Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure Your Secrets in GitOps
Search
Rosemary Wang
May 19, 2022
Programming
1
100
Secure Your Secrets in GitOps
Learn how to inject secrets into your applications with Flux, a GitOps tool on Kubernetes.
Rosemary Wang
May 19, 2022
Tweet
Share
More Decks by Rosemary Wang
See All by Rosemary Wang
Build for massive scale & security with the HashiCorp Cloud Platform
joatmon08
0
37
People, process, and technology for ILM and SLM adoption
joatmon08
0
22
Secure Day 2 operations with Boundary and Vault
joatmon08
0
50
Can You Test Your Infrastructure as Code?
joatmon08
1
90
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
49
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
65
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
62
Break Glass, Repair Fast, Reconcile Automation
joatmon08
2
55
Building a Developer Platform? Ask these questions.
joatmon08
0
67
Other Decks in Programming
See All in Programming
Bytecode Manipulation 으로 생산성 높이기
bigstark
2
360
なぜ適用するか、移行して理解するClean Architecture 〜構造を超えて設計を継承する〜 / Why Apply, Migrate and Understand Clean Architecture - Inherit Design Beyond Structure
seike460
PRO
1
300
deno-redisの紹介とJSRパッケージの運用について (toranoana.deno #21)
uki00a
0
130
Composerが「依存解決」のためにどんな工夫をしているか #phpcon
o0h
PRO
1
130
今ならAmazon ECSのサービス間通信をどう選ぶか / Selection of ECS Interservice Communication 2025
tkikuc
12
2.9k
Blazing Fast UI Development with Compose Hot Reload (droidcon New York 2025)
zsmb
1
130
イベントストーミングから始めるドメイン駆動設計
jgeem
4
870
カクヨムAndroidアプリのリブート
numeroanddev
0
430
Perplexity Slack Botを作ってAI活用を進めた話 / AI Engineering Summit プレイベント
n3xem
0
670
C++20 射影変換
faithandbrave
0
500
XP, Testing and ninja testing
m_seki
2
140
Datadog RUM 本番導入までの道
shinter61
1
310
Featured
See All Featured
Agile that works and the tools we love
rasmusluckow
329
21k
Done Done
chrislema
184
16k
BBQ
matthewcrist
89
9.7k
Build your cross-platform service in a week with App Engine
jlugia
231
18k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
VelocityConf: Rendering Performance Case Studies
addyosmani
330
24k
Why Our Code Smells
bkeepers
PRO
337
57k
Reflections from 52 weeks, 52 projects
jeffersonlam
351
20k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.7k
The Cult of Friendly URLs
andyhume
79
6.4k
The Invisible Side of Design
smashingmag
299
51k
The World Runs on Bad Software
bkeepers
PRO
69
11k
Transcript
Copyright © 2022 HashiCorp Secure Your Secrets in GitOps May
19, 2021 Rosemary Wang Developer Advocate at HashiCorp she/her @joatmon08 1
Works, but not ideal. Use SOPS to encrypt and store
in version control. 1 2 3 fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-hashicorp-vault SOPS 2. Commit encrypted secret to version control. 1. Use encryption key from Vault to encrypt secret. 2
What happens when you accidentally commit a plaintext secret? 3
1. Regret 2. Revoke 3. Rotate 4. Reference 5. Replace
6. Re-run Plan R AKA Remediation 4
Is there a better way? 5
Kubernetes Secret Plaintext 😨 Needs role-based access controls 🤔 Secrets
Manager Securely stores secrets (Some) Rotate secrets for you Audits access Securing Secrets Credentials, Tokens, Keys, Certificates 6
Secrets Manager + Kubernetes Use file-based secrets injection with Secrets
Store CSI Driver. 1 2 3 secrets-store-csi-driver.sigs.k8s.io/ vaultproject.io/docs/platform/k8s/csi @joatmon08 7
If you still need Kubernetes secrets… Sync as Kubernetes Secret
with Secrets Store CSI Driver. 1 2 3 8
github.com/ joatmon08/ hashicorp-vault-flux 9
1. hashicorp.com/blog/manage-kubernetes-secrets- for-flux-with-hashicorp-vault 2. fluxcd.io/docs/guides/mozilla-sops/#encrypting-s ecrets-using-hashicorp-vault 3. secrets-store-csi-driver.sigs.k8s.io/ 4. vaultproject.io/docs/platform/k8s/csi
5. vaultproject.io/docs/platform/k8s/injector Resources 10
Copyright © 2022 HashiCorp Thank you! May 19, 2021 Rosemary
Wang @joatmon08 joatmon08.github.io 11