Secure Your Secrets in GitOps
Rosemary Wang
May 19, 2022
Learn how to inject secrets into your applications with Flux, a GitOps tool on Kubernetes.
Transcript
Slide 1: Secure Your Secrets in GitOps. May 19, 2021. Rosemary Wang, Developer Advocate at HashiCorp, she/her, @joatmon08. Copyright © 2022 HashiCorp.

Slide 2: Works, but not ideal. Use SOPS to encrypt and store in version control.
1. Use encryption key from Vault to encrypt secret.
2. Commit encrypted secret to version control.
fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-hashicorp-vault

Slide 3: What happens when you accidentally commit a plaintext secret?

Slide 4: Plan R AKA Remediation
1. Regret
2. Revoke
3. Rotate
4. Reference
5. Replace
6. Re-run

Slide 5: Is there a better way?

Slide 6: Securing Secrets (Credentials, Tokens, Keys, Certificates)
Kubernetes Secret: Plaintext 😨. Needs role-based access controls 🤔.
Secrets Manager: Securely stores secrets. (Some) Rotate secrets for you. Audits access.

Slide 7: Secrets Manager + Kubernetes. Use file-based secrets injection with Secrets Store CSI Driver. [Diagram: steps 1 to 3]
secrets-store-csi-driver.sigs.k8s.io/
vaultproject.io/docs/platform/k8s/csi
@joatmon08

Slide 8: If you still need Kubernetes secrets… Sync as Kubernetes Secret with Secrets Store CSI Driver. [Diagram: steps 1 to 3]
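
The file-based injection from slide 7 and the optional sync from slide 8, as an added configuration example (not taken from the deck or its repository). The Vault address, role name, secret path, object names, service account and image are placeholder assumptions; it also assumes the Secrets Store CSI Driver and the Vault CSI provider are already installed.

```yaml
# Added example; every name, path and address below is a placeholder assumption.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: vault-db-creds                  # hypothetical name
  namespace: default
spec:
  provider: vault
  parameters:
    vaultAddress: "https://vault.example.internal:8200"   # placeholder address
    roleName: "my-app"                  # Vault Kubernetes auth role, assumed to exist
    objects: |
      - objectName: "db-password"       # becomes the file name under the mount path
        secretPath: "secret/data/my-app/db"   # KV v2 path, placeholder
        secretKey: "password"
  # Slide 8: optional sync into a Kubernetes Secret. The driver must be installed
  # with secret syncing enabled (Helm value syncSecret.enabled=true), and the
  # Secret only exists while at least one pod mounts the volume below.
  secretObjects:
    - secretName: my-app-db
      type: Opaque
      data:
        - objectName: db-password       # must match an objectName above
          key: password
---
apiVersion: v1
kind: Pod
metadata:
  name: my-app
  namespace: default
spec:
  serviceAccountName: my-app            # identity the pod presents to Vault
  containers:
    - name: app
      image: registry.example.com/my-app:1.0.0   # placeholder image
      volumeMounts:
        - name: vault-secrets
          mountPath: /mnt/secrets-store # secret appears as /mnt/secrets-store/db-password
          readOnly: true
  volumes:
    - name: vault-secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: vault-db-creds
```

Only these manifests are committed to Git for Flux to reconcile; the secret value stays in Vault. If `secretObjects` is used, the synced Secret is an ordinary Kubernetes Secret and needs the role-based access controls noted on slide 6.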

Slide 9: github.com/joatmon08/hashicorp-vault-flux

Slide 10: Resources
1. hashicorp.com/blog/manage-kubernetes-secrets-for-flux-with-hashicorp-vault
2. fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-hashicorp-vault
3. secrets-store-csi-driver.sigs.k8s.io/
4. vaultproject.io/docs/platform/k8s/csi
5. vaultproject.io/docs/platform/k8s/injector

Slide 11: Thank you! May 19, 2021. Rosemary Wang, @joatmon08, joatmon08.github.io. Copyright © 2022 HashiCorp.