From Terraform to Kubernetes: creating and sharing secrets

This talk goes over several ways to get your credentials from Terraform into your Kubernetes cluster.

Jelmer Snoeck

May 05, 2018

Transcript

  1. From Terraform to Kubernetes
    Creating and Sharing secrets

  2. $ whoami
    ● Engineer @ Manifold
    ● Focus on Operations
    Experience
    ○ Terraform
    ○ Kubernetes
    ● Gopher since 2014
    ● Curator @ Kubelist
    Jelmer Snoeck
    @jelmersnoeck
    github.com/jelmersnoeck

  3. (yes I have stickers)

  4. $ tree
    ● Terraform & Kubernetes
    ● Static secrets
    ● Dynamic secrets

  5. Terraform &
    Kubernetes

  8. So why this talk?

  9. Cloud Native

  10. Setup

  12. Static Secrets

  15. (don’t worry, it’s already deprovisioned)

  17. PGP / Saltpack

  21. Cons
    - Team management is hard
      - add team members
      - delete team members
    - Remembering to re-encrypt is hard
    - Obscure encrypted file format
    - Copy paste values from Terraform

  22. git-crypt

  28. $ git-crypt unlock

  30. Cons
    - Team management is still hard
    - Obscure encrypted file format
    - Copy paste values from Terraform
    Pros
    - Encryption is done automatically

  31. Sealed Secrets

  36. Cons
    - Copy paste values from Terraform
    - Manually encrypt values
    - Need access to the cluster to encrypt
    Pros
    - Access is taken care of through the k8s cluster
    - Readable files

  38. Dynamic Secrets

  39. Terraform Kubernetes Provider

  42. Cons
    - Setup might be tricky
      - Spin up k8s and then immediately use it
    - Limited to Terraform secrets
    Pros
    - Secrets are automatically injected

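    As an added example (not from the deck or from Manifold's code), this is what the Terraform Kubernetes provider approach on the slide above looks like in HCL: Terraform generates the credential and writes it straight into the cluster as a Secret, so nothing is copy-pasted between tools. The kubeconfig path, the namespace "payments" and the secret name "db-credentials" are assumptions.

```hcl
terraform {
  required_providers {
    random     = { source = "hashicorp/random" }
    kubernetes = { source = "hashicorp/kubernetes" }
  }
}

# Assumption: the kubeconfig for the freshly created cluster is at the default path.
provider "kubernetes" {
  config_path = "~/.kube/config"
}

# Terraform generates the credential itself; the value never passes
# through a human or a file in the repository.
resource "random_password" "db" {
  length  = 32
  special = false
}

# The same value is injected into the cluster as a Kubernetes Secret.
# The provider base64-encodes the `data` values for you.
resource "kubernetes_secret" "db" {
  metadata {
    name      = "db-credentials" # assumed name
    namespace = "payments"       # assumed namespace
  }

  data = {
    username = "app"
    password = random_password.db.result
  }

  type = "Opaque"
}

# Mark the output sensitive so plan/apply output redacts it.
output "db_password" {
  value     = random_password.db.result
  sensitive = true
}
```

    The plaintext password still lands in the Terraform state file, which is why the "remote state" encryption reminder at the end of the talk matters as much as encrypting the Secret in etcd and restricting RBAC on Secrets.
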
  43. Hashicorp Vault

  47. Cons
    - Need to add extra setup
      - envconsul
      - application code
    Pros
    - Great Vault features
      - Custom integrations
      - Temporary credentials
      - Rotation
      - RBAC
    - Can store external credentials
    - Vault Operator!

  48. Manifold Credentials Controller

  55. Cons
    - No one-off passwords/temporary keys
    Pros
    - Still using the 12factor methodology
    - Can connect with external services
    - RBAC at service level

  56. Reminders
    - Encryption
      - secrets
      - etcd
      - remote state
    - RBAC for secrets
    - Figure out what you need

  57. @jelmersnoeck
    manifold.co
    Thanks
    Questions?

  58. Resources
    - Manifold Credentials Controller
    - Manifold Terraform Provider
    - Hashicorp Vault
    - Hashicorp Vault Operator
    - Bitnami Sealed Secrets
