Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure Your Secrets in GitOps

Be8b596c46f4c9a1aec6a7586af33134?s=47 Rosemary Wang
May 19, 2022
Programming
0
9

Secure Your Secrets in GitOps

Learn how to inject secrets into your applications with Flux, a GitOps tool on Kubernetes.

Be8b596c46f4c9a1aec6a7586af33134?s=128

Rosemary Wang

May 19, 2022
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
Lessons Learned from Scaling Infrastructure as Code
Be8b596c46f4c9a1aec6a7586af33134?s=48 joatmon08
0
820
Secure Together: Consul + Vault
Be8b596c46f4c9a1aec6a7586af33134?s=48 joatmon08
0
19
Let’s Secure a CI/CD Pipeline
Be8b596c46f4c9a1aec6a7586af33134?s=48 joatmon08
0
29
A Practical Introduction to Minimum Secure Products
Be8b596c46f4c9a1aec6a7586af33134?s=48 joatmon08
2
51
A Developer's Introduction to Service Mesh
Be8b596c46f4c9a1aec6a7586af33134?s=48 joatmon08
1
2k
Security vs. Delivery: Win with Dependency Inversion
Be8b596c46f4c9a1aec6a7586af33134?s=48 joatmon08
1
560
Security Tests for Security Groups, Shifted Left
Be8b596c46f4c9a1aec6a7586af33134?s=48 joatmon08
0
61
KubeCon NA 2021 Technical Demo: Consul Service Mesh with .NET and Java on Kubernetes
Be8b596c46f4c9a1aec6a7586af33134?s=48 joatmon08
0
28
Secrets Management for Development & Operations
Be8b596c46f4c9a1aec6a7586af33134?s=48 joatmon08
0
100

Other Decks in Programming

See All in Programming
実践 SpiceDB - クライドネイティブ時代をサバイブできるパーミッション管理の実装を目指して / Practical SpiceDB
B1bddcb899ec3060fe9913f3cb70dbb6?s=48 lmt_swallow
0
130
回帰分析ではlm()ではなくestimatr::lm_robust()を使おう / TokyoR100
7a0892afffbcbd35fd84d46508b3a914?s=48 dropout009
0
4.5k
Atomic Design とテストの○○な話
Fd3e212c7b5255c6164d7d52bfe79dfb?s=48 takfjp
2
800
Getting Started With Data Structures
Fbe54abf4094d19f1548783d072a7fa7?s=48 adoranwodo
1
260
WindowsコンテナDojo: 第4回 Red Hat OpenShift Localを使ってみよう
E5eb221d34d4ffbe973f8542b4c3a00e?s=48 oniak3ibm
PRO
0
180
How GitHub Supports Vim License Detection, The Five Years Journey
C4ce16f549c450f4759eb37f5d5d1a63?s=48 othree
1
350
Computer Vision Seminar 1/コンピュータビジョンセミナーvol.1 OpenCV活用
Bbf28bf908ac83e5b85b52a675641641?s=48 fixstars
0
160
段階的な技術的負債の解消方法.pdf
41e5cd2b99a8e7c84f91a8137c8be3ed?s=48 ko2ic
2
910
ちょっとつよい足トラ
6a661bb5871208cad64912223bb0c637?s=48 logilabo
0
380
2022年のモダンCSS改
Ffb0af5bf5cb5a0b728ed94418a096f5?s=48 tonkotsuboy_com
24
16k
それ全部エラーメッセージに書いてあるよ!〜独学でPHPプログラミングが上達するたった一つの方法〜
B793da271a45d149b52f507bca9f137c?s=48 77web
1
150
RustのWebフレームワーク周りの概観
E42cffccdc14c60a449caac8de0ce0e0?s=48 hayao
0
180

Featured

See All Featured
Writing Fast Ruby
1f74b13f1e5c6c69cb5d7fbaabb1e2cb?s=48 sferik
612
57k
Building Better People: How to give real-time feedback that sticks.
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
344
17k
The Mythical Team-Month
E6c6e133e74c3b83f04d2861deaa1c20?s=48 searls
210
39k
YesSQL, Process and Tooling at Scale
D09fad3e36ae6841f54820be0e907f7a?s=48 rocio
157
12k
Adopting Sorbet at Scale
2bb923c57a1fdc3a2eb484bb8d565fd2?s=48 ufuk
63
7.6k
Designing on Purpose - Digital PM Summit 2013
7653c7c449918ff6542880a8c284f5e7?s=48 jponch
106
5.7k
Web Components: a chance to create the future
E190023b66e2b8aa73a842b106920c93?s=48 zenorocha
303
40k
StorybookのUI Testing Handbookを読んだ
50fc0fdc2327ecbe7350645812de52e3?s=48 zakiyama
6
2.5k
Building a Scalable Design System with Sketch
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
448
30k
Unsuck your backbone
B83d5b590577969ee79a5ad845411a7d?s=48 ammeep
659
55k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Fd55de4174accaf3b4f030e43a8a70c6?s=48 marcduiker
6
560
What's in a price? How to price your products and services
Dad095ea7038f89f760419ce475d5d14?s=48 michaelherold
229
9.4k

Transcript

  1. Copyright © 2022 HashiCorp Secure Your Secrets in GitOps May

    19, 2021 Rosemary Wang Developer Advocate at HashiCorp she/her @joatmon08 1

  2. Works, but not ideal. Use SOPS to encrypt and store

    in version control. 1 2 3 fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-hashicorp-vault SOPS 2. Commit encrypted secret to version control. 1. Use encryption key from Vault to encrypt secret. 2

  3. What happens when you accidentally commit a plaintext secret? 3

  4. 1. Regret 2. Revoke 3. Rotate 4. Reference 5. Replace

    6. Re-run Plan R AKA Remediation 4

  5. Is there a better way? 5

  6. Kubernetes Secret Plaintext 😨 Needs role-based access controls 🤔 Secrets

    Manager Securely stores secrets (Some) Rotate secrets for you Audits access Securing Secrets Credentials, Tokens, Keys, Certificates 6

  7. Secrets Manager + Kubernetes Use file-based secrets injection with Secrets

    Store CSI Driver. 1 2 3 secrets-store-csi-driver.sigs.k8s.io/ vaultproject.io/docs/platform/k8s/csi @joatmon08 7

  8. If you still need Kubernetes secrets… Sync as Kubernetes Secret

    with Secrets Store CSI Driver. 1 2 3 8

  9. github.com/ joatmon08/ hashicorp-vault-flux 9

  10. 1. hashicorp.com/blog/manage-kubernetes-secrets- for-flux-with-hashicorp-vault 2. fluxcd.io/docs/guides/mozilla-sops/#encrypting-s ecrets-using-hashicorp-vault 3. secrets-store-csi-driver.sigs.k8s.io/ 4. vaultproject.io/docs/platform/k8s/csi

    5. vaultproject.io/docs/platform/k8s/injector Resources 10

  11. Copyright © 2022 HashiCorp Thank you! May 19, 2021 Rosemary

    Wang @joatmon08 joatmon08.github.io 11