Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure Your Secrets in GitOps
Search
Rosemary Wang
May 19, 2022
Programming
1
110
Secure Your Secrets in GitOps
Learn how to inject secrets into your applications with Flux, a GitOps tool on Kubernetes.
Rosemary Wang
May 19, 2022
Tweet
Share
More Decks by Rosemary Wang
See All by Rosemary Wang
Build for massive scale & security with the HashiCorp Cloud Platform
joatmon08
0
45
People, process, and technology for ILM and SLM adoption
joatmon08
0
29
Secure Day 2 operations with Boundary and Vault
joatmon08
0
50
Can You Test Your Infrastructure as Code?
joatmon08
1
94
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
49
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
66
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
71
Break Glass, Repair Fast, Reconcile Automation
joatmon08
1
60
Building a Developer Platform? Ask these questions.
joatmon08
0
71
Other Decks in Programming
See All in Programming
パッケージ設計の黒魔術/Kyoto.go#63
lufia
2
350
Jakarta EE Core Profile and Helidon - Speed, Simplicity, and AI Integration
ivargrimstad
0
250
パスタの技術
yusukebe
1
540
DockerからECSへ 〜 AWSの海に出る前に知っておきたいこと 〜
ota1022
5
1.8k
Flutter로 Gemini와 MCP를 활용한 Agentic App 만들기 - 박제창 2025 I/O Extended Seoul
itsmedreamwalker
0
160
Oracle Database Technology Night 92 Database Connection control FAN-AC
oracle4engineer
PRO
1
310
🔨 小さなビルドシステムを作る
momeemt
2
610
物語を動かす行動"量" #エンジニアニメ
konifar
14
5.6k
オープンセミナー2025@広島「君はどこで動かすか?」アンケート結果
satoshi256kbyte
0
220
FindyにおけるTakumi活用と脆弱性管理のこれから
rvirus0817
0
200
WebAssemblyインタプリタを書く ~Component Modelを添えて~
ruccho
1
940
MCPで実現するAIエージェント駆動のNext.jsアプリデバッグ手法
nyatinte
7
980
Featured
See All Featured
Imperfection Machines: The Place of Print at Facebook
scottboms
268
13k
Site-Speed That Sticks
csswizardry
10
800
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
185
54k
Music & Morning Musume
bryan
46
6.8k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4k
Building an army of robots
kneath
306
46k
Fireside Chat
paigeccino
39
3.6k
[RailsConf 2023] Rails as a piece of cake
palkan
56
5.8k
Navigating Team Friction
lara
189
15k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
3k
The Art of Programming - Codeland 2020
erikaheidi
55
13k
A Tale of Four Properties
chriscoyier
160
23k
Transcript
Copyright © 2022 HashiCorp Secure Your Secrets in GitOps May
19, 2021 Rosemary Wang Developer Advocate at HashiCorp she/her @joatmon08 1
Works, but not ideal. Use SOPS to encrypt and store
in version control. 1 2 3 fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-hashicorp-vault SOPS 2. Commit encrypted secret to version control. 1. Use encryption key from Vault to encrypt secret. 2
What happens when you accidentally commit a plaintext secret? 3
1. Regret 2. Revoke 3. Rotate 4. Reference 5. Replace
6. Re-run Plan R AKA Remediation 4
Is there a better way? 5
Kubernetes Secret Plaintext 😨 Needs role-based access controls 🤔 Secrets
Manager Securely stores secrets (Some) Rotate secrets for you Audits access Securing Secrets Credentials, Tokens, Keys, Certificates 6
Secrets Manager + Kubernetes Use file-based secrets injection with Secrets
Store CSI Driver. 1 2 3 secrets-store-csi-driver.sigs.k8s.io/ vaultproject.io/docs/platform/k8s/csi @joatmon08 7
If you still need Kubernetes secrets… Sync as Kubernetes Secret
with Secrets Store CSI Driver. 1 2 3 8
github.com/ joatmon08/ hashicorp-vault-flux 9
1. hashicorp.com/blog/manage-kubernetes-secrets- for-flux-with-hashicorp-vault 2. fluxcd.io/docs/guides/mozilla-sops/#encrypting-s ecrets-using-hashicorp-vault 3. secrets-store-csi-driver.sigs.k8s.io/ 4. vaultproject.io/docs/platform/k8s/csi
5. vaultproject.io/docs/platform/k8s/injector Resources 10
Copyright © 2022 HashiCorp Thank you! May 19, 2021 Rosemary
Wang @joatmon08 joatmon08.github.io 11