Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure Your Secrets in GitOps
Search
Rosemary Wang
May 19, 2022
Programming
1
90
Secure Your Secrets in GitOps
Learn how to inject secrets into your applications with Flux, a GitOps tool on Kubernetes.
Rosemary Wang
May 19, 2022
Tweet
Share
More Decks by Rosemary Wang
See All by Rosemary Wang
Build for massive scale & security with the HashiCorp Cloud Platform
joatmon08
0
20
People, process, and technology for ILM and SLM adoption
joatmon08
0
11
Secure Day 2 operations with Boundary and Vault
joatmon08
0
33
Can You Test Your Infrastructure as Code?
joatmon08
1
65
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
37
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
46
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
49
Break Glass, Repair Fast, Reconcile Automation
joatmon08
2
46
Building a Developer Platform? Ask these questions.
joatmon08
0
45
Other Decks in Programming
See All in Programming
Jakarta EE meets AI
ivargrimstad
0
330
もう少しテストを書きたいんじゃ〜 #phpstudy
o0h
PRO
17
3.9k
ナレッジイネイブリングにAIを活用してみる ゆるSRE勉強会 #9
nealle
0
160
Formの複雑さに立ち向かう
bmthd
1
930
2025.2.14_Developers Summit 2025_登壇資料
0101unite
0
190
DRFを少しずつ オニオンアーキテクチャに寄せていく DjangoCongress JP 2025
nealle
2
270
Ça bouge du côté des animations CSS !
goetter
2
150
一休.com のログイン体験を支える技術 〜Web Components x Vue.js 活用事例と最適化について〜
atsumim
0
950
クリーンアーキテクチャから見る依存の向きの大切さ
shimabox
5
1k
お前もAI鬼にならないか?👹Bolt & Cursor & Supabase & Vercelで人間をやめるぞ、ジョジョー!👺
taishiyade
7
4.2k
なぜイベント駆動が必要なのか - CQRS/ESで解く複雑系システムの課題 -
j5ik2o
14
4.6k
Rubyと自由とAIと
yotii23
6
1.7k
Featured
See All Featured
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
133
33k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
30
2.2k
A Tale of Four Properties
chriscoyier
158
23k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
32
2.1k
Java REST API Framework Comparison - PWX 2021
mraible
29
8.4k
Site-Speed That Sticks
csswizardry
4
410
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
129
19k
YesSQL, Process and Tooling at Scale
rocio
172
14k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
4
430
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
Statistics for Hackers
jakevdp
797
220k
Transcript
Copyright © 2022 HashiCorp Secure Your Secrets in GitOps May
19, 2021 Rosemary Wang Developer Advocate at HashiCorp she/her @joatmon08 1
Works, but not ideal. Use SOPS to encrypt and store
in version control. 1 2 3 fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-hashicorp-vault SOPS 2. Commit encrypted secret to version control. 1. Use encryption key from Vault to encrypt secret. 2
What happens when you accidentally commit a plaintext secret? 3
1. Regret 2. Revoke 3. Rotate 4. Reference 5. Replace
6. Re-run Plan R AKA Remediation 4
Is there a better way? 5
Kubernetes Secret Plaintext 😨 Needs role-based access controls 🤔 Secrets
Manager Securely stores secrets (Some) Rotate secrets for you Audits access Securing Secrets Credentials, Tokens, Keys, Certificates 6
Secrets Manager + Kubernetes Use file-based secrets injection with Secrets
Store CSI Driver. 1 2 3 secrets-store-csi-driver.sigs.k8s.io/ vaultproject.io/docs/platform/k8s/csi @joatmon08 7
If you still need Kubernetes secrets… Sync as Kubernetes Secret
with Secrets Store CSI Driver. 1 2 3 8
github.com/ joatmon08/ hashicorp-vault-flux 9
1. hashicorp.com/blog/manage-kubernetes-secrets- for-flux-with-hashicorp-vault 2. fluxcd.io/docs/guides/mozilla-sops/#encrypting-s ecrets-using-hashicorp-vault 3. secrets-store-csi-driver.sigs.k8s.io/ 4. vaultproject.io/docs/platform/k8s/csi
5. vaultproject.io/docs/platform/k8s/injector Resources 10
Copyright © 2022 HashiCorp Thank you! May 19, 2021 Rosemary
Wang @joatmon08 joatmon08.github.io 11