Secure Your Secrets in GitOps

Slide 1

Slide 1 text

Slide 2

Slide 2 text

Works, but not ideal. Use SOPS to encrypt and store in version control. 1 2 3 fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-hashicorp-vault SOPS 2. Commit encrypted secret to version control. 1. Use encryption key from Vault to encrypt secret. 2

Slide 3

Slide 3 text

What happens when you accidentally commit a plaintext secret? 3

Slide 4

Slide 4 text

1. Regret 2. Revoke 3. Rotate 4. Reference 5. Replace 6. Re-run Plan R AKA Remediation 4

Slide 5

Slide 5 text

Is there a better way? 5

Slide 6

Slide 6 text

Kubernetes Secret Plaintext 😨 Needs role-based access controls 🤔 Secrets Manager Securely stores secrets (Some) Rotate secrets for you Audits access Securing Secrets Credentials, Tokens, Keys, Certiﬁcates 6

Slide 7

Slide 7 text

Secrets Manager + Kubernetes Use ﬁle-based secrets injection with Secrets Store CSI Driver. 1 2 3 secrets-store-csi-driver.sigs.k8s.io/ vaultproject.io/docs/platform/k8s/csi @joatmon08 7

Slide 8

Slide 8 text

If you still need Kubernetes secrets… Sync as Kubernetes Secret with Secrets Store CSI Driver. 1 2 3 8

Slide 9

Slide 9 text

github.com/ joatmon08/ hashicorp-vault-ﬂux 9

Slide 10

Slide 10 text

1. hashicorp.com/blog/manage-kubernetes-secrets- for-ﬂux-with-hashicorp-vault 2. ﬂuxcd.io/docs/guides/mozilla-sops/#encrypting-s ecrets-using-hashicorp-vault 3. secrets-store-csi-driver.sigs.k8s.io/ 4. vaultproject.io/docs/platform/k8s/csi 5. vaultproject.io/docs/platform/k8s/injector Resources 10