Upgrade to Pro — share decks privately, control downloads, hide ads and more …

From Terraform to Kubernetes: creating and shar...

Jelmer Snoeck
May 05, 2018
Programming
1
950

From Terraform to Kubernetes: creating and sharing secrets

This talk goes over several ways on how to get your credentials from Terraform into your Kubernetes cluster.

Jelmer Snoeck

May 05, 2018
Tweet

More Decks by Jelmer Snoeck

See All by Jelmer Snoeck
Service alerting and monitoring
jelmersnoeck
0
97
The rise of GraphQL
jelmersnoeck
0
82
Deploying Rock Solid Applications with Kubernetes
jelmersnoeck
2
170
Custom Resources for Cloud Native DevOps
jelmersnoeck
1
78
Experimental Refactoring with Go
jelmersnoeck
1
140
let's talk open source software
jelmersnoeck
0
92
The Dark Side Of Microservices
jelmersnoeck
1
170
Workflows
jelmersnoeck
0
130
Inside Darwin Analytics
jelmersnoeck
1
280

Other Decks in Programming

See All in Programming
Remix on Hono on Cloudflare Workers
yusukebe
1
310
最新TCAキャッチアップ
0si43
0
200
Click-free releases & the making of a CLI app
oheyadam
2
120
Why Jakarta EE Matters to Spring - and Vice Versa
ivargrimstad
0
1.2k
TypeScriptでライブラリとの依存を限定的にする方法
tutinoko
3
710
ECS Service Connectのこれまでのアップデートと今後のRoadmapを見てみる
tkikuc
2
260
Pinia Colada が実現するスマートな非同期処理
naokihaba
4
230
TypeScript Graph でコードレビューの心理的障壁を乗り越える
ysk8hori
3
1.2k
Jakarta EE meets AI
ivargrimstad
0
740
PHP でアセンブリ言語のように書く技術
memory1994
PRO
1
170
C++でシェーダを書く
fadis
6
4.1k
OSSで起業してもうすぐ10年 / Open Source Conference 2024 Shimane
furukawayasuto
0
110

Featured

See All Featured
Code Reviewing Like a Champion
maltzj
520
39k
Statistics for Hackers
jakevdp
796
220k
Six Lessons from altMBA
skipperchong
27
3.5k
Side Projects
sachag
452
42k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
44
2.2k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
It's Worth the Effort
3n
183
27k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
380
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
A Philosophy of Restraint
colly
203
16k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k

Transcript

  1. From Terraform to Kubernetes Creating and Sharing secrets From Terraform

    to Kubernetes Creating and Sharing secrets

  2. $ whoami • Engineer @ Manifold • Focus on Operations

    Experience ◦ Terraform ◦ Kubernetes • Gopher since 2014 • Curator @ Kubelist Jelmer Snoeck @jelmersnoeck github.com/jelmersnoeck

  3. (yes I have stickers)

  4. $ tree • Terraform & Kubernetes • Static secrets •

    Dynamic secrets

  5. Terraform & Kubernetes

  6. None
  7. None

  8. So why this talk?

  9. Cloud Native

  10. Setup

  11. None

  12. Static Secrets

  13. None
  14. None

  15. (don’t worry, it’s already deprovisioned)

  16. None

  17. PGP / Saltpack

  18. None
  19. None
  20. None

  21. Cons - Team management is hard - add team members

    - delete team members - Remembering to re-encrypt is hard - Obscure encrypted file format - Copy paste values from Terraform

  22. git-crypt

  23. None
  24. None
  25. None
  26. None
  27. None

  28. $ git-crypt unlock

  29. None

  30. Cons - Team management is still hard - Obscure encrypted

    file format - Copy paste values from Terraform Pros - Encryption is done automatically

  31. Sealed Secrets

  32. None
  33. None
  34. None
  35. None

  36. Cons - Copy paste values from Terraform - Manually encrypt

    values - Need access to the cluster to encrypt Pros - Access is taken care of through the k8s cluster - Readable files
  37. None

  38. Dynamic Secrets

  39. Terraform Kubernetes Provider

  40. None
  41. None

  42. Cons - Setup might be tricky - Spin up k8s

    and then immediately use it - Limited to Terraform secrets Pros - Secrets are automatically injected

  43. Hashicorp Vault

  44. None
  45. None
  46. None

  47. Cons - Need to add extra setup - envconsul -

    application code Pros - Great Vault features - Custom integrations - Temporary credentials - Rotation - RBAC - Can store external credentials - Vault Operator!

  48. Manifold Credentials Controller

  49. None
  50. None
  51. None
  52. None
  53. None
  54. None

  55. Cons - No one off passwords/temporary keys Pros - Still

    using the 12factor methodology - Can connect with external services - RBAC at service level

  56. Reminders - Encryption - secrets - etcd - remote state

    - RBAC for secrets - Figure out what you need

  57. @jelmersnoeck manifold.co Thanks Questions?

  58. Resources - Manifold Credentials Controller - Manifold Terraform Provider -

    Hashicorp Vault - Hashicorp Vault Operator - Bitnami Sealed Secrets