DevSecOps Part 7: Embracing Containers for Infrastructure as Code

Containers have become a cornerstone of modern Infrastructure as Code (IaC). They offer a suite of benefits that are essential for ensuring that applications run smoothly across multiple environments. At their core, containers provide:

• Consistency: With container images, developers can ensure that an application runs identically regardless of whether it’s on a development machine, in a testing environment, or deployed in production. This consistency reduces the notorious “works on my machine” problem and helps streamline the development cycle.
• Reusability: Container images are designed to be easily deployed across various platforms and environments. This not only saves time but also conserves resources by reusing pre-configured environments.
• Risk Minimization: By isolating applications, containers can significantly reduce conflicts over system resources. Should an application encounter issues during runtime, containers allow for a quick restoration without impacting other applications. This isolation also helps contain any security vulnerabilities, ensuring that a single application’s failure does not compromise the entire system.
• Portability: Containers are versatile and can run on different operating systems and hardware platforms, making them ideal for a wide range of deployment scenarios.

In essence, the use of containers in IaC enhances automation, improves application portability, and increases system reliability through consistency—a critical combination for modern DevOps and cloud-native environments.

Building Containers with Dockerfiles

At the heart of container technology is the Dockerfile—a configuration file that dictates how container images are built. Every project employing containers for IaC starts with a Dockerfile placed in the project’s root directory. This file contains a series of instructions that define the build process for the container image, including:

• Defining the Base Image: The Dockerfile starts with a FROM instruction that specifies an existing container image. For example, in a scenario involving Cosign (a tool used later in the CI/CD pipeline), the Dockerfile refers to a pre-built image that includes the Cosign binary.
• Setting the Entrypoint: The entrypoint command, defined by the ENTRYPOINT instruction, determines what gets executed when the container starts. In our Cosign example, the entrypoint is set to launch the Cosign binary.
• Handling Dependencies: Beyond the basics, many applications require additional files and dependencies. These are integrated into the image using various Dockerfile instructions to ensure that when the container starts, all necessary components are available.

Developers can manually build container images by running commands such as docker build ./ -t NAME, provided that the Dockerfile resides in the current working directory. This process isn’t isolated to one type of container—similar steps are used to build images that include security tools (e.g., for Terraform) using base images like Alpine Linux. Alpine is favored because of its minimal footprint, which makes it an excellent foundation for a secure, efficient container image.

CI/CD Pipelines: Orchestrating Automated Deployments

Without a CI/CD pipeline, the integration, testing, and deployment of applications would be a painstaking manual process. The goal of a CI/CD pipeline is to automate these tasks, reducing manual errors and accelerating the release cycle. In this ecosystem, containers and Terraform modules play a crucial role.

Container CI/CD Pipeline

The pipeline typically begins with a build stage where a Dockerfile is used to generate a container image. For instance, when using GitLab CI/CD, you can have the following stages:

• Build Stage: A job is created to build the container image from the Dockerfile. Often, a Kubernetes executor paired with Kaniko (a tool for building container images in Kubernetes clusters) is used to securely build the image. Kaniko takes care of authenticating with DockerHub, ensuring that sensitive credentials aren’t hard-coded in the source.
• Sign Stage: Once the image is built, it must be signed to verify its integrity. Here, Cosign comes into play. A dedicated stage uses the Cosign container image to sign the built image, ensuring that any tampering is detectable. The signing process involves authenticating with a private key and later verifying the signature to confirm that the image hasn’t been altered.

The following sample shows how to use Kaniko during the build stage:

build:

  stage: build

  image:

    name: gcr.io/kaniko-project/executor:v1.9.0-debug

    entrypoint: [""]

  script:

    - mkdir -p /kaniko/.docker

    - echo "{"auths":{"$DOCKERHUB_INDEX":{"auth":"$(echo "$DOCKERHUB_USERNAME:$DOCKERHUB_PASSWORD" | base64)"}}}" > /kaniko/.docker/config.json

    - /kaniko/executor

      --context "$CI_PROJECT_DIR"/

      --dockerfile "$CI_PROJECT_DIR"/Dockerfile

      --destination "$DOCKERHUB_USERNAME/$CI_PROJECT_NAME:${CI_COMMIT_TAG}"

  rules:

    - if: $CI_COMMIT_TAG

In the following, we show how to use Cosign to sign an image:

sign:

  stage: sign

  image:

    name: legoland/cosign

    entrypoint: [""]

  script:

    - cosign login ${DOCKERHUB_INDEX} -u ${DOCKERHUB_USERNAME} -p ${DOCKERHUB_PASSWORD}

    - cosign sign --key ./cosign.key -a "author=${CI_COMMIT_AUTHOR}" "${DOCKERHUB_USERNAME}/${CI_PROJECT_NAME}:${CI_COMMIT_TAG}"

  rules:

    - if: $CI_COMMIT_TAG

Terraform Module CI/CD Pipeline

Terraform modules, which help define and manage infrastructure, also benefit from a dedicated CI/CD pipeline. A typical pipeline for Terraform modules includes the following stages:

• Validate: This initial stage checks the syntax and configuration of the Terraform module. Tools like TFSec and TFLint are used to inspect for security vulnerabilities and configuration errors. These tools ensure that the module adheres to best practices and is free from common pitfalls.
• Plan: In this stage, Terraform generates an execution plan. This plan outlines the changes that will be made to the infrastructure, serving as a preview that can be reviewed before any modifications are applied.
• Deploy (Apply): With the plan validated, the next stage applies the changes to the infrastructure. This ensures that the planned changes are executed correctly.
• Destroy: For testing purposes, infrastructure may be spun up and then dismantled after validation to prevent unnecessary resource consumption.
• Upload: After all stages complete successfully, the tested Terraform module is uploaded to an Infrastructure Registry (such as GitLab’s registry), making it available for developers in other projects.

By automating these steps within the CI/CD pipeline, organizations ensure that any changes to the infrastructure are thoroughly tested and secure before reaching production.

For example, tfscec can be used during the validate stage as follows:

tfsec:

  stage: validate

  image: tfsec/tfsec

  script:

    - tfsec .

    - tfsec test

  rules:

    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'

Managing Secrets with Vault

While CI/CD pipelines streamline the build and deployment process, managing sensitive data such as API keys, tokens, and certificates remains a critical concern. Traditionally, such secrets might be stored in CI/CD variables (e.g., in GitLab), but this approach can expose them to risks if not handled properly. Enter HashiCorp Vault—a tool that centralizes the management of secrets and protects sensitive information.

Vault Deployment and Configuration

Vault can be deployed either in the cloud (via the HashiCorp Cloud Platform) or on-premises. For on-premises setups, administrators use the Vault CLI along with a configuration file written in HashiCorp Configuration Language (HCL). A typical configuration might include:

• Server Address and TLS Settings: Administrators define which addresses can access the Vault server and, for testing purposes, might temporarily disable TLS (though TLS should always be enabled in production for enhanced security).
• Storage Path: Vault stores its data in a specified path, ensuring that all secrets are saved in a secure, local location.
• User Interface Activation: Enabling the graphical interface allows administrators to manage the Vault server with ease.

A sample configuration guides users through setting up the Vault server and launching it with a command such as vault server -config /PATH/config.hcl.

listener "tcp" {

  address     = "192.168.178.107:8200"

  tls_disable = 1

}

storage "file" {

  path = "/Vault/data"

}

disable_mlock = true

ui = true

Integrating Vault with CI/CD Pipelines

To ensure that sensitive data is not hard-coded or exposed in CI/CD pipelines, Vault is integrated to manage these secrets dynamically:

• JWT Authentication: The CI/CD pipeline authenticates with Vault using JSON Web Tokens (JWT). For GitLab, the CI_JOB_JWT variable provides the necessary credentials to verify the identity of each job.
• Defining Policies and Roles: Vault’s power comes from its policy-based approach. Administrators define policies that specify which secrets can be accessed under which conditions. These policies are then bound to roles, ensuring that only authorized jobs or groups can retrieve sensitive data.
• Vault Stage in CI/CD Pipeline: A dedicated Vault stage is often the first step in the CI/CD pipeline. This stage retrieves secrets from Vault and stores them as artifacts. For example, a secret like the cosign key might be saved to a file (cosign.key) or exported as an environment variable. The subsequent stages of the pipeline then rely on these securely managed secrets without exposing them in the pipeline’s code.
• Artifact Handling:  The files and environment variables created during the Vault stage are temporarily stored as artifacts. This approach ensures that secrets are available for the duration of the pipeline but are cleaned up afterward to prevent long-term exposure.

Here we show how to define a policy in Vault:

path "container/*" {

  capabilities = [ "read" ]

}

The integration of Vault with the CI/CD pipeline not only heightens security but also simplifies secret management. Instead of duplicating sensitive data in multiple places, a centralized Vault system allows for a single point of management that scales with the organization’s needs.

Bringing It All Together: A DevSecOps Approach

The holistic approach described above is not just about automating builds or deploying infrastructure—it’s about embedding security into every step of the development process. By combining containers, CI/CD pipelines, Terraform modules, and Vault, organizations can adopt a DevSecOps model where security is a fundamental part of the continuous integration and continuous deployment process.

Key Takeaways:

• Automation and Consistency: Containers and Dockerfiles enable a standardized build process that runs reliably across various environments. Automation through CI/CD pipelines further ensures that every change is rigorously tested and deployed in a consistent manner.
• Security-First Mindset: Tools like Cosign for image signing and Terraform security checks (TFSec and TFLint) help identify and mitigate vulnerabilities early in the pipeline. This proactive approach minimizes risks and enhances overall system integrity.
• Centralized Secret Management: HashiCorp Vault plays a critical role in protecting sensitive information. By integrating Vault with CI/CD pipelines, organizations can safeguard credentials and secrets, ensuring that only authorized components have access.
• Modular and Scalable Pipelines: Whether it’s a pipeline for building container images or for testing Terraform modules, the structure remains modular. This design not only promotes reusability but also allows teams to update and manage pipelines without redundancy. Pipelines can be stored in a centralized collection and referenced across multiple projects, making maintenance and scalability easier.

In today’s fast-paced development environments, where both speed and security are paramount, these practices are more than just technical details—they represent a paradigm shift in how infrastructure is built, tested, and deployed. By adopting these strategies, development teams can deliver robust, secure, and scalable applications while keeping pace with modern agile and DevOps methodologies.

Conclusion

The integration of containers, CI/CD pipelines, Terraform modules, and Vault underscores the evolving landscape of Infrastructure as Code. Containers provide the necessary consistency and portability, while CI/CD pipelines automate the arduous tasks of build, test, and deployment. Terraform modules ensure that infrastructure is defined, tested, and managed with precision. And with Vault, secret management is centralized and secured, reducing the risk of data breaches and unauthorized access.

This comprehensive setup not only accelerates the development lifecycle but also embeds security at every stage. For organizations looking to modernize their development practices and safeguard their infrastructure, these integrated approaches offer a clear path forward. By streamlining operations and fortifying security measures, companies can achieve a DevSecOps environment that meets the demands of today’s dynamic and often challenging technological landscape.

Embracing these practices will ultimately lead to more resilient systems, efficient workflows, and a greater ability to adapt to changing market conditions. Whether you’re a seasoned developer or a newcomer to the world of Infrastructure as Code, understanding and implementing these strategies is key to staying competitive and secure in an ever-evolving digital world.