Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure Your Secrets in GitOps

Rosemary Wang
May 19, 2022
Programming
1
62

Secure Your Secrets in GitOps

Learn how to inject secrets into your applications with Flux, a GitOps tool on Kubernetes.

Rosemary Wang

May 19, 2022
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
Can You Test Your Infrastructure as Code?
joatmon08
1
11
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
12
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
9
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
13
Break Glass, Repair Fast, Reconcile Automation
joatmon08
2
24
Building a Developer Platform? Ask these questions.
joatmon08
0
10
From Cloud-Hosted to Cloud-Native
joatmon08
0
44
Refactoring Applications for Dynamic Secrets
joatmon08
1
29
Catching Commits to Secure Infrastructure as Code
joatmon08
1
39

Other Decks in Programming

See All in Programming
PHP8.3の機能を振り返る / Review of PHP 8.3 features
seike460
PRO
1
110
1BRC--Nerd Sniping the Java Community
gunnarmorling
0
340
Ruby GitHub Packages
bkuhlmann
0
630
エンターテイメント業界で利用されるAWS
demuyan
0
210
Rubyでたのしむクリエイティブコーディング/Enjoy Creative coding with Ruby
chobishiba
1
180
코틀린으로 멀티플랫폼 만들기
pangmoo
0
150
Elm Form Validation
bkuhlmann
0
510
educure_カリキュラム生操作マニュアル.pdf
linew_official
0
740
TYPO3 v13 – The road to LTS: What's new and new APIs
luisasofie_xoxo
0
200
AWS Application Composerで始める、 サーバーレスなデータ基盤構築 / 20240406-jawsug-hokuriku-shinkansen
kasacchiful
1
260
コーンフレークから始める モデリング会話入門
ogurotakayuki
0
360
MetricKitで予期せぬ終了を検知する話 / Detect unexpected termination with MetricKit
nekowen
1
180

Featured

See All Featured
Creatively Recalculating Your Daily Design Routine
revolveconf
210
11k
GraphQLとの向き合い方2022年版
quramy
32
12k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
187
16k
A Modern Web Designer's Workflow
chriscoyier
689
190k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
Code Reviewing Like a Champion
maltzj
514
39k
Practical Orchestrator
shlominoach
182
9.7k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
125
32k
[RailsConf 2023] Rails as a piece of cake
palkan
23
3.9k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.1k
VelocityConf: Rendering Performance Case Studies
addyosmani
320
23k

Transcript

  1. Copyright © 2022 HashiCorp Secure Your Secrets in GitOps May

    19, 2021 Rosemary Wang Developer Advocate at HashiCorp she/her @joatmon08 1

  2. Works, but not ideal. Use SOPS to encrypt and store

    in version control. 1 2 3 fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-hashicorp-vault SOPS 2. Commit encrypted secret to version control. 1. Use encryption key from Vault to encrypt secret. 2

  3. What happens when you accidentally commit a plaintext secret? 3

  4. 1. Regret 2. Revoke 3. Rotate 4. Reference 5. Replace

    6. Re-run Plan R AKA Remediation 4

  5. Is there a better way? 5

  6. Kubernetes Secret Plaintext 😨 Needs role-based access controls 🤔 Secrets

    Manager Securely stores secrets (Some) Rotate secrets for you Audits access Securing Secrets Credentials, Tokens, Keys, Certificates 6

  7. Secrets Manager + Kubernetes Use file-based secrets injection with Secrets

    Store CSI Driver. 1 2 3 secrets-store-csi-driver.sigs.k8s.io/ vaultproject.io/docs/platform/k8s/csi @joatmon08 7

  8. If you still need Kubernetes secrets… Sync as Kubernetes Secret

    with Secrets Store CSI Driver. 1 2 3 8

  9. github.com/ joatmon08/ hashicorp-vault-flux 9

  10. 1. hashicorp.com/blog/manage-kubernetes-secrets- for-flux-with-hashicorp-vault 2. fluxcd.io/docs/guides/mozilla-sops/#encrypting-s ecrets-using-hashicorp-vault 3. secrets-store-csi-driver.sigs.k8s.io/ 4. vaultproject.io/docs/platform/k8s/csi

    5. vaultproject.io/docs/platform/k8s/injector Resources 10

  11. Copyright © 2022 HashiCorp Thank you! May 19, 2021 Rosemary

    Wang @joatmon08 joatmon08.github.io 11