Hi everyone and welcome to the February 2021 edition of the CNCF end user technology radar. I'm really excited to be here with our radar team to share with you the results from the CNCF end user community. So, here we go. A little bit about me. My name is Cheryl. I'm the VP of Ecosystem at CNCF. And my mission is to really help end users be successful as they're adopting Kubernetes, Prometheus, Envoy and all of the other open source cloud native tools. You can find me at my blog, oicheryl.com, or on Twitter at @oicheryl. The CNCF end user community is a group of more than 140 companies spanning some of the smallest, most innovative startups all the way up to the biggest global household names. And these are the companies that are using cloud native technologies to deliver their applications and services. So without further ado, let's go into the technology radar. First of all, let me please introduce the February 2021 radar team. First off, I have Steve. Hi Steve.

Hi. So I'll introduce myself briefly. I'm a site reliability engineer at RStudio. At RStudio we're looking to, we're building out a cloud IDE platform for data scientists. And we're obviously doing so with as many cloud native technologies as possible. I'm looking to add more all the time.

Nice. Good stuff. And we have Andrea. Please introduce yourself.

Hello everyone. My name is Andrea. I'm an engineer and co-founder at AuthKeys. AuthKeys is a company that is offering authorization as a service in the cloud. I used to be an embedded engineer for more than a decade. And then AuthKeys was my opportunity to turn into cloud native aware technologies. At AuthKeys, we really consider cloud native technologies as the future. That's the reason why we joined CNCF as an end user. And that's one of the reasons why I'm here participating at this radar team.

Fantastic. And we have two more who were part of the radar team, but unfortunately couldn't join the recording for today.
So I want to thank them for their input and their hard work on compiling this radar. So first of all, the topic was secrets management. Andrea, why did you choose secrets management for the topic? And tell me a little bit about what is secrets management.

Okay. When we started with this radar team task, we had to choose a topic. Many, many of them were quite interesting, but we ended up choosing secrets management, especially because, yeah, from my point of view and from my company's point of view, security is a focus in our business. We're basically selling authorization in the cloud. So we have to orchestrate a lot of services. Many of them are exposed. And whenever you have to coordinate all these services, you need to deal with how each of them authenticate with each other. So secrets are at the base of these mechanisms, and as soon as a company needs to automate its operation process, it needs to deal with how to store secrets. So secrets management is basically the set of techniques that are used for keeping those secrets safe, usually by storing them somehow encrypted somewhere. Yeah, we chose to focus our radar on this topic because it's not as easy as it can appear at first glance. So that's basically why we had this decision to focus on secrets management for the radar, for this month's radar.

Steve, anything you want to add?

I don't think so, I think he did a great job.

Okay, awesome. All right, so a reminder for what this technology radar looks like. So the goal of the technology radar was to survey the end user community and ask the people as a community, what do you currently use and recommend internally for your own company. And there are three main options. So adopt, meaning we clearly recommend it, we've run it, we've used it for a long time and it's pretty stable, pretty mature. Trial, meaning we've used it with some success. So if you have a need for this, then you should be looking at this tool.
Or assess, meaning we've tried it out, we think it's promising. Maybe it doesn't cover every use case or maybe it's not quite mature yet. But you should consider it anyway. And then there was a fourth option that people could choose which was hold, hold meaning we don't use this solution anymore. We recommend something else. And then the goal is to look across all of the companies in the end user community and put those tools into one of these three categories. So this time let me start with Steve. When you went into this, what did you expect?

Sure. So I think my expectations were potentially a little naive in that, in looking at the space of secrets management, I mainly expected organizations to be using the offerings by the public cloud that they were already in. It's obviously a much easier choice to adopt just essentially a separate set of APIs from the same public cloud that you're already using. If you are embedded in a public cloud, if you're using a single public cloud, it's kind of an easy choice, or at least in my view. It seems like a very easy choice to just adopt it. You know, a new small piece, a new small service that is offered by those clouds.

Is that what you're doing at RStudio?

And in some way, shape or form, yes, that's at least one of the ways that we manage secrets. Definitely, as a small team, that's kind of an easy pickup to just use an additional service from a public cloud than to build out our own in-house tool or adopt an additional tool that we have to run, take care of, maintain.

Andrea, what about you, what did you expect?

Speaking for myself, I really expected a lot of fragmentation in this kind of survey. This is probably coming from a light survey that we, and the light investigation that we did in the past for our company on the topic. So I'm not really surprised that we had very spread answers and many, many tools or frameworks that have been named by the people participating to the radar.
The expectation was that in this very fragmented landscape, we could have found anyway some direction. And that's what we ended up with. We will see later.

Yeah. Okay, so our next step was to survey the end user community and ask them what were they using for secrets management. We actually had a lot more answers, a lot more solutions than this. As Andrea, you were saying, there were a lot of different frameworks here. We ended up, I think, cutting off here because we felt like there wasn't enough data to really justify kind of making a decision on it. And also, if I remember correctly, AWS was originally split into a couple of different options, right? So, Andrea or Steve, do you want to talk about why we ended up collapsing those?

So I think that we were partially motivated to collapse AWS. There were definitely more of AWS's discrete secrets-like services and we collapsed them in part because AWS has made the choice to make each piece of secret management a separate service in their public cloud offering, and it definitely skewed the results. Since there was huge numbers of adoption, simply by virtue of it, not any one service handles each of the parts of secrets management that a typical organization may want to use. So we had a lot of results where a single company was using all of the AWS secrets services and ended up kind of skewing the vote count towards their offerings.

Yeah, that's right, so we did collapse them just so that this wouldn't end up being, you know, five or six different AWS tools, right. And Steve, from the votes here, same as we saw on the last slide, green means adopt, the blue is kind of trial, yellow is assess and then gray is hold. So these are the results that we got from the end user community, and then our next step was to basically decide from these tools, which ones did we think overall the community would have recommended as adopt or trial and assess. This is where we ended up landing.
So, Steve or Andrea, do you want to comment on this?

More than commenting on how this happened to be distinguished between adopt and trial, which was kind of a discussion in terms of number of votes to consider for the different categories, there's a point that is not possible to see from this table. There's a solution that in reality is probably a heterogeneous set of solutions, which is everything home-grown. There were some meaningful votes in the poll, which were referring to in-house solutions for secrets management. We chose not to represent them in this final result table, because they are definitely solutions which are quite different from each other, so we ended up, after a discussion between the team, that it was necessary to investigate further if we wanted to expose which of these technologies were kind of interesting for others potentially. When you face a home-made solution, it's usually something that is very difficult to use for others because they're usually very tailored to a specific situation. That's something I wanted to point out because it's not in the table but it was something that came out from the poll anyway.

So I can definitely add to that. I think, as we've kind of alluded to a handful of times, there was a really long tail of tools that were used here and that were reported as being in use. And so while it's pretty obvious from the votes which of these tools made sense as adopt, the remaining tools, that's where there was a little less obviousness out of them. And because the tail was so long and there were so many votes spread across so many different solutions, we kind of had to use a bit of judgment, going down, and where to really stop in this list.

Okay, great stuff. Okay. This is what the final radar looks like. So in the adopt section we had HashiCorp Vault, AWS Secrets Manager, Certificate Manager, and AWS KMS.
In trial, we had Bitnami Sealed Secrets and encrypted repositories, and in assess we ended up with GCP Secrets Management and SOPS. Next up, I wanted to ask the radar team, from looking at the data that people submitted and from your own experience and what you were expecting going into this, what did you find surprising or interesting or noteworthy themes to point out? So Steve and Andrea and the team put together four themes for us and I'd like us to talk a little bit about those now. So the theme is Vault, and the theme is that Vault has the broadest adoption across many companies and many industries. So Steve, why don't you start.

So, I can say myself and a handful of the radar members were very surprised at the fact that there was such widespread adoption of Vault. Not because it's not an extremely useful tool but simply because it has a pretty high cost of entry. Its operational burden is generally much larger than some of the other tools on this list. And so I personally was pretty confused to see this. But then once we started talking a little bit deeper about it, we started realizing that, you know, this actually makes a lot of sense. I think it has an extremely strong showing because it does a lot of what the other tools do but in a cloud agnostic way. If organizations are split across multiple cloud providers, if they have large footprints in multiple clouds or on prem, Vault is a pretty great tool in order to solve that problem because it's comprehensive, and it doesn't require any more vendor lock-in in a particular public cloud, obviously, being able to be used on prem, you know, across multiple cloud offerings without having to change tactics.
We also kind of came through with this idea that this broader adoption really kind of makes sense when you put it in the context of offering it as an alternative to an in-house solution. Rather than everyone going off and doing their own secrets management tool, Vault is a great tool for that, is very comprehensive and is able to kind of allow people to simply adopt it, and its set of requirements, rather than having to go off and write a solution for each new secret problem that they have, so that can definitely to a higher adoption rate and screen.

Cool. Okay, in that case let's go on to the second theme. Andrea, I'd like you to comment about this one. So after Vault, organizations tended to use the native solutions from their public cloud provider.

Yeah, as Steve already pointed out before, this was something that we expected when we chose the topic for the radar. I tried to reason a little bit around the motivation for this. And, of course, we ended up considering that the cloud providers' native solutions are usually the closest to the user, so they're definitely one of the first choices. If they end up covering the needs that the user has, they are probably the fastest to bring up. So this is something expected. We also took some time to discuss about these results in terms of the potential lock-in effect that it can have on a company decision, which of course is already the choice of cloud provider. Yeah, so probably we ended up saying that there are two different types of organization: those that are split across different cloud providers already considered the lock-in problem in depth and they probably ended up choosing an agnostic tool for the secret management needs; smaller companies which are at their first cloud native experiences are more likely to stick with the solution provided by their cloud providers. That's what we put into evidence.
And what do you do at AuthKeys, because AuthKeys is pretty small, right?

Yeah, that's pretty small. We are sticking with the solutions that are kind of naive in this scenario because the team is very small. So, secret security is mostly managed by encrypted repositories, encrypted data within repositories. We are not yet concerned about sharing the content of repositories across teams. So, we are good enough for now, but of course we are looking at more structured solutions for the future because the problem will come up as soon as the team grows and we have the need to give different visibility to secrets to different teams. So it's something we are working on, so the radar is definitely a good opportunity to figure out what others that are bigger than us already went through.

Cool, thank you. Okay, yeah, let's talk about Certificate Manager because this one is perhaps a little bit different. Steve, what do you think about Certificate Manager becoming popular?

On this radar we noticed it popping up a lot and it was definitely surprising because it's relatively new and it's not a general purpose tool, and it doesn't have like a general purpose solution for many different secret aspects. But one of the things that we kind of returned from this is that, because it has really tight integration with Kubernetes, it can not only be seen as an easy, quick pickup for those who are already using Kubernetes when it comes to managing certificates, but also that it kind of leads us to believe that certificate management is a really high concern. It's top of mind for those who are adopting Kubernetes, and so Certificate Manager kind of comes along, even though it is relatively new, because it solves a specific problem in a simple way. For those that are using Kubernetes, it was a really rapid and easy choice for that ecosystem.
Okay, let's go to our fourth theme. Other solutions in the space are fragmented across various levels of maturity and complexity. Andrea, over to you.

Yep. Yeah, as mentioned before, we ended up with very spread data from the poll. And this was in part expected, at least from my point of view. But we also considered that some of the solutions appear to be at a different level of maturity. Complexity is of course another aspect that is probably responsible for some companies to steer towards some solutions instead of others. So what we ended up resuming on this aspect is that there is probably not already a best practice for managing secrets. This is probably something that can come up in the future because secrets management is not rocket science. It's basically encryption and good practice in workflows. So it's probably something that, in my opinion, and I guess all the radar team also said something like this, is going to converge into more concrete best practices for the future. So it's an ongoing process and it's probably something that is not steady at the moment.

Okay, yeah, thank you for that. Steve or Andrea, any other thoughts, comments, takeaways that you want to make on your radar?

I think so, I think that's covered. I think we have been exhausted.

And then just one final question for you: so how did you actually find the experience of creating this radar?

I let Steve answer first.

I enjoyed it. I thought it was an interesting process to go through. It's interesting to see that amongst CNCF community members.
There is an inherent goal not to reinvent the wheel, and taking through that, kind of getting a chance to participate in the radar and see that a lot of different organizations of a lot of different sizes are implementing solutions around the topic in the same fashion, or in a handful of the same fashions, is really promising. And being able to participate in this and perpetuate that notion of not having to reinvent the wheel, because there are some tools that are ready and able to be adopted by organizations looking to solve the same problems, this has been really great.

And sharing Steve's thinking. And I couldn't have said it better. I'm very thankful to CNCF for the opportunity to participate in this task, in this radar task. It was very enjoyable to create a small team in a short time and, yeah, being able to share our experience and at the same time to be working on this data and figuring out what the main threads were and the main themes that came out from the survey. So really great experience and I'm very happy to be part of it.

Steve and Andrea and the other two members of our radar team, I really want to thank you for your time and putting your thoughts and effort into this. It's been really fun to work with both of you. So I really appreciate it. Thank you. Last but not least, if you want to check out previous editions of the radar you can go to radar.cncf.io. So far we've had three editions on database storage, observability and continuous delivery. So please go and check those out. And then if you want to get involved, we want to really reflect what people care about, what the wider community is thinking about. So if you want to help decide what the next topic for the next radar will be, you can go to cncf.io/tech-radar.
This is just a GitHub issue where you can put in something that you're interested in, you can vote up and down, and the next radar team will take a look at that to see what people are interested in hearing about. Please, if you also come and join the end user community, if you are currently using cloud native, you can contribute towards the future radars, you can come and be part of the radar team. So just check it out, cncf.io/enduser. And then last but not least, I'm always looking for ways to make this more valuable and usable and easy to understand. So if you have any feedback about how we're producing the radars or anything you'd love to see more of, a bit less of, just send an email to info@cncf.io. So that is the end of this edition of the radar, so once again, Steve and Andrea, it's been a pleasure to have you on and talk to you today. So thank you so much.

Thank you for your time with mine. Thank you Cheryl for managing this team and helping out with making it so nicely working, and I say bye bye to everyone and stay tuned for the next radars.

I echo all of that. Thank you so much.