From Terraform to Kubernetes: creating and sharing secrets

This talk goes over several ways to get your credentials from Terraform into your Kubernetes cluster.

Jelmer Snoeck

May 05, 2018
Transcript

  1. From Terraform to Kubernetes
    Creating and Sharing secrets

  2. $ whoami
    ● Engineer @ Manifold
    ● Focus on Operations
    Experience
    ○ Terraform
    ○ Kubernetes
    ● Gopher since 2014
    ● Curator @ Kubelist
    Jelmer Snoeck
    @jelmersnoeck
    github.com/jelmersnoeck

  3. (yes I have stickers)

  4. $ tree
    ● Terraform & Kubernetes
    ● Static secrets
    ● Dynamic secrets

  5. Terraform &
    Kubernetes

  6. So why this talk?

  7. Cloud Native

  8. Static Secrets

  9. (don’t worry, it’s already deprovisioned)

  10. PGP / Saltpack

  11. Cons
    - Team management is hard
      - add team members
      - delete team members
    - Remembering to re-encrypt is hard
    - Obscure encrypted file format
    - Copy paste values from Terraform

  12. $ git-crypt unlock

  13. Cons
    - Team management is still hard
    - Obscure encrypted file format
    - Copy paste values from Terraform
    Pros
    - Encryption is done automatically

  14. Sealed Secrets

  15. Cons
    - Copy paste values from Terraform
    - Manually encrypt values
    - Need access to the cluster to encrypt
    Pros
    - Access is taken care of through the k8s cluster
    - Readable files

  16. Dynamic Secrets

  17. Terraform Kubernetes Provider

  18. Cons
    - Setup might be tricky
      - Spin up k8s and then immediately use it
    - Limited to Terraform secrets
    Pros
    - Secrets are automatically injected
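What "secrets are automatically injected" looks like with the Terraform Kubernetes provider, as an added example (not code from the talk or from Manifold): Terraform generates the credential itself and writes it straight into a Kubernetes Secret, so nobody copy-pastes a value out of Terraform. The namespace, resource and secret names are assumptions, and the provider is assumed to be pointed at an existing cluster through a kubeconfig.

```hcl
# Assumption: the cluster already exists and is reachable via this kubeconfig.
# Configuring the provider from the outputs of a cluster created in the same
# apply is the "spin up k8s and then immediately use it" problem from the slide.
provider "kubernetes" {
  config_path = "~/.kube/config"
}

# Terraform generates the credential; it never passes through a clipboard.
resource "random_password" "db" {
  length  = 32
  special = false
}

resource "kubernetes_namespace" "app" {
  metadata {
    name = "app" # assumed namespace
  }
}

# The provider base64-encodes the values in `data` for you.
resource "kubernetes_secret" "db" {
  metadata {
    name      = "db-credentials" # assumed secret name
    namespace = kubernetes_namespace.app.metadata[0].name
  }
  data = {
    username = "app"
    password = random_password.db.result
  }
  type = "Opaque"
}

# Marking the output sensitive keeps it out of plan/apply logs;
# it is still stored in the Terraform state.
output "db_password" {
  value     = random_password.db.result
  sensitive = true
}
```

The workload then reads the value with a `secretKeyRef` in its Pod spec, so the application never learns where the credential came from. Note the caveat behind the slide's "Limited to Terraform secrets": anything that is not already a Terraform value (a key handed to you by a third party) still has to be put into Terraform somehow, and every value in `data` ends up in plaintext in the state file, which is why the state backend needs its own encryption.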

  19. Hashicorp Vault

  20. Cons
    - Need to add extra setup
      - envconsul
      - application code
    Pros
    - Great Vault features
      - Custom integrations
      - Temporary credentials
      - Rotation
      - RBAC
    - Can store external credentials
    - Vault Operator!

  21. Manifold Credentials Controller

  22. Cons
    - No one-off passwords/temporary keys
    Pros
    - Still using the 12-factor methodology
    - Can connect with external services
    - RBAC at service level

  23. Reminders
    - Encryption
      - secrets
      - etcd
      - remote state
    - RBAC for secrets
    - Figure out what you need
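Two of the reminders above, encrypted remote state and RBAC for secrets, as an added Terraform example (not from the talk). Terraform state holds every secret value it ever wrote, so the backend is configured for server-side encryption, and a namespaced Role limits who may read one specific Secret instead of granting `get` on all secrets. Bucket, table, key alias, namespace and secret names are assumptions.

```hcl
# Remote state: every value Terraform writes into a kubernetes_secret is also
# in this state file in plaintext, so encrypt it at rest and lock it.
terraform {
  backend "s3" {
    bucket         = "example-tfstate"         # assumed bucket
    key            = "k8s/secrets.tfstate"
    region         = "us-east-1"
    encrypt        = true                      # default is false
    kms_key_id     = "alias/terraform-state"   # assumed KMS alias
    dynamodb_table = "terraform-locks"         # assumed lock table
  }
}

# RBAC for secrets: a Role scoped to one named Secret in one namespace.
# Without `resource_names`, "get" on "secrets" would expose every Secret
# in the namespace to this subject.
resource "kubernetes_role" "read_db_secret" {
  metadata {
    name      = "read-db-credentials"
    namespace = "app" # assumed namespace
  }
  rule {
    api_groups     = [""]
    resources      = ["secrets"]
    resource_names = ["db-credentials"] # assumed secret name
    verbs          = ["get"]
  }
}

# Bind the Role to the workload's ServiceAccount only, not to a group of humans.
resource "kubernetes_role_binding" "app_reads_db_secret" {
  metadata {
    name      = "app-read-db-credentials"
    namespace = "app"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.read_db_secret.metadata[0].name
  }
  subject {
    kind      = "ServiceAccount"
    name      = "app" # assumed service account
    namespace = "app"
  }
}
```

The remaining reminder, etcd, is not a Terraform concern: encryption of Secrets at rest in etcd is switched on in the API server's encryption configuration (or by the managed cluster's own setting), and without it a Secret object is stored base64-encoded, not encrypted.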

  24. @jelmersnoeck
    manifold.co
    Thanks
    Questions?

  25. Resources
    - Manifold Credentials Controller
    - Manifold Terraform Provider
    - Hashicorp Vault
    - Hashicorp Vault Operator
    - Bitnami Sealed Secrets