
Celestina Amadi
Cloud Engineer
Lagos, Nigeria
Celestina Amadi is a Cloud Engineer with over three years of experience in multi-cloud and hybrid environments. She specializes in Infrastructure as Code, Kubernetes, and securing cloud-native applications. Celestina is passionate about sharing knowledge and empowering teams to implement scalable and compliant infrastructure.
Golden images made simple – Automating infrastructure with HashiCorp Packer and HCP Packer Registry
In modern cloud environments, consistency and security are critical, yet many teams still rely on manual image creation or scattered automation scripts. This often leads to configuration drift, outdated software, and challenges in scaling infrastructure. HashiCorp Packer solves this problem by enabling teams to create automated, reproducible machine images across multiple clouds. With Packer, you can build golden images that are preconfigured, secured, and ready to be deployed in any environment.
But building images is only half of the story. Managing and sharing them across teams, environments, and regions can be just as complex. This is where HCP Packer Registry comes in. By integrating Packer with HCP Packer, you gain a central service to track image versions, manage lifecycle stages, and promote builds across channels like development, staging, and production. This eliminates the need to hardcode AMI IDs or manually distribute image references. Instead, Terraform and other automation tools can consume the latest approved image directly from HCP.
In this session, I will walk through how to create golden images using Packer, push image metadata into HCP Packer Registry, and integrate this workflow into Terraform for seamless deployments. Attendees will learn how to standardize infrastructure, strengthen security posture, and simplify cross-cloud image management with a practical, demo-driven approach.
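A minimal version of the workflow described above, as an added example that is not code from the talk or from its GitHub repository: the Packer build registers the image in an HCP Packer bucket, and Terraform resolves the bucket's production channel instead of hardcoding an AMI ID. The bucket name, channel name, region and the Ubuntu source filter are assumed values; HCP credentials are expected in the HCP_CLIENT_ID and HCP_CLIENT_SECRET environment variables.

```hcl
# --- golden.pkr.hcl (Packer) ---
packer {
  required_plugins {
    amazon = {
      source  = "github.com/hashicorp/amazon"
      version = ">= 1.2.0"
    }
  }
}

source "amazon-ebs" "base" {
  region        = "us-east-1"                          # assumed region
  instance_type = "t3.micro"
  ami_name      = "golden-base-${formatdate("YYYYMMDDhhmm", timestamp())}"
  ssh_username  = "ubuntu"
  source_ami_filter {
    filters     = { name = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*" }
    owners      = ["099720109477"]                     # Canonical's public AWS account
    most_recent = true
  }
}

build {
  # Metadata for every artifact of this build is pushed to the HCP Packer bucket.
  hcp_packer_registry {
    bucket_name = "golden-base"                        # assumed bucket name
    description = "Hardened Ubuntu base image"
  }
  sources = ["source.amazon-ebs.base"]
  provisioner "shell" {
    inline = ["sudo apt-get update -y", "sudo apt-get upgrade -y"]  # patch before baking
  }
}

# --- main.tf (Terraform) ---
# Resolve whichever version is currently assigned to the production channel.
data "hcp_packer_version" "prod" {
  bucket_name  = "golden-base"
  channel_name = "production"                          # assumed channel name
}

data "hcp_packer_artifact" "prod" {
  bucket_name         = "golden-base"
  platform            = "aws"
  region              = "us-east-1"
  version_fingerprint = data.hcp_packer_version.prod.fingerprint
}

resource "aws_instance" "app" {
  ami           = data.hcp_packer_artifact.prod.external_identifier  # no hardcoded AMI ID
  instance_type = "t3.micro"
}
```

Promoting a new version to the production channel in HCP Packer changes what the data source returns on the next `terraform plan`, so the image rollout is a channel assignment rather than a code change.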
Set up secure secret management: Vault, Packer, Terraform, GCP, Kubernetes
In today's cloud-native ecosystem, managing sensitive information such as API keys, passwords, and certificates securely is paramount. This talk delves into the integration of robust secret management practices using HashiCorp Vault, Packer, and Terraform within a Google Cloud Platform (GCP) and Kubernetes environment. Attendees will learn how to set up a secure secret management pipeline that ensures secrets are stored, accessed, and rotated securely.
The session will cover the deployment of Vault as a centralized secrets manager, the use of Packer to create secure machine images, and Terraform for infrastructure as code to automate and enforce security policies. Additionally, we'll explore how to seamlessly integrate these tools with Kubernetes to manage secrets at the application level, ensuring a secure and scalable cloud infrastructure. Whether you're a DevOps engineer, cloud architect, or security professional, this talk will provide you with practical insights and best practices to enhance your secret management strategy.
Attendees will gain a deep understanding of key concepts like auto unseal and manual unseal, exploring their configurations and use cases. The session will highlight practical implementations tailored to meet compliance requirements and show how Vault can simplify secret management in hybrid and multi-cloud environments.
By the end of this talk, participants will walk away with actionable insights on setting up and securing their secret management systems, as well as tools and techniques to ensure scalability and maintain compliance.
Technical Requirements:
Basic understanding of cloud computing, Kubernetes, and infrastructure-as-code (IaC) tools. A Google Cloud Platform (GCP) account with billing enabled. Packer, Terraform, and kubectl installed on your local machine. HashiCorp Vault CLI installed for testing and interaction.
Outline
1. Why We Need Vault:
Importance of secure secret management.
Risks of hardcoding secrets or using insecure storage.
Benefits of using HashiCorp Vault for dynamic secrets, encryption, and access control.
2. Creating a Hardened Vault Image with Packer:
Walkthrough of the Packer template and shell script.
Best practices for hardening the VM image.
Storing the image in GCP for reuse.
3. Configuring Vault for Auto-Unseal Using GCP KMS:
Explanation of Vault's sealing/unsealing mechanism.
Setting up GCP KMS for auto-unseal.
Modifying the Vault configuration (`config.hcl`) to enable auto-unseal.
4. Terraform Setup for the Environment:
Explanation of Terraform files to deploy the hardened Vault image.
Creating a managed instance group, autoscaling group, and load balancer.
Applying the Terraform configuration to provision the infrastructure.
5. Service Account and ClusterRoleBinding in Kubernetes:
Creating a Kubernetes service account for Vault.
Defining a ClusterRoleBinding to grant necessary permissions.
Ensuring secure access to the Kubernetes cluster.
6. Role and Policy for Vault Authentication:
Configuring Vault roles and policies for Kubernetes authentication.
Testing the authentication flow.
Ensuring least privilege access for applications.
7. Uploading Your Secrets:
Demonstrating how to store and retrieve secrets in Vault.
8. Closing:
All code snippets and configuration files will be shared via a GitHub repository for easy access.
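The auto-unseal configuration from step 3 of the outline, as an added example that is not from the speaker's repository: a `config.hcl` in which the `seal "gcpckms"` stanza replaces manual Shamir unseal, so a restarted Vault node unseals itself with a GCP KMS key instead of waiting for operators to enter key shares. The project, key ring, key name, node addresses and TLS paths are assumed values; the VM's service account needs the Cloud KMS CryptoKey Encrypter/Decrypter role on that key.

```hcl
# config.hcl for a Vault node that auto-unseals with GCP Cloud KMS.
# Without the seal stanza, Vault falls back to Shamir (manual) unseal:
# after every restart an operator must run `vault operator unseal` with
# a threshold of key shares before the node can serve requests.

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-1"                        # assumed node id
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/vault.crt"   # assumed paths
  tls_key_file  = "/etc/vault.d/tls/vault.key"
}

# Auto-unseal: Vault wraps its root key with this KMS key, so the node needs
# KMS permissions (via the instance service account) rather than key shares.
seal "gcpckms" {
  project    = "my-vault-project"            # assumed values
  region     = "global"
  key_ring   = "vault-keyring"
  crypto_key = "vault-unseal-key"
}

api_addr      = "https://vault-1.internal:8200"
cluster_addr  = "https://vault-1.internal:8201"
disable_mlock = true                         # recommended with integrated (raft) storage
ui            = true
```

With auto-unseal, `vault operator init` returns recovery keys rather than unseal keys; keep them offline, since they are still needed for operations such as seal migration and root token generation.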
HashiTalks: Africa Sessionize Event