Secure Your Secrets in GitOps
Rosemary Wang
May 19, 2022
Programming
Learn how to inject secrets into your applications with Flux, a GitOps tool on Kubernetes.
Transcript
Slide 1. Copyright © 2022 HashiCorp. Secure Your Secrets in GitOps. May 19, 2021. Rosemary Wang, Developer Advocate at HashiCorp, she/her, @joatmon08

Slide 2. Works, but not ideal: use SOPS to encrypt secrets and store them in version control.
1. Use an encryption key from Vault to encrypt the secret.
2. Commit the encrypted secret to version control.
Reference: fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-hashicorp-vault
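The SOPS-with-Vault flow from slide 2, written out as an added example; this is not code from the deck or from the linked demo repo. The Vault address `vault.example.com:8200`, the transit key `sops/keys/flux`, the `webapp` namespace and the Flux Kustomization name are assumptions. The key points it shows: `encrypted_regex` leaves `metadata` readable so Flux and reviewers can still see which Secret is which, and the kustomize-controller needs a Vault token (in the `sops-hcvault` Secret, key `sops.vault-token`) to call the transit decrypt endpoint on every reconcile.

```yaml
# .sops.yaml at the repository root (added example). The Vault address and
# transit key name are assumptions; create the key with
#   vault secrets enable -path=sops transit
#   vault write sops/keys/flux type=rsa-4096
# Only the data/stringData values are encrypted, so metadata stays readable.
creation_rules:
  - path_regex: .*\.yaml$
    encrypted_regex: ^(data|stringData)$
    hc_vault_transit_uri: https://vault.example.com:8200/v1/sops/keys/flux

---
# apps/webapp/db-secret.yaml BEFORE running
#   sops --encrypt --in-place apps/webapp/db-secret.yaml
# Never commit this form. The committed copy carries ENC[...] values under
# stringData and a trailing `sops:` metadata block that records the transit
# key URI; the password here is a constructed placeholder.
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
  namespace: webapp
type: Opaque
stringData:
  password: PLACEHOLDER-replace-before-committing

---
# Flux Kustomization that decrypts on reconcile. The referenced Secret holds
# a Vault token under the key sops.vault-token, for example:
#   kubectl -n flux-system create secret generic sops-hcvault \
#     --from-literal=sops.vault-token="$VAULT_TOKEN"
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: webapp
  namespace: flux-system
spec:
  interval: 10m
  path: ./apps/webapp
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-hcvault
```

Two checks worth making before adopting this: the token in `sops-hcvault` should be minted from a policy that grants only `update` on `sops/decrypt/flux` (not `sops/encrypt/*` or the key itself), and it is still a long-lived static credential sitting in a Kubernetes Secret. That last point is the deck's "works, but not ideal": the encryption key moved to Vault, but the cluster now holds a token that can decrypt everything in the repo, and it must be rotated like any other secret.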
Slide 3. What happens when you accidentally commit a plaintext secret?

Slide 4. Plan R, AKA remediation:
1. Regret
2. Revoke
3. Rotate
4. Reference
5. Replace
6. Re-run

Slide 5. Is there a better way?

Slide 6. Securing secrets: credentials, tokens, keys, certificates.
Kubernetes Secret: plaintext (base64-encoded, not encrypted) 😨; needs role-based access controls 🤔
Secrets manager: securely stores secrets; (some) rotate secrets for you; audits access

Slide 7. Secrets manager + Kubernetes: use file-based secrets injection with the Secrets Store CSI Driver.
References: secrets-store-csi-driver.sigs.k8s.io/, vaultproject.io/docs/platform/k8s/csi

Slide 8. If you still need Kubernetes Secrets, sync them as a Kubernetes Secret with the Secrets Store CSI Driver.
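An added example, not from the deck or the linked demo repo, covering slide 7 (file-based injection through the Secrets Store CSI Driver with the Vault provider) and slide 8 (optionally syncing the same value into a Kubernetes Secret). It is also what the Reference and Replace steps of slide 4 look like in a manifest: the repository holds only a pointer to Vault, no secret material. Assumptions: Vault is reachable in-cluster at `http://vault.vault.svc:8200`, Kubernetes auth is enabled at the default `kubernetes` mount, the Vault role `webapp` is bound to the `webapp` service account in the `webapp` namespace, a KV v2 secret exists at `secret/data/webapp/db` with a `password` field, and the container image is a placeholder.

```yaml
# SecretProviderClass for the Vault provider of the Secrets Store CSI Driver
# (added example). Address, role, paths and namespace are assumptions.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: vault-webapp-db
  namespace: webapp
spec:
  provider: vault
  parameters:
    vaultAddress: "http://vault.vault.svc:8200"
    roleName: "webapp"
    objects: |
      - objectName: "db-password"
        secretPath: "secret/data/webapp/db"
        secretKey: "password"
  # Slide 8: include secretObjects only for workloads that cannot read a file.
  # The driver creates the Kubernetes Secret when a pod mounts the volume and
  # removes it when the last such pod goes away.
  secretObjects:
    - secretName: db-creds
      type: Opaque
      data:
        - objectName: db-password
          key: password
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
  namespace: webapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webapp
  template:
    metadata:
      labels:
        app: webapp
    spec:
      serviceAccountName: webapp   # the identity Vault's "webapp" role is bound to
      containers:
        - name: webapp
          image: ghcr.io/example/webapp:1.0.0   # placeholder image
          # Slide 7: file-based injection. The app reads
          # /mnt/secrets-store/db-password; nothing is written to etcd.
          volumeMounts:
            - name: vault-secrets
              mountPath: /mnt/secrets-store
              readOnly: true
          # Slide 8: environment variable sourced from the synced Secret.
          # Drop this block (and secretObjects above) if the app can read files.
          env:
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db-creds
                  key: password
      volumes:
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: vault-webapp-db
```

Caveats a practitioner should check: the synced `db-creds` Secret brings back exactly the problems from slide 6 (base64 in etcd, RBAC to restrict who can read it), so treat `secretObjects` as the exception rather than the default. Rotation behaves differently for the two paths: with the driver's secret rotation enabled, the mounted file is rewritten when the value changes in Vault, but an environment variable is fixed at container start and only picks up the new value after a pod restart. Finally, verify that the Vault policy attached to the `webapp` role grants `read` on `secret/data/webapp/db` only, since the CSI provider authenticates as the pod's service account and any broader policy is reachable from that pod.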
Slide 9. Demo: github.com/joatmon08/hashicorp-vault-flux

Slide 10. Resources
1. hashicorp.com/blog/manage-kubernetes-secrets-for-flux-with-hashicorp-vault
2. fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-hashicorp-vault
3. secrets-store-csi-driver.sigs.k8s.io/
4. vaultproject.io/docs/platform/k8s/csi
5. vaultproject.io/docs/platform/k8s/injector

Slide 11. Thank you! Rosemary Wang, @joatmon08, joatmon08.github.io