Upgrade to Pro — share decks privately, control downloads, hide ads and more …

From Terraform to Kubernetes: creating and sharing secrets

Jelmer Snoeck
May 05, 2018
Programming
1
890

From Terraform to Kubernetes: creating and sharing secrets

This talk goes over several ways on how to get your credentials from Terraform into your Kubernetes cluster.

Jelmer Snoeck

May 05, 2018
Tweet

More Decks by Jelmer Snoeck

See All by Jelmer Snoeck
Service alerting and monitoring
jelmersnoeck
0
49
The rise of GraphQL
jelmersnoeck
0
75
Deploying Rock Solid Applications with Kubernetes
jelmersnoeck
2
160
Custom Resources for Cloud Native DevOps
jelmersnoeck
1
57
Experimental Refactoring with Go
jelmersnoeck
1
130
let's talk open source software
jelmersnoeck
0
88
The Dark Side Of Microservices
jelmersnoeck
1
150
Workflows
jelmersnoeck
0
120
Inside Darwin Analytics
jelmersnoeck
1
200

Other Decks in Programming

See All in Programming
第6回 AWSとGitHub勉強会 - AWS ECS Fargate環境の構築 -
ogiwarat
0
110
PHP8.2にバージョンアップして もっと型表現を豊かにしよう
akitotsukahara
0
150
第2回 AWSとGitHub勉強会 - CodespacesとHelidonの利用 -
ogiwarat
0
110
KustoクエリのChatGPT Plugin!
tomokusaba
0
260
Jetpack Compose の Side-effect を使いこなす / DroidKaigi 2023
star_zero
1
520
Exploring Code Smells - ElixirConf US 2023
elainenaomi
1
230
Flutterにおけるアプリ内課金実装 -Android/iOS完全なる統一 -
nacatl
1
610
A tale of two plugins: safely extending the Kubernetes Scheduler with WebAssembly
sanposhiho
0
150
GDSC NYCU 2023 茶會
rabbitmagician1
1
110
Rich UI implementation examples using Jetpack Compose (Jetpack Composeを活用した強力なUI表現の実装実例)
iimokoy
0
810
Creative coding starting with Ruby
chobishiba
1
590
Jakarta EE Guide for Spring Developers
ivargrimstad
0
330

Featured

See All Featured
The Power of CSS Pseudo Elements
geoffreycrofte
56
4.6k
How New CSS Is Changing Everything About Graphic Design on the Web
jensimmons
215
12k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
36
22k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
0
2.3k
Designing for Performance
lara
601
66k
Robots, Beer and Maslow
schacon
154
7.6k
Art, The Web, and Tiny UX
lynnandtonic
285
18k
Build The Right Thing And Hit Your Dates
maggiecrowley
23
1.7k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
351
28k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
112
17k
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.6k
Designing Experiences People Love
moore
133
22k

Transcript

  1. From Terraform to
    Kubernetes
    Creating and Sharing secrets
    From Terraform to Kubernetes
    Creating and Sharing secrets

    View Slide

  2. $ whoami
    ● Engineer @ Manifold
    ● Focus on Operations
    Experience
    ○ Terraform
    ○ Kubernetes
    ● Gopher since 2014
    ● Curator @ Kubelist
    Jelmer Snoeck
    @jelmersnoeck
    github.com/jelmersnoeck

    View Slide

  3. (yes I have stickers)

    View Slide

  4. $ tree
    ● Terraform & Kubernetes
    ● Static secrets
    ● Dynamic secrets

    View Slide

  5. Terraform &
    Kubernetes

    View Slide

  6. View Slide

  7. View Slide

  8. So why this talk?

    View Slide

  9. Cloud Native

    View Slide

  10. Setup

    View Slide

  11. View Slide

  12. Static Secrets

    View Slide

  13. View Slide

  14. View Slide

  15. (don’t worry, it’s already deprovisioned)

    View Slide

  16. View Slide

  17. PGP / Saltpack

    View Slide

  18. View Slide

  19. View Slide

  20. View Slide

  21. Cons
    - Team management is hard
    - add team members
    - delete team members
    - Remembering to re-encrypt is hard
    - Obscure encrypted file format
    - Copy paste values from Terraform

    View Slide

  22. git-crypt

    View Slide

  23. View Slide

  24. View Slide

  25. View Slide

  26. View Slide

  27. View Slide

  28. $ git-crypt unlock

    View Slide

  29. View Slide

  30. Cons
    - Team management is still hard
    - Obscure encrypted file format
    - Copy paste values from Terraform
    Pros
    - Encryption is done automatically

    View Slide

  31. Sealed Secrets

    View Slide

  32. View Slide

  33. View Slide

  34. View Slide

  35. View Slide

  36. Cons
    - Copy paste values from Terraform
    - Manually encrypt values
    - Need access to the cluster to encrypt
    Pros
    - Access is taken care of through the k8s cluster
    - Readable files

    View Slide

  37. View Slide

  38. Dynamic Secrets

    View Slide

  39. Terraform Kubernetes Provider

    View Slide

  40. View Slide

  41. View Slide

  42. Cons
    - Setup might be tricky
    - Spin up k8s and then immediately use it
    - Limited to Terraform secrets
    Pros
    - Secrets are automatically injected

    View Slide

  43. Hashicorp Vault

    View Slide

  44. View Slide

  45. View Slide

  46. View Slide

  47. Cons
    - Need to add extra setup
    - envconsul
    - application code
    Pros
    - Great Vault features
    - Custom integrations
    - Temporary credentials
    - Rotation
    - RBAC
    - Can store external credentials
    - Vault Operator!

    View Slide

  48. Manifold Credentials Controller

    View Slide

  49. View Slide

  50. View Slide

  51. View Slide

  52. View Slide

  53. View Slide

  54. View Slide

  55. Cons
    - No one off passwords/temporary keys
    Pros
    - Still using the 12factor methodology
    - Can connect with external services
    - RBAC at service level

    View Slide

  56. Reminders
    - Encryption
    - secrets
    - etcd
    - remote state
    - RBAC for secrets
    - Figure out what you need

    View Slide

  57. @jelmersnoeck
    manifold.co
    Thanks
    Questions?

    View Slide

  58. Resources
    - Manifold Credentials Controller
    - Manifold Terraform Provider
    - Hashicorp Vault
    - Hashicorp Vault Operator
    - Bitnami Sealed Secrets

    View Slide