
HashiCorp and Red Hat, better together

The IBM acquisition of HashiCorp sets up a vision for more tightly integrating HashiCorp Terraform and Vault with Red Hat Ansible and OpenShift

We recently announced that HashiCorp is officially a part of IBM. Now, we’re focusing on how we can deliver a “better together” experience for users and customers of our mutual products. We have a lot of great things planned.

One of the opportunities we have heard great enthusiasm for, and one that is actively part of customer solutions today, is HashiCorp Terraform with Red Hat Ansible Automation Platform and HashiCorp Vault with Red Hat OpenShift. In the coming months, we plan to collaborate with Red Hat to explore even deeper connections between these offerings, and we’ll share more details as soon as we can. In this blog post, I’ll share some of the opportunities we see here.

End-to-end infrastructure automation

We built HashiCorp Terraform to be a powerful provisioning tool around the core idea of infrastructure as code. This enabled version control, automation, and reusability of code. The nature of being a provisioning tool means Terraform is very good at laying down the foundations of infrastructure, tracking the current state, and determining what changes need to be made — making it an ideal control point for infrastructure management.

Beyond the initial Day 1 provisioning, there is a wide range of Day 2 operations, including things such as drift detection, image management and patching, rightsizing, and configuration management. As we have developed Terraform, some of those Day 2 operations such as drift detection have been built into our Terraform commercial products, HCP Terraform and Terraform Enterprise, while other operations extend to purpose-built tools like HCP Packer for image management or Red Hat Ansible for configuration management.

Red Hat Ansible is a purpose-built operational management platform, making it easier to properly configure resources after their initial creation, but also to evolve the configuration after set-up, and then execute ad hoc playbooks to keep things running reliably and more securely at scale. Even at HashiCorp, we use Red Hat Ansible internally for our configuration management and Day 2 operations.

While many organizations use Terraform and Red Hat Ansible together — using supported “provisioners” to invoke configuration management tools such as Ansible, as part of initial resource creation — we think the integration can be much better. A few examples we plan to investigate to make it a first-class, better-together experience include:

  • Red Hat Ansible inventory generated dynamically by Terraform. As you provision infrastructure with Terraform, keeping inventory up-to-date should be transparent for users.
  • Official Terraform modules for Red Hat Ansible, making it easier to trigger Terraform from Ansible Playbooks.
  • Red Hat and HashiCorp plan to officially support the Red Hat Ansible provider for Terraform, making it easier to trigger Ansible from Terraform and enabling deeper integration with Red Hat Ansible.
  • Evolving Terraform provisioners to support a more comprehensive set of lifecycle integrations.
  • Improved mechanisms to invoke Ansible Playbooks outside of the resource provisioning lifecycle.

While there is a long list of ideas we are excited about, the end goal is simple: no more manual integration, no more custom glue code, and more focus on seamless automation across the entire infrastructure lifecycle.

Secured-by-default application platforms

We built HashiCorp Vault to provide a modern identity-based approach to security. Rather than depending on static credentials and private networks, Vault enables fine-grained policies based on application identity and automation of credential delivery and rotation. Vault has grown to support a wide range of use cases, such as issuing dynamic secrets, acting as a certificate authority, providing a signing authority for tokens, data encryption and tokenization, brokering identity between various systems, and much more. While these capabilities are powerful building blocks, they are only useful when integrated with applications.

Red Hat OpenShift provides a comprehensive application platform, built on Kubernetes. The OpenShift platform makes it easier for application teams to develop cloud-native applications by addressing the full lifecycle of applications, including CI/CD, artifact management, blue/green deployments, and more. Beyond just Kubernetes, OpenShift makes it easier to use key CNCF technologies like Helm, Istio, Argo, and more.

It’s not surprising that many of our users combine Vault with OpenShift for secrets management, certificate automation, and data encryption. While we have partnered on this integration with Red Hat for years, we see further opportunity to streamline and deliver a “push-button” OpenShift + Vault experience so your application platform is secured by default. We want to reduce the number of configuration points that users need to set up and maintain. This will make it faster to get up and running, and reduce the burden of keeping the systems up to date.

We’ve identified dozens of connection points between Vault and OpenShift, including key components of the broader CNCF landscape, including, for example:

We will work to prioritize these opportunities based on feedback from our community and customers. We believe that application platforms should be secured by default, and with Vault and OpenShift, we can make that the easy option.

Broader portfolio synergies

In this blog post we talked about two specific integrations — between Terraform and Red Hat Ansible, as well as Vault and OpenShift. However, there is a broad set of IBM technologies that we are exploring deeper collaboration with and that we will talk more about in the coming months.

For example, we see a compelling opportunity to bring native FinOps capability to Terraform with Apptio as customers try to get better visibility and control over cost. We also want to extend the zero trust approach Vault enables to a wide range of IBM and Red Hat solutions including Red Hat Ansible, IBM Guardium, and even IBM Z systems.

Stay tuned, this is only the beginning. We’re excited to work with our community and customers to shape what comes next.
