carabiner. That's awesome, I wonder if I actually have a carabiner on me, I think I have some at my desk.
A
I have a couple of wire gates I use for my office badge. So have you looked, seven lucky listeners will get some great swag. "Nova, try setting TLS skip verify equal true", okay, so I think folks are reminding me that I might have skipped something in the docs and forgot to export a handful of things. Also, shout out to Reggie Rio for calling me Nova. Thank you, I appreciate that. Yep, so folks are all like: hey, hey, export all this stuff.
A
So let's do this, in this, of course, which is number three, so I'm just jumping the gun here. So now we're gonna do VAULT_SKIP_VERIFY equal to true, and vault status. Okay, good! This is what we want. Okay, so it wasn't the name of the cluster, it was actually TLS. We weren't enabling a certain flag. So that's good to know.
A
Rogerio says you're welcome, and folks are just like: yeah, I know, what are you doing? You skipped step two! It's gonna fix all your problems. And Shawn Smith says: Black Girls Code is great, I'm gonna be running the charity stream to send some donations their way next month. Awesome, thanks for the update, Shawn, okay. So going back here, make sure you export your environment variables and don't forget this one, VAULT_SKIP_VERIFY equal to true, so that you don't have the same bugs I did, and then you can run a vault status.
A
Okay. So now, for the moment everyone's been waiting for, let's talk about sealing and unsealing a Vault cluster. So if you go back to the Vault documentation, you can come here to concepts, and you see we have this thing called seal and unseal, and this is where, this is actually the Wikipedia article I had in the tgik notes earlier. This is where we actually learn about Shamir's secret and how this whole thing works. So this first paragraph is actually really solid documentation. It says: the data stored by Vault is encrypted.
A
Vault needs the encryption key in order to decrypt the data. The encryption key is also stored with the data, but encrypted with another encryption key known as the master key. The master key isn't stored anywhere. So it's just several layers of encryption and security to actually have the keys to the kingdom here, and what's interesting is like, if you actually think of like a bank vault, like you know, like in the movies, with the big dial or whatever, sealing and unsealing that vault would basically be like locking and unlocking that vault.
A
The vault is wide open and you're able to get things out of it. So by default, it says the unseal process is done by running vault operator unseal, but by default it starts off sealed, and we have to do some initialization stuff as well, and it says once a Vault is unsealed, it remains unsealed until one of two things happens: it's either resealed, which we can do from the command line tool or through the API, or you can just restart the server.
A
So if you have your vault that's open and your Vault server crashes, it will restart itself and immediately be sealed. So just important security concerns to be aware of as you're looking at running Vault on Kubernetes. So let's go back to our documentation, and again I'm gonna follow the steps here so I don't skip anything. Let's see what folks are saying: "Auto unseal is the hugest issue that we encountered when we installed Vault as a deployment via Helm. Happy now, with this operator we have to migrate." So yeah.
A
So there's an auto unseal bit of functionality in Vault that will actually, I think, auto unseal your Vault cluster, so that you can begin getting and storing secrets in it automatically, and by default the operator starts off without that bit of functionality enabled. Okay. So let's see here, verify that the Vault server is accepting.
A
So this is like whenever you get like the root password to a server for the first time, like you want to put this somewhere safe and make sure that, like, you're not giving these things away, and probably also change them after you do it. But you can actually initialize your Vault, there's documentation here on actually doing this, and to do it you type vault operator init, so the operator command. Let's actually look at that really quick, vault operator -h.
A
The operator, as like it would apply to like a human, like a person operating your Vault cluster, which is also how the operator pattern got named, but that's a different talk for a different day. So anyway, just be aware that vault operator has nothing to do with the vault-operator here that we were looking at. Okay, so vault operator init. Oh, and you can also, wire here, and let's just go ahead and take a look at these.
A
I'm gonna share the secrets, because I'm gonna destroy this cluster later and I want folks to see how this is done. So like, I know I'm sharing secrets, and you're not going to be able to use them afterwards, and I'm never gonna have Vault exposed anywhere on the public internet. So here they are, and I just need to like remind myself, like it's okay, Nova, it's okay to have secrets on tgik. Here are the secrets for our Vault cluster.
A
So if you look here, we've got five unseal keys, and if you look at, let's go back here, initializing the vault. This is not where I want to go. I want to go back to here. Yeah, I want to have two tabs open, one with our vault operator and one with our HashiCorp docs here. So if you actually look at the seal and unseal and Shamir's secret, you'll notice that you only need three keys at a time to sort of have the master key, or to generate that master key.
A
To make sure no single person has everything they need to take down your cluster or compromise your secrets. So, see, it says: "to overcome the issue at that time, the workaround was to configure an alert in Prometheus, and then once the Vault restarts the alarm is triggered and we do so manually." Okay, so again, Abdumnor's talk.
A
My knees are locking up. Abdumnor is talking about how they're dealing with the auto unseal feature, and it looks like they just set up a Prometheus alert and somebody gets alerted whenever they need to take any action. Okay, so now that we have our unseal keys, we know that we only need three of them, and we also have the second thing. This is our root token. So a token is how you actually authenticate with Vault. Just a real quick lesson on token trivia. Sorry, my knees are like going out, shake my knees.
A
Right now, token trivia: a token needs to be passed with every API request. So if we actually wanted to authenticate with Vault and then actually store or get a secret, you wouldn't need to pass a token, and we are going to talk more about how to set this up with Kubernetes in a second. But basically this is the first token that allows us to write secrets and to actually interact with our Vault cluster. So we'll need to take note of that as well.
A
Okay, so next it says unsealing a sealed node. So this command is what we ran earlier, and it's still running in a second terminal, so we can skip this part. We've already done these two environment variables. Hold on one second, I'm gonna have to, like, my knees cramp, you know, I have to like stretch it for a second, so everybody like go grab a cup of tea for a second.
A
Mountain climber problems. Okay, also I'm standing up here, if folks at home don't realize that. Okay, so where were we? Okay, our VAULT_ADDR and our VAULT_SKIP_VERIFY both set to true, and it says: check the active Vault node. So let's go ahead and run this, doot-doot doot-doot, and it looks like somebody's messaging me, hold on one second. Oh no, I'm getting messages on Slack and I want to make sure that nobody was telling me anything important. Okay.
A
So we did our vault get example and tried to get a status, that did not work, and we are gonna do this kubectl, other command here, doo doo doo. I feel like we skipped a step here. It is okay. So again, this is like pointers to other bits of documentation that make it hard for me to come back to this. So it says: seal and unseal a Vault node.
A
Did you tweak your knee during vacation? So yeah, I took a week off. My partner and I, we flew down to southern Utah in the desert and did some pretty intense rock climbing for a week, and I might have fallen and really hurt my knee along the way, but I'm okay. It just like cramps up if I stand on it for too long, but I had a really good time and it was a really fun trip. So that's good! So anyway, we have our Vault cluster unsealed. So let's go back to our docs here.
A
Okay, so I skipped ahead earlier. It said: write secrets to the active node. So now we should be able to run this command, clear our screen, and you can see that we actually got some output here, which is the specific pod that we're looking for. Okay, and it says: configure port forwarding, which we already have, this command, open a new terminal. So now it's telling us to export our Vault token. So let's go ahead and run this, export VAULT_TOKEN, and we want to do, where is it here?
A
So remember the start of the root token? So this is like the master keys to the kingdom here. So we have that defined, and so now we can do a vault write and a vault read. So vault write secret/foo, and let's do a vault read secret/foo, and we should get value equal to bar. Poof, okay, so here's an example of us writing a secret that we are calling foo.
A
This syntax is specific to Vault, as everything in Vault goes through a generic write bit of functionality, and the secret folder is like a special folder for secrets, and if you actually do like a, I think it's vault list, I want to say vault secret list, maybe, well! No, it is vault. Is it vault list secrets? Yeah?
A
Okay, so you can actually do a vault list and see that there's like different directories that mean different things, and as we get into the world of auth methods, which we'll get to in a little bit, we're gonna learn that these directories are actually quite important. But again, remember that everything in Vault goes through a generic write, which will be important when we actually look at our Go code here in a second. Okay, cool. So to recap: Vault installed with the operator. It's called example, not tgik-vault.
A
We got it up and running, we unsealed our cluster, and we have a root token exported in memory, and we're able to write and get secrets. So now let's look at how a software engineer might actually go in and start authenticating with Vault. So if we go to tgik episode 57, I have actually, I don't even think I've merged it yet. Let's pull this up. So if you go to github.com/heptio/tgik, okay, I have a branch. So let's see, did I open the pull request? I don't think so, anyway.
A
I'll merge it afterwards, but I have a branch in Kris Nova. If you want to just pull this up on your end, Kris Nova, tgik, and it looks like I have 57, is what it's called, and then here in episodes, scroll all the way down, we have 57, and here's our main go file, and this is what I have pulled up locally on my end here. So let's look at this in my IDE. Okay, so here we have the world's simplest Go program.
A
Let's expand our imports, and you can see we have one function, it's our main function, and we're going to go through this line by line in a second, but this is actually a good starting point for us to start looking at writing secrets with Vault. So there is a Vault API. If you actually go and you type "go vault client", there, they call it an API, and you can find this. Is it here, vault/api?
A
So if you actually go to the HashiCorp website, this is what they suggest you use for their Vault, basically, SDK or client. If you want to write some Go code to actually get a secret or write a secret, there's no readme and there's no example, so this was interesting to get up and running. So after this is merged, this is like a really great example of using Vault with Kubernetes, that I haven't really found another working example of anywhere. So this is kind of valuable stuff here anyway.
A
Here is all of the Go code that Vault itself uses and that we're gonna be borrowing as well for our small Go program here that we're writing, and I guess, while we're on that, I'm going to segue, before we go deeper into the code, into auth methods. Okay, so if you go here on the Vault documentation, you click on auth methods.
A
These are all different ways that you would authenticate with Vault, which means, if you're looking at the inputs and outputs here, each one of these methods would be responsible for getting you one of those tokens, similar to the root token we looked at earlier. So it suggests, for example, on developer machines to use GitHub. So if you're a developer, it says there's a really easy way.
A
If you look here, in order to log in, you do a vault write, and then, instead of doing the secrets directory, we have one called auth, and we have one called kubernetes, and this JWT is actually a really bad name, because it's not a JSON web token, but it's actually the Kubernetes service account token, which is basically taking a Kubernetes-level secret and putting it into a different system, which means, if that was ever compromised, you're basically giving away access to that entire service account to another system.
A
So there's a bit of a security concern there as well, and also I think this is just a poor name choice. Okay! So let's look at actually getting this auth method installed, so we can start to use it. So if you scroll down here to configuration, and we can see we have vault auth enable kubernetes, so there's like code in Vault baked in that will turn on the Kubernetes auth backend. So this is stuff that our friends at HashiCorp wrote for us.
A
Okay, so vault auth enable kubernetes: success, enabled kubernetes auth method at kubernetes/. So you can see there's a pattern here. We have the directory secrets, we have the directory auth, and now we have the directory kubernetes. So this is how Vault sort of stores all of its stateful information, including your secrets, which is a pretty clever design, I think, so anyway.
A
What's going on here, for the list of available configuration options. So do I actually have to get my real Kubernetes CA cert in order for this thing to work? I think I do. Where are we gonna get, I know there's CA information stored on the Kubernetes node itself, so let's go check there. So I'm thinking we want to get the CA cert off of our master, copy it here locally, and then try to authenticate with Vault. Anybody has a better idea, feel free to yell at me now.
A
Well, sudo up now for good measure, and I think it's at /etc/kubernetes, I want to say pki. Hey, look what I found, we have our ca.crt. So let's cat ca.crt, I'm gonna do this off the screen just for good measure. I'm gonna copy this to my clipboard, clear my screen and then bring this one back over here.
A
Oh, and how do I do the tabs thing? I'm gonna cheat and create a new tab, so I can drag my old tab and delete this terminal, and there we go. Oh, clear that, all right, I'll just close that terminal for now, a little bit of a new tab and resume. Okay. So we have the CA cert in my clipboard, and let's go here and let's do another nano to speed things up, we'll call it ca cert, and I'll paste this off the screen here.
A
And see that, okay, cool, so new tab again, it's, man, resize. Let's see what folks are saying in chat. Donal Guy said: I had to open a browser, so kind of too late, but you just need your public key, dot cert, isn't it in your kubeconfig? So yeah, I think it is, but I thought that was, I don't think that's the actual raw cert material, I thought it was something else, but either way I'll try that, Donald, as a second approach.
A
If this doesn't work. So let's go back and look at our docs and see what it says here. Do you do, and also thanks for joining, helping me out, Donald, I appreciate it. So I'm wondering, so this is just a great example of poor documentation, because this doesn't really tell me concretely what needs to happen here or what Vault is expecting, like do I pass in a file here, do I actually paste my cert information?
A
Will it work with both? So there's a little bit of trial and error here to try to figure out how to get this Kubernetes config working. So it says token reviewer, so I think that's fine, kubernetes host, so I'm wondering if I can just do my Kubernetes host and my CA cert directly from my kubeconfig and call this thing a day. Let's try that first, so we will actually do this.
A
How do I want to do this? Let's open this up as a file here in tgik, so we'll just make a bash script, we're going to call this config.sh, just so we can kind of like edit things real time, then bash. So here's our command, and let's get our host and paste it in. Let's see, looks like Donald's saying some stuff. He says the @ syntax is a not super common thing that some programs do to equate cat.
A
So it's a file name. And tinfoil matt says: yes, you can. Unsure what he's, or what tinfoil matt is suggesting. Yes, I can do, and again, complete sentences, they're always helpful. "But if you didn't put the @ it would be content." Okay, I see, it's just some weird implied syntax that I've never seen before, and now it looks like tinfoil matt says the @ syntax won't work. Okay.
A
So what I'm gonna do is I'm gonna actually not do the @ syntax, and I'm gonna actually paste in my CA cert material from my kubeconfig here. You know what, YOLO at this point. If we're gonna do this, let's just do it. cat .kube/config, and I have a lot of Kubernetes up and running here, and none of these are actual real ones any more. I'll spare you all me going through my kubeconfig, though, so there's...
B
A
Think it's called, maybe kubernetes admin, yeah, auth provider, access token, expiry, key, client cert, cert data. Okay, so this is already starting to frustrate me, that this would be way easier if somebody baked all of this logic in and you could just point Vault to your kubeconfig and it would do everything I needed to do. So this is just frustrating. Let's see what folks in chat are saying: "you need to paste the whole cert in there."
A
Okay, so back to my kubeconfig here. I know it's off screen, so it's a bit hard, so I'm just trying to walk folks through what I'm doing, but I am pulling up my kube admin cluster by grepping for admin, and, oh, that's GKE. Sorry, I seriously have like 45 Kubernetes clusters here, I'm having to kind of go through to figure out which one we want to use. So that's GKE, I don't know what that one is. Oh, that's minikube, more GKE, more minikube, more kubicorn.
A
Two more minikube. Okay, we're gonna try this a different way! We're gonna build these things manually. Okay, so for our Kubernetes cluster, our master is here, so we'll grab that, go back to our bash script, and we're gonna paste here, and that's listening on 443, and let's actually see if that's here, that IP address is here in my kubeconfig. Let me grep for that, 34 dot, there it is. Okay, cool, and I have certificate-authority-data, I have...
A
Sorry, manually reading YAML is always a big pain, I guess. Let's try cluster, certificate-authority-data, so let's grab all of this, and I'm gonna do this off the screen as well. So give me a second here: bam and bam, and now let's go here and actually run this thing. Okay, so I pasted the cert data and the public IP address of my master node and changed the port to 443. So this should work.
A
If we go to that bash file and run it. github.com/heptio/tgik/episodes, what episode, we're already on 57 episodes, okay, so sh config.sh: failed to write config, cannot validate certificate because 127, because it doesn't contain any IP SANs, because of those environmental flags, environment variables, again, so because I started a new...
A
Terminal, I lost those environment config bits. So now let's try this. sh config: error making API request, PUT, permission denied. Oh, probably 'cause I need my root token defined again. Did I lose my root token? I bet I did. If I lost my root token, then we're really SOL here. Yeah, I think I did, 'cause I closed... Maybe, is it here in the screen? I think we lost our root token, folks, 'cause I closed that terminal, so yeah, let's figure out how to rekey with Vault. Why not, right?
A
So we might actually be like really up the creek here. If I lost my root token, I'm assuming we need that to rekey, and if we can't authenticate with the API, might as well nuke Vault and start all over. So let's see, it says: when you did kubectl get vault -o yaml, how did you specify the operator information? Always use -o yaml. But this space, I'm reading David's comment in chat right now. Sorry, thought you were using a special operator, yeah, well, lol.
A
Yeah, -o yaml, and I know it has our status and everything in it, but it should still work. Wasn't my point, I wanted to show with folks. So example.yaml, cool. So now, if we do k get vault, we have an example. So let's give, you know, Vault another 20 or 30 seconds. We'll unseal it real quick and we'll have root tokens and we'll be back off to the races again. See, operators, they work well in the wild.
A
So I'll keep this terminal closed. Let's see what folks in chat are saying: Sean Smith says typing out root key. No! It's okay, Sean, I've already gone through and recreated it. So we can just do any one really quick, oh well, yeah, whatever, and then I guess this is a perfect lesson, like if you're doing this for real, once you get this information, like put it somewhere, like keep it safe, keep it secret. All right, boys, keep it secret, keep it safe, right away.
A
Okay, so let's check and see, k get po, so we're still waiting for that to come up. So let's go back to my bash script here and pull this thing back up. I'm only going to share a small portion of it, but here's what we have for folks at home if they want to see. So this, I believe, stays the same.
A
Okay, if you want to send it to me on Twitter or Slack or something, go for it, but I have a feeling I'll beat you here, just because the Vault operator, nope, still ContainerCreating. Donald Guy says: I suspect you need to base64 decode it. Okay. So that's why I wanted to just log in straight and get it off the server, but yeah, I can do a base64 really quick, we'll grab that. So let's see, what does it, base64, isn't it minus D? I always forget how to do a base64 decode, minus capital D.
A
Open up our Dockerfile just to get that off the screen. Sharing secrets makes me so nervous. Cool. Oh, let's go back and check, do do, k get po, still waiting on containers to create. Donald says capital D on BSD/Mac or lowercase d on Linux. Yeah, I know, it's like one of those commands that, no matter how many times I've run it, I always have to go look it up every time, because it's just always just different enough and I run it just infrequently enough. So annoying.
A
Our nodes, doing k get nodes, those look fine, so I don't see any reason why Kubernetes wouldn't be able to create pods right now. Is it they're just pulling down the Vault image? What's going on here? I wonder if there's some sort of bug with the Vault operator if you give it the same name. Let's try to change the name really quick. So let's go, go, source, github.com, dududu, heptio tgik, no.
A
tgik, save, k delete vault example, k apply -f example/example_vault.yaml, created, k get po, okay. So let's try to run this and hope for the best and see what happens. Jeremy says "sharing secrets makes me so nervous" is pretty appropriate in a session about Vault. Yeah, well, it's one of those things where it's like just being on the screen and knowing that I'm getting recorded, like just any time there's secret information.
A
I just kind of like, just like, it gives me like, hits that certain part of like my spine, and like, get that off the screen. I'm still like trying to unlearn the behavior there. It's just interesting, but I'm glad you liked it, Jeremy. Let's check our pods and see what's going on now. Hey, this looks better, so yeah. It looks like we found a bug in the Vault operator, which looks like it has a problem trying to redeploy the same pod for some reason.
A
Bob says just a cert isn't a secret, same for normal PKI scenarios, having a cert, I mean, as long as the private key isn't published. So yeah, Bob's just helping us out here with understanding the true secrets and the difference between just shared keys and secrets, which again I just put everything like it's, it's some sort of cert material, so it should just never be shared ever, and that is usually my philosophy. Okay, so k get po, oh okay, so here's tgik. So now let's do our port forward thing again, which is here.
A
Bam. Is it not running yet? k get vaults, yeah, there's one called tgik. Shaun Smith says gotta run, see you guys next time. Tinfoil Matt says stupid question: how is Vault different from secrets? And Sean says "in girl?" Sorry, my bad, you're good, Shaun, thanks for hanging out. I said yeah. Tinfoil Matt, basically, I think what you're asking is, how is Vault different from the Kubernetes secret store? They both kind of solve the same problem, although Vault's encryption and security behind the scenes is way more advanced. If...
A
Truly storing secret information for your org, something like Vault is exciting because it actually goes through and does a really nice job at encrypting everything and securing everything. So just more security is the TL;DR there. Sean says see you next time. Let's try to do our port forward again, still not wanting to work.
A
Okay, k get vault, oh yeah! Well, let's see what's going on here: status, initialized false, phase running, updated nodes. Why is the port forward...? Tinfoil Matt says I see, makes sense, I thought they complemented each other. So that goes back to the dynamic secrets that we talked about earlier: there's actually a blog out there that talks about how you can use Vault and Kubernetes secrets in harmony together, which is a little bit different than the auth method that we're looking at today.
A
Okay, so let's look at this port forward command and see what's going on. Okay, kubectl, namespace default, get vault tgik, output jsonpath status.vaultStatus.active, and then pipe that to port forward, so I guess status.vaultStatus.active is in status, vaultStatus, active. Let's see what's going on here, k get vo...
A
Use this port forward. Oh, I see what you're saying, use this one here. Okay, cuz it looks like the JSON path is different. Good, cause these... vault's results, not sure, example, and we want to change this to tgik. Good, fine, I thought they were the same already, and use here. So let's actually do that one here and we'll just keep this tab minimized in the background. Ok, so change this to tgik, okay, port forwarding back and running, so we're gonna...
A
keep this terminal, we're not gonna close it, and we're going to do a vault operator init. Get our keys real quick, we're just gonna write these down. I'm not gonna commit this, but I just don't want to... master info, whatever, paste all that stuff. So now we at least have a copy in case anything does happen again, and now we can do our vault operator unseal again, and who's gonna walk over and paste our key, and we'll run it again and paste our second one, bam bam, and our last one will get here.
A
Vault's reach... nope. Where was it? VAULT_TOKEN, see, this is why I checked. export VAULT_TOKEN equal to this thing. Okay, so now I should be able to do a vault status, good, very good. So now let's go back and run this config command again, so we'll open up a new tab for that, zoom in. I'm just kind of treating this tab delicately now, so let's go to go/src/github.com/heptio/tgik/episodes/057 and we should have sh config.sh. Uh-oh.
A
Do some editing here, you guys are getting to watch me hack over AMA, okay, bam. Now let's create our CA cert file. See, it would be really nice if there was a layer of software doing this for us, so I didn't have to go through and manually tinker with all this noise. Okay, so ca.cert, paste.
A
We can get that in a second if we need to, George, but I don't think we should need that, because we're gonna get that from the pod at runtime, but again, not a security expert, just trying to figure this out. Okay, oh, we were trying to run our shell script and that is not there. That is going to be here in episode 057: sh config.sh. Error writing data. Oh, because we want to run it in this one where we have all of our environment variables set.
A
So actually I can just do my tgik alias and then change to episodes, 57, 057, and now run our config.sh. Error writing... aw, auth/kubernetes/config put: no handler for route. Oh, cuz I have to do the Kubernetes enable thing again, so Kubernetes auth method. It's this thing: vault auth enable kubernetes, and now we should be able to run.
A
Why won't you work? Error writing data to auth/kubernetes, error occurred, not a compact JWS. So it looks like Gregory was right, er, George was right, sorry. So one way we can get our service account, and that's going to be relevant to later, because this is gonna be how we get it from the pod, is to actually get a pod into the default namespace and then look on the filesystem for the service account token. You can also get it through secrets using kubectl, but I want to do this...
A
really quick so I can show how we're gonna be mounting it on the pod later. So if we come into our default namespace, we can actually do a run, a debugging pod, and this is just gonna run ubuntu:latest in the default namespace. "If you don't see a command prompt, press Enter." Press Enter over here, and then remember earlier I had mentioned that client-go link I found, which is, where was it, a service account token?
A
And then we can exit, crack, and clear the screen. Okay. So now let's go back here and let's pass in our Kubernetes service account token, that looks good, and sh config.sh, yeah. We finally got it: data written to auth/kubernetes/config. Okay, so super annoying, but we were able to get it. So you need to get your CA cert, and this is like gonna be like a tongue twister, right: get your CA cert information out of the kubeconfig, base64 decode it, find your master API server endpoint, probably from your kube...
A
Where is Kubernetes auth method? Okay, so we got this step finally done and it says now create a role. So you can do this, and it's, let's look at what's going on here, so we're creating a new Vault entry called auth/kubernetes/role/demo. So the name of our role is demo and we're gonna bind that to vault-auth in namespace default and we're gonna give it a TTL of one hour with a default policy here. So this is just, if you want to find out more about this...
A
Vault has a ton of information, but this is just a Vault-ism for setting up Kubernetes and giving us a simple role. Let's see what folks are saying. Donald Guy says pipe to contexts, cluster, cluster, CA cert data, base64 decode, ca.cert. Okay, so Donald Guy just dropped a one-liner for getting that out, which is handy. You know, if somebody wants to write a bash script to, like, basically take this little command I wrote and actually do the lookups and do everything, I bet...
A
It looks like Waleed had a big excitement bit there. Okay, so now we're gonna get exciting stuff going on here, and I know we're already an hour and 36 minutes in, so I'm sort of sitting here thinking how deep down the rabbit hole do we want to get, because I actually did put a lot of work into getting this Go code running, and again, there isn't really a good example of this anywhere on the internet. So if you want this, I'll merge it after the episode here.
A
So inside of Kubernetes we would actually change this to use kube-dns and the name of our deployment. So we would get that by doing a... k get deploy, I think, and we have tgik. So you could just do http://tgik, and then you would need a service here listening on, connecting port 8300 to the deployment. So let's see, k get svc, and we do have one here and it's on 8200, and that's also called tgik.
A
So we now know that we would be able to change this from localhost to just tgik, which is the name of our deployment. Okay, so you would do that. You would then call api.NewClient, and if you actually look, this api thing is the actual HashiCorp Vault API Go package that we looked at earlier. You pass it your config and you can do a logger critical, os.Exit, if something goes wrong, so that's nothing too exciting. You probably want to have better exit error handling there.
A
This is, this is mounted on every pod in Kubernetes automatically, so we have the bytes here in memory, and let's start uncommenting some of this stuff. So then we start to actually define our options here, and how I was able to structure this map[string]interface{} is, if you go, I think, here, yeah. So this is a, this is where I got it from, is this little snippet of JSON here, so it says "jwt": your service account JWT, which, remember, that's just our Kubernetes service account token, and then we say "role" is equal to "demo".
A
So that's the role we just created. So let's go back to our Go code and we're gonna change this to... this is just left over from me playing earlier today. Role is equal to demo, and the JWT is just gonna take a string of our bytes that we got off of disk earlier. So then we define our path here for our request, which, remember, everything in Vault goes through a default write. So all we're doing to log in is we're just issuing another write command, which again, documentation on that was also almost non-existent.
A
Donald Guy says FYI, your OBS setup is shadowing top chat, not live chat, so it only shows the second half of my one-liner, okay, and presumably drops other stuff occasionally. Okay, thanks for the update, Donald. If you want to add that to the HackMD or something, I'm sure folks would appreciate it. The YouTube chat is just usually just being... it's just a pain. Okay, so anyway, we define our path that we're gonna do our Vault write to, which is auth/kubernetes/login. We then get our secret, which is going to be called from doing client...
A
Read, which is this printf down here at the bottom, using our Kubernetes default service account. And "semester", "under Visual Code"? No, I use GoLand, and it used to be Gogland, now it's GoLand, which, let's see, can I do like an invalid... yeah. This is what I use, GoLand, and I'm running 2018.1. I actually paid for it, just because I know the folks who work on it: they're, they're active Gophers and they're friends of mine, so I like to help them out.
A
This is one of the few pieces of software I've actually paid for in my career, cuz they believe in it so much, so yeah, I use GoLand and I paid for it and you should too. But yeah, this is an example of some Go code, and I think the powerful bit here that folks at home are probably interested in is that, as a software engineer, I don't have to concern myself with secret information. In other words, I'm able to authenticate and get in, write secrets at my leisure, simply by running in Kubernetes.
A
So simply by having my program running in Kubernetes, I can access this token, and that token gives me everything I need to go and interact with Vault. So things like my SQL credentials or anything that my program would be interested in using, I don't ever have to hard code, I don't ever have to mess around with... that scene with environment variables.
A
I just have this little "read my Kubernetes service account token and then generate a Vault token from that," which of course, as I mentioned earlier, is terrifying and dangerous, but it does make my life as a software engineer much easier. So there we have it, some Go code if you want to tinker with it, for a starting place to work at home on getting your Vault token and actually doing a read and write with Vault.
A
That is only possible by running this in Kubernetes. I will do my best to tidy up this Docker repo, but we are way overdue on time, so I'm going to zone out and see if folks have any questions or anything. So let's see, go back to my face. Bam, here I am. Tinfoil Matt says this will help in rotating secrets also, so yeah, so that's a really good point. Now, however secrets are managed behind the scenes, me as a software engineer, I don't have to care about that.
A
My code never changes. An operator can come in and circulate secrets as often as they want, and my code will always work, and I won't have to be a code change, or I won't have to, like, make an update to the PR or anything. So let's see what folks are saying. Aaron says consul-template is also really useful for generating YAML and such from Vault. Good tip.
A
That's real similar to, like, how some of the sidecar auth stuff works, as well as just having an init container to do a lot of them via auth, you know, stuff, but in general, like yeah, he said containers. So basically what he's asking is a better way to get secrets from Vault to the container's environment, so yeah, I mean, other than similar code like we have here...
A
I would probably write a lot, like a package to wrap a lot of this up in, so that a software engineer could simply, like, vendor a package and just say, like, vault auth, and then just, poof, they don't have to deal with any of the tokeny reading stuff from disk, and we could build, like, a really nice, complex, feature-rich library around even checking to see if this file is here, and, you know, making sure that we unset memory as quickly as possible and stuff like that.
A
So that would be my approach as an engineer, but again, there's a lot of ways to skin this cat. So anyway, we are out of time. So thank you, everyone, for joining, getting involved, and running and looking at actually getting a pod running with Kubernetes and connecting that up to the Kubernetes auth backend, which, remember, is different than the dynamic secret stuff, which maybe we can do another TGIK on in the future. But yeah, it's been great hanging out with everyone.
A
I'm gonna get this repo, my fork of the TGIK stuff, up and merged as quickly as possible so folks can see this code here, but if anybody else has any other questions, feel free to let me know. It's been a great episode. Marco says great and very informative episode. Thank you, Marco, I'm glad you enjoyed it. Thanks, everyone, for joining. This is always the weird part.
A
Cuz I'm, like, giving myself, like, an extra 30 seconds here for the folks to say bye and giving folks another opportunity to ask questions, if they have questions. Tinfoil Matt says thank you, keep up the good work, Heptio, it was cool. Marco says time to sleep. I know, well, it's the middle of the night, I think, for Marco. They live on the other side of the world.
A
Okay, but it's been really rad joining everyone, so thanks for joining. If you have any questions, hit me up on Twitter, hit me up on Slack, I'm always here, I'm down to talk. Oh, let's see what folks are saying now. Zolt says this was great, thanks again, have a great weekend. Waleed says thank you and have a nice weekend. Samosas: thank you for the tutorial, keep up the good work. Donald, thanks for your help today, especially with the base64 stuff. That was really bad.
A
Marco's like, he said, going back to bed. Jeremy says thanks as usual, and I... somebody else, Ed, thinks... I'm not gonna try to mispronounce your name, sorry. Okay, it's been rad, we'll see everybody next week. If you have any ideas for next week, hit me up on Twitter, and I am gonna go home and get ready for Thanksgiving, and I'll be climbing Mount Hood, the North Face, this weekend. So if anybody is on the north side of Mount Hood, look up on that nice, open North Face and look for a red jacket.