Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure Your Secrets in GitOps
Search
Rosemary Wang
May 19, 2022
Programming
1
110
Secure Your Secrets in GitOps
Learn how to inject secrets into your applications with Flux, a GitOps tool on Kubernetes.
Rosemary Wang
May 19, 2022
Tweet
Share
More Decks by Rosemary Wang
See All by Rosemary Wang
Build for massive scale & security with the HashiCorp Cloud Platform
joatmon08
0
46
People, process, and technology for ILM and SLM adoption
joatmon08
0
37
Secure Day 2 operations with Boundary and Vault
joatmon08
0
51
Can You Test Your Infrastructure as Code?
joatmon08
1
98
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
50
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
68
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
73
Break Glass, Repair Fast, Reconcile Automation
joatmon08
1
61
Building a Developer Platform? Ask these questions.
joatmon08
0
73
Other Decks in Programming
See All in Programming
速いWebフレームワークを作る
yusukebe
5
1.7k
ファインディ株式会社におけるMCP活用とサービス開発
starfish719
0
1.9k
デザイナーが Androidエンジニアに 挑戦してみた
874wokiite
0
540
Reading Rails 1.0 Source Code
okuramasafumi
0
250
Zendeskのチケットを Amazon Bedrockで 解析した
ryokosuge
3
310
チームのテスト力を鍛える
goyoki
3
720
MCPとデザインシステムに立脚したデザインと実装の融合
yukukotani
4
1.4k
意外と簡単!?フロントエンドでパスキー認証を実現する WebAuthn
teamlab
PRO
2
770
AIでLINEスタンプを作ってみた
eycjur
1
230
為你自己學 Python - 冷知識篇
eddie
1
350
How Android Uses Data Structures Behind The Scenes
l2hyunwoo
0
480
JSONataを使ってみよう Step Functionsが楽しくなる実践テクニック #devio2025
dafujii
1
590
Featured
See All Featured
Automating Front-end Workflow
addyosmani
1370
200k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
49
3k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
Large-scale JavaScript Application Architecture
addyosmani
513
110k
A better future with KSS
kneath
239
17k
Stop Working from a Prison Cell
hatefulcrawdad
271
21k
How GitHub (no longer) Works
holman
315
140k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
30
9.7k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
Rails Girls Zürich Keynote
gr2m
95
14k
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.7k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.4k
Transcript
Copyright © 2022 HashiCorp Secure Your Secrets in GitOps May
19, 2021 Rosemary Wang Developer Advocate at HashiCorp she/her @joatmon08 1
Works, but not ideal. Use SOPS to encrypt and store
in version control. 1 2 3 fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-hashicorp-vault SOPS 2. Commit encrypted secret to version control. 1. Use encryption key from Vault to encrypt secret. 2
What happens when you accidentally commit a plaintext secret? 3
1. Regret 2. Revoke 3. Rotate 4. Reference 5. Replace
6. Re-run Plan R AKA Remediation 4
Is there a better way? 5
Kubernetes Secret Plaintext 😨 Needs role-based access controls 🤔 Secrets
Manager Securely stores secrets (Some) Rotate secrets for you Audits access Securing Secrets Credentials, Tokens, Keys, Certificates 6
Secrets Manager + Kubernetes Use file-based secrets injection with Secrets
Store CSI Driver. 1 2 3 secrets-store-csi-driver.sigs.k8s.io/ vaultproject.io/docs/platform/k8s/csi @joatmon08 7
If you still need Kubernetes secrets… Sync as Kubernetes Secret
with Secrets Store CSI Driver. 1 2 3 8
github.com/ joatmon08/ hashicorp-vault-flux 9
1. hashicorp.com/blog/manage-kubernetes-secrets- for-flux-with-hashicorp-vault 2. fluxcd.io/docs/guides/mozilla-sops/#encrypting-s ecrets-using-hashicorp-vault 3. secrets-store-csi-driver.sigs.k8s.io/ 4. vaultproject.io/docs/platform/k8s/csi
5. vaultproject.io/docs/platform/k8s/injector Resources 10
Copyright © 2022 HashiCorp Thank you! May 19, 2021 Rosemary
Wang @joatmon08 joatmon08.github.io 11