From Terraform to Kubernetes: creating and sharing secrets

This talk goes over several ways to get your credentials from Terraform into your Kubernetes cluster.

Jelmer Snoeck

May 05, 2018

Transcript

  1. From Terraform to Kubernetes: Creating and Sharing Secrets

  2. $ whoami
    • Engineer @ Manifold
    • Focus on Operations Experience
      ◦ Terraform
      ◦ Kubernetes
    • Gopher since 2014
    • Curator @ Kubelist
    Jelmer Snoeck, @jelmersnoeck, github.com/jelmersnoeck

  3. (yes I have stickers)

  4. $ tree
    • Terraform & Kubernetes
    • Static secrets
    • Dynamic secrets

  5. Terraform & Kubernetes

  8. So why this talk?

  9. Cloud Native

  10. Setup

  12. Static Secrets

  15. (don’t worry, it’s already deprovisioned)

  17. PGP / Saltpack

  21. Cons
    - Team management is hard
      - add team members
      - delete team members
    - Remembering to re-encrypt is hard
    - Obscure encrypted file format
    - Copy paste values from Terraform

  22. git-crypt

  28. $ git-crypt unlock

  30. Cons
    - Team management is still hard
    - Obscure encrypted file format
    - Copy paste values from Terraform
    Pros
    - Encryption is done automatically

  31. Sealed Secrets

  36. Cons
    - Copy paste values from Terraform
    - Manually encrypt values
    - Need access to the cluster to encrypt
    Pros
    - Access is taken care of through the k8s cluster
    - Readable files

  38. Dynamic Secrets

  39. Terraform Kubernetes Provider

  42. Cons
    - Setup might be tricky
      - Spin up k8s and then immediately use it
    - Limited to Terraform secrets
    Pros
    - Secrets are automatically injected
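
As an added example (not code from the talk or from Manifold), a minimal Terraform configuration for the dynamic-secrets approach on slides 39 to 42: a password generated by Terraform lands in the cluster as a `kubernetes_secret` without anyone copying, hand-encrypting or committing it, and the state backend is encrypted as slide 56 reminds. The variable names, the S3 bucket and the assumption that the cluster lives in a separate Terraform root module are mine.

```hcl
terraform {
  required_providers {
    kubernetes = { source = "hashicorp/kubernetes" }
    random     = { source = "hashicorp/random" }
  }

  # Reminder from slide 56: the generated password is stored in Terraform
  # state, so remote state must be encrypted and access-controlled.
  # The bucket name is an assumed placeholder.
  backend "s3" {
    bucket  = "example-terraform-state"
    key     = "k8s-secrets/terraform.tfstate"
    region  = "us-east-1"
    encrypt = true
  }
}

# Assumption: the cluster was created by a separate Terraform root module and
# its connection details are passed in as variables. Configuring this provider
# from a cluster resource created in the same apply is the "spin up k8s and
# then immediately use it" problem from slide 42.
variable "cluster_host" { type = string }
variable "cluster_ca_certificate" { type = string } # base64-encoded PEM
variable "cluster_token" { type = string }

provider "kubernetes" {
  host                   = var.cluster_host
  token                  = var.cluster_token
  cluster_ca_certificate = base64decode(var.cluster_ca_certificate)
}

# The credential is generated inside Terraform, so nothing is copy-pasted,
# hand-encrypted or committed to git; it exists only in state and in etcd.
resource "random_password" "db" {
  length  = 32
  special = false
}

resource "kubernetes_secret" "db_credentials" {
  metadata {
    name      = "db-credentials"
    namespace = "default"
  }
  type = "Opaque"
  data = {
    # The provider base64-encodes these values; pass them as plain strings.
    username = "app"
    password = random_password.db.result
  }
}
```

Workloads consume `db-credentials` through a volume or `envFrom` like any other Secret; following slide 56, restrict `get` and `list` on Secrets with RBAC so only the workload's service account can read it.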
  43. Hashicorp Vault

  47. Cons
    - Need to add extra setup
      - envconsul
      - application code
    Pros
    - Great Vault features
    - Custom integrations
    - Temporary credentials
    - Rotation
    - RBAC
    - Can store external credentials
    - Vault Operator!

  48. Manifold Credentials Controller

  55. Cons
    - No one-off passwords/temporary keys
    Pros
    - Still using the 12factor methodology
    - Can connect with external services
    - RBAC at service level

  56. Reminders
    - Encryption
      - secrets
      - etcd
      - remote state
    - RBAC for secrets
    - Figure out what you need

  57. @jelmersnoeck manifold.co Thanks Questions?

  58. Resources
    - Manifold Credentials Controller
    - Manifold Terraform Provider
    - Hashicorp Vault
    - Hashicorp Vault Operator
    - Bitnami Sealed Secrets