Secure Your Secrets in GitOps
Rosemary Wang
May 19, 2022
Programming

Learn how to inject secrets into your applications with Flux, a GitOps tool on Kubernetes.
Transcript
Slide 1. Copyright © 2022 HashiCorp. Secure Your Secrets in GitOps. May 19, 2021. Rosemary Wang, Developer Advocate at HashiCorp, she/her, @joatmon08
Slide 2. Works, but not ideal: use SOPS to encrypt and store in version control.
1. Use encryption key from Vault to encrypt secret.
2. Commit encrypted secret to version control.
fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-hashicorp-vault
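The SOPS-plus-Vault flow on this slide, written out as an added example (not from the deck or from the joatmon08/hashicorp-vault-flux repository). The Vault address, the transit key name `flux`, the `apps` path and namespace, and the sample password are all assumed values; the Flux `Kustomization` apiVersion depends on your Flux release, and the `sops.vault-token` key name is the one the Flux SOPS guide documents for the decryption secret. The point the slide makes is that only ciphertext ever lands in git: the encryption key stays in Vault's transit engine, and the cluster-side token needs nothing more than decrypt on that one key.

```yaml
# --- .sops.yaml (committed) ---------------------------------------------
# Tells sops which files to encrypt and which key to use. Only the secret
# payload fields are encrypted, so metadata stays readable in code review.
creation_rules:
  - path_regex: .*\.secret\.yaml$
    encrypted_regex: ^(data|stringData)$
    # Assumed Vault address and transit key (transit engine mounted at "sops").
    hc_vault_transit_uri: "https://vault.example.internal:8200/v1/sops/keys/flux"

# --- apps/app-db.secret.yaml (committed ONLY after encryption) ----------
# Encrypt in place before the first commit:
#   export VAULT_ADDR=https://vault.example.internal:8200 VAULT_TOKEN=...
#   sops --encrypt --in-place apps/app-db.secret.yaml
# After that command the "password" value below is replaced by ciphertext
# and a "sops:" block recording the transit key is appended.
---
apiVersion: v1
kind: Secret
metadata:
  name: app-db
  namespace: apps
type: Opaque
stringData:
  password: "constructed-sample-value-replace-before-use"

# --- Vault policy for the Flux decryption token (applied out of band) ----
# HCL, shown here as a comment. Decrypt only, on the single transit key:
#   path "sops/decrypt/flux" {
#     capabilities = ["update"]
#   }

# --- flux-system/sops-hcvault (created with kubectl, never committed) ---
# kubectl -n flux-system create secret generic sops-hcvault \
#   --from-literal=sops.vault-token=<token issued under the policy above>
---
apiVersion: v1
kind: Secret
metadata:
  name: sops-hcvault
  namespace: flux-system
stringData:
  sops.vault-token: "<placeholder: token with decrypt on sops/keys/flux>"

# --- clusters/my-cluster/apps.yaml (committed) --------------------------
# Flux reconciles ./apps and decrypts any sops-encrypted manifests it finds
# there with the token from the secret above.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  interval: 10m
  path: ./apps
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-hcvault
```

Two checks worth building into the pipeline: a pre-commit or CI step that runs `sops --decrypt` against every `*.secret.yaml` would pass on plaintext files too, so instead grep for the `sops:` metadata block (or use a secret scanner) to refuse any `*.secret.yaml` that lacks it; and audit Vault's transit `decrypt` calls, since every Flux reconciliation that touches a secret shows up there.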
Slide 3. What happens when you accidentally commit a plaintext secret?
Slide 4. Plan R, a.k.a. Remediation:
1. Regret
2. Revoke
3. Rotate
4. Reference
5. Replace
6. Re-run
Slide 5. Is there a better way?
Slide 6. Securing Secrets: credentials, tokens, keys, certificates.
Kubernetes Secret: plaintext 😨; needs role-based access controls 🤔.
Secrets Manager: securely stores secrets; (some) rotate secrets for you; audits access.
Slide 7. Secrets Manager + Kubernetes: use file-based secrets injection with Secrets Store CSI Driver.
secrets-store-csi-driver.sigs.k8s.io/
vaultproject.io/docs/platform/k8s/csi
@joatmon08
Slide 8. If you still need Kubernetes secrets, sync as Kubernetes Secret with Secrets Store CSI Driver.
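Slides 7 and 8 together, as one added example (not code from the deck or the joatmon08/hashicorp-vault-flux repository): a `SecretProviderClass` for the Vault provider of the Secrets Store CSI Driver, mounted as files into a pod, with the optional `secretObjects` block that also syncs the mounted value into a Kubernetes Secret for workloads that can only read env vars. The Vault address, the Kubernetes auth role `app`, the KV path `secret/data/app/db`, the image and the namespace are assumed values.

```yaml
# SecretProviderClass: what to fetch from Vault and how to authenticate.
# The pod's ServiceAccount token is exchanged for a Vault token via the
# Kubernetes auth method role "roleName", so no Vault credential is stored
# in the cluster or in git.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-db-creds
  namespace: apps
spec:
  provider: vault
  parameters:
    vaultAddress: "http://vault.vault.svc:8200"   # assumed in-cluster Vault
    roleName: "app"          # Vault k8s auth role bound to ServiceAccount "app"
    objects: |
      - objectName: "db-password"         # becomes the file name under mountPath
        secretPath: "secret/data/app/db"  # KV v2 path (note the /data/ segment)
        secretKey: "password"
  # Slide 8: only add this if something must read the value as a Kubernetes
  # Secret. The driver creates/updates it while a pod mounts the volume and
  # deletes it when the last such pod goes away.
  secretObjects:
    - secretName: app-db-creds
      type: Opaque
      data:
        - objectName: db-password
          key: password
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app
  namespace: apps
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: apps
spec:
  replicas: 1
  selector:
    matchLabels: { app: app }
  template:
    metadata:
      labels: { app: app }
    spec:
      serviceAccountName: app
      containers:
        - name: app
          image: example.internal/app:1.0   # assumed image
          # Slide 7: the secret arrives as a file, /mnt/secrets/db-password.
          volumeMounts:
            - name: secrets-store
              mountPath: /mnt/secrets
              readOnly: true
          # Slide 8: the same value via the synced Kubernetes Secret. This
          # env var is only resolvable because the pod also mounts the CSI
          # volume below; remove the mount and the Secret is never created.
          env:
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: app-db-creds
                  key: password
      volumes:
        - name: secrets-store
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: app-db-creds
```

The file-only path is the one to prefer: nothing is written to etcd, and the Vault policy attached to role `app` limits the pod to reading `secret/data/app/db`. Once you opt into `secretObjects`, the value is back in a Kubernetes Secret and the slide 6 caveat applies again, so RBAC on `secrets` in the `apps` namespace has to be tightened to match.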
Slide 9. github.com/joatmon08/hashicorp-vault-flux
Slide 10. Resources:
1. hashicorp.com/blog/manage-kubernetes-secrets-for-flux-with-hashicorp-vault
2. fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-hashicorp-vault
3. secrets-store-csi-driver.sigs.k8s.io/
4. vaultproject.io/docs/platform/k8s/csi
5. vaultproject.io/docs/platform/k8s/injector
Slide 11. Copyright © 2022 HashiCorp. Thank you! May 19, 2021. Rosemary Wang, @joatmon08, joatmon08.github.io