Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure Your Secrets in GitOps

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Rosemary Wang Rosemary Wang
May 19, 2022
Programming
1
120

Secure Your Secrets in GitOps

Learn how to inject secrets into your applications with Flux, a GitOps tool on Kubernetes.

Avatar for Rosemary Wang

Rosemary Wang

May 19, 2022
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
Build for massive scale & security with the HashiCorp Cloud Platform
Avatar for Rosemary Wang joatmon08
0
79
People, process, and technology for ILM and SLM adoption
Avatar for Rosemary Wang joatmon08
0
65
Secure Day 2 operations with Boundary and Vault
Avatar for Rosemary Wang joatmon08
0
75
Can You Test Your Infrastructure as Code?
Avatar for Rosemary Wang joatmon08
1
110
Multi-Account, Multi-Region, Multi-Runtime
Avatar for Rosemary Wang joatmon08
1
74
Building a multi-account, multi-runtime service-oriented architecture
Avatar for Rosemary Wang joatmon08
0
79
Choose Your Own Abstraction: Iterating on Developer Experience
Avatar for Rosemary Wang joatmon08
0
110
Break Glass, Repair Fast, Reconcile Automation
Avatar for Rosemary Wang joatmon08
1
82
Building a Developer Platform? Ask these questions.
Avatar for Rosemary Wang joatmon08
0
93

Other Decks in Programming

See All in Programming
猫の手も借りたい!ので AIエージェント猫を作って社内に放した話 Claude Code × Container Lambda の Slack Bot "DevNeko"
Avatar for naramomi7 naramomi7
0
260
What Spring Developers Should Know About Jakarta EE
Avatar for ivargrimstad ivargrimstad
0
330
社内規程RAGの精度を73.3% → 100%に改善した話
Avatar for oharu121 oharu121
13
8.1k
AI時代のソフトウェア開発でも「人が仕様を書く」から始めよう-医療IT現場での実践とこれから
Avatar for kouki.miura koukimiura
0
150
メタプログラミングで実現する「コードを仕様にする」仕組み/nikkei-tech-talk43
Avatar for 日本経済新聞社 エンジニア採用事務局 nikkei_engineer_recruiting
0
190
PostgreSQL を使った快適な go test 環境を求めて
Avatar for Kotaro Otaka otakakot
0
550
API Platformを活用したPHPによる本格的なWeb API開発 / api-platform-book-intro
Avatar for Takashi Kanemoto ttskch
1
140
AIに任せる範囲を安全に広げるためにやっていること
Avatar for Masashi Fukuzawa fukucheee
0
130
守る「だけ」の優しいEMを抜けて、 事業とチームを両方見る視点を身につけた話
Avatar for Mitsui maroon8021
3
960
Fundamentals of Software Engineering In the Age of AI
Avatar for Dan Vega therealdanvega
1
260
Unity6.3 AudioUpdate
Avatar for Cova8bitdots cova8bitdots
0
130
ポーリング処理廃止によるイベント駆動アーキテクチャへの移行
Avatar for Seitaro Fujigaki seitarof
3
1.1k

Featured

See All Featured
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
38
2.8k
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
239
140k
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
46
8.1k
What the history of the web can teach us about the future of AI
Avatar for Ines Montani inesmontani
PRO
1
470
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
21
1.4k
Beyond borders and beyond the search box: How to win the global "messy middle" with AI-driven SEO
Avatar for David Carrasco davidcarrasco
3
74
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
3k
Practical Orchestrator
Avatar for Shlomi Noach shlominoach
191
11k
Neural Spatial Audio Processing for Sound Field Analysis and Control
Avatar for NII S. Koyama's Lab skoyamalab
0
220
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
59
6.4k
The Art of Programming - Codeland 2020
Avatar for Erika Heidi erikaheidi
57
14k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
52
5.9k

Transcript

  1. Copyright © 2022 HashiCorp Secure Your Secrets in GitOps May

    19, 2021 Rosemary Wang Developer Advocate at HashiCorp she/her @joatmon08 1

  2. Works, but not ideal. Use SOPS to encrypt and store

    in version control. 1 2 3 fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-hashicorp-vault SOPS 2. Commit encrypted secret to version control. 1. Use encryption key from Vault to encrypt secret. 2

  3. What happens when you accidentally commit a plaintext secret? 3

  4. 1. Regret 2. Revoke 3. Rotate 4. Reference 5. Replace

    6. Re-run Plan R AKA Remediation 4

  5. Is there a better way? 5

  6. Kubernetes Secret Plaintext 😨 Needs role-based access controls 🤔 Secrets

    Manager Securely stores secrets (Some) Rotate secrets for you Audits access Securing Secrets Credentials, Tokens, Keys, Certificates 6

  7. Secrets Manager + Kubernetes Use file-based secrets injection with Secrets

    Store CSI Driver. 1 2 3 secrets-store-csi-driver.sigs.k8s.io/ vaultproject.io/docs/platform/k8s/csi @joatmon08 7

  8. If you still need Kubernetes secrets… Sync as Kubernetes Secret

    with Secrets Store CSI Driver. 1 2 3 8

  9. github.com/ joatmon08/ hashicorp-vault-flux 9

  10. 1. hashicorp.com/blog/manage-kubernetes-secrets- for-flux-with-hashicorp-vault 2. fluxcd.io/docs/guides/mozilla-sops/#encrypting-s ecrets-using-hashicorp-vault 3. secrets-store-csi-driver.sigs.k8s.io/ 4. vaultproject.io/docs/platform/k8s/csi

    5. vaultproject.io/docs/platform/k8s/injector Resources 10

  11. Copyright © 2022 HashiCorp Thank you! May 19, 2021 Rosemary

    Wang @joatmon08 joatmon08.github.io 11