Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure Your Secrets in GitOps

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Rosemary Wang Rosemary Wang
May 19, 2022
Programming
1
110

Secure Your Secrets in GitOps

Learn how to inject secrets into your applications with Flux, a GitOps tool on Kubernetes.

Avatar for Rosemary Wang

Rosemary Wang

May 19, 2022
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
Build for massive scale & security with the HashiCorp Cloud Platform
Avatar for Rosemary Wang joatmon08
0
72
People, process, and technology for ILM and SLM adoption
Avatar for Rosemary Wang joatmon08
0
59
Secure Day 2 operations with Boundary and Vault
Avatar for Rosemary Wang joatmon08
0
69
Can You Test Your Infrastructure as Code?
Avatar for Rosemary Wang joatmon08
1
100
Multi-Account, Multi-Region, Multi-Runtime
Avatar for Rosemary Wang joatmon08
1
65
Building a multi-account, multi-runtime service-oriented architecture
Avatar for Rosemary Wang joatmon08
0
77
Choose Your Own Abstraction: Iterating on Developer Experience
Avatar for Rosemary Wang joatmon08
0
100
Break Glass, Repair Fast, Reconcile Automation
Avatar for Rosemary Wang joatmon08
1
75
Building a Developer Platform? Ask these questions.
Avatar for Rosemary Wang joatmon08
0
87

Other Decks in Programming

See All in Programming
AIによる高速開発をどう制御するか? ガードレール設置で開発速度と品質を両立させたチームの事例
Avatar for tonkotsuboy_com tonkotsuboy_com
7
2.2k
Automatic Grammar Agreementと Markdown Extended Attributes
について
Avatar for Kishikawa Katsumi kishikawakatsumi
0
180
なるべく楽してバックエンドに型をつけたい!(楽とは言ってない)
Avatar for HIBIKI CUBE hibiki_cube
0
140
IFSによる形状設計/デモシーンの魅力 @ 慶應大学SFC
Avatar for がむ gam0022
1
300
Implementation Patterns
Avatar for Denys Poltorak denyspoltorak
0
280
組織で育むオブザーバビリティ
Avatar for ryotaro kobayashi ryota_hnk
0
170
Package Management Learnings from Homebrew
Avatar for Mike McQuaid mikemcquaid
0
210
登壇資料を作る時に意識していること #登壇資料_findy
Avatar for konifar konifar
4
1k
AI時代の認知負荷との向き合い方
Avatar for OptFit Corp. optfit
0
150
20260127_試行錯誤の結晶を1冊に。著者が解説 先輩データサイエンティストからの指南書 / author's_commentary_ds_instructions_guide
Avatar for nash_efp nash_efp
1
940
Unicodeどうしてる? PHPから見たUnicode対応と他言語での対応についてのお伺い
Avatar for てきめん tekimen youkidearitai
PRO
1
2.5k
Amazon Bedrockを活用したRAGの品質管理パイプライン構築
Avatar for とすり tosuri13
4
270

Featured

See All Featured
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.6k
Building a Scalable Design System with Sketch
Avatar for Laura Van Doore lauravandoore
463
34k
Ten Tips & Tricks for a 🌱 transition
Avatar for Manu Carrasco Molina stuffmc
0
65
Gemini Prompt Engineering: Practical Techniques for Tangible AI Outcomes
Avatar for Mfonobong Umondia mfonobong
2
280
Paper Plane (Part 1)
Avatar for Katie Cordina Lindsey katiecoart
PRO
0
4k
B2B Lead Gen: Tactics, Traps & Triumph
Avatar for Sophie Logan marketingsoph
0
53
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
13
1.1k
Heart Work Chapter 1 - Part 1
Avatar for Lake Fama lfama
PRO
5
35k
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
45
8.6k
Exploring the relationship between traditional SERPs and Gen AI search
Avatar for Ray Grieselhuber raygrieselhuber
PRO
2
3.6k
A better future with KSS
Avatar for Kyle Neath kneath
240
18k
JAMstack: Web Apps at Ludicrous Speed - All Things Open 2022
Avatar for David Neal reverentgeek
1
320

Transcript

  1. Copyright © 2022 HashiCorp Secure Your Secrets in GitOps May

    19, 2021 Rosemary Wang Developer Advocate at HashiCorp she/her @joatmon08 1

  2. Works, but not ideal. Use SOPS to encrypt and store

    in version control. 1 2 3 fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-hashicorp-vault SOPS 2. Commit encrypted secret to version control. 1. Use encryption key from Vault to encrypt secret. 2

  3. What happens when you accidentally commit a plaintext secret? 3

  4. 1. Regret 2. Revoke 3. Rotate 4. Reference 5. Replace

    6. Re-run Plan R AKA Remediation 4

  5. Is there a better way? 5

  6. Kubernetes Secret Plaintext 😨 Needs role-based access controls 🤔 Secrets

    Manager Securely stores secrets (Some) Rotate secrets for you Audits access Securing Secrets Credentials, Tokens, Keys, Certificates 6

  7. Secrets Manager + Kubernetes Use file-based secrets injection with Secrets

    Store CSI Driver. 1 2 3 secrets-store-csi-driver.sigs.k8s.io/ vaultproject.io/docs/platform/k8s/csi @joatmon08 7

  8. If you still need Kubernetes secrets… Sync as Kubernetes Secret

    with Secrets Store CSI Driver. 1 2 3 8

  9. github.com/ joatmon08/ hashicorp-vault-flux 9

  10. 1. hashicorp.com/blog/manage-kubernetes-secrets- for-flux-with-hashicorp-vault 2. fluxcd.io/docs/guides/mozilla-sops/#encrypting-s ecrets-using-hashicorp-vault 3. secrets-store-csi-driver.sigs.k8s.io/ 4. vaultproject.io/docs/platform/k8s/csi

    5. vaultproject.io/docs/platform/k8s/injector Resources 10

  11. Copyright © 2022 HashiCorp Thank you! May 19, 2021 Rosemary

    Wang @joatmon08 joatmon08.github.io 11