From Terraform to Kubernetes: creating and sharing secrets

Transcript

1. From Terraform to Kubernetes Creating and Sharing secrets From Terraform

   to Kubernetes Creating and Sharing secrets

2. $ whoami • Engineer @ Manifold • Focus on Operations

   Experience ◦ Terraform ◦ Kubernetes • Gopher since 2014 • Curator @ Kubelist Jelmer Snoeck @jelmersnoeck github.com/jelmersnoeck

3. (yes I have stickers)

4. $ tree • Terraform & Kubernetes • Static secrets •

   Dynamic secrets

5. Terraform & Kubernetes

6. None
7. None

8. So why this talk?

9. Cloud Native

10. Setup

11. None

12. Static Secrets

13. None
14. None

15. (don’t worry, it’s already deprovisioned)

16. None

17. PGP / Saltpack

18. None
19. None
20. None

21. Cons - Team management is hard - add team members

    - delete team members - Remembering to re-encrypt is hard - Obscure encrypted file format - Copy paste values from Terraform

22. git-crypt

23. None
24. None
25. None
26. None
27. None

28. $ git-crypt unlock

29. None

30. Cons - Team management is still hard - Obscure encrypted

    file format - Copy paste values from Terraform Pros - Encryption is done automatically

31. Sealed Secrets

32. None
33. None
34. None
35. None

36. Cons - Copy paste values from Terraform - Manually encrypt

    values - Need access to the cluster to encrypt Pros - Access is taken care of through the k8s cluster - Readable files
37. None

38. Dynamic Secrets

39. Terraform Kubernetes Provider

40. None
41. None

42. Cons - Setup might be tricky - Spin up k8s

    and then immediately use it - Limited to Terraform secrets Pros - Secrets are automatically injected

43. Hashicorp Vault

44. None
45. None
46. None

47. Cons - Need to add extra setup - envconsul -

    application code Pros - Great Vault features - Custom integrations - Temporary credentials - Rotation - RBAC - Can store external credentials - Vault Operator!

48. Manifold Credentials Controller

49. None
50. None
51. None
52. None
53. None
54. None

55. Cons - No one off passwords/temporary keys Pros - Still

    using the 12factor methodology - Can connect with external services - RBAC at service level

56. Reminders - Encryption - secrets - etcd - remote state

    - RBAC for secrets - Figure out what you need

57. @jelmersnoeck manifold.co Thanks Questions?

58. Resources - Manifold Credentials Controller - Manifold Terraform Provider -

    Hashicorp Vault - Hashicorp Vault Operator - Bitnami Sealed Secrets