Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure Your Secrets in GitOps
Search
Rosemary Wang
May 19, 2022
Programming
1
70
Secure Your Secrets in GitOps
Learn how to inject secrets into your applications with Flux, a GitOps tool on Kubernetes.
Rosemary Wang
May 19, 2022
Tweet
Share
More Decks by Rosemary Wang
See All by Rosemary Wang
Secure Day 2 operations with Boundary and Vault
joatmon08
0
11
Can You Test Your Infrastructure as Code?
joatmon08
1
42
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
20
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
23
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
27
Break Glass, Repair Fast, Reconcile Automation
joatmon08
2
36
Building a Developer Platform? Ask these questions.
joatmon08
0
22
From Cloud-Hosted to Cloud-Native
joatmon08
0
49
Refactoring Applications for Dynamic Secrets
joatmon08
1
35
Other Decks in Programming
See All in Programming
Composing an API the *right* way (Droidcon New York 2024)
zsmb
2
140
A New Era of Testing
mannodermaus
2
520
LangChainの現在とv0.3にむけて
os1ma
4
940
rbs-inlineを導入してYARDからRBSに移行する
euglena1215
1
290
LangChainでWebサイトの内容取得やGitHubソースコード取得
shukob
0
160
2024 컴포즈 정원사
jisungbin
0
150
Desafios e Lições Aprendidas na Migração de Monólitos para Microsserviços em Java
jessilyneh
2
150
はじめてみよう量子プログラミング
itokoichi01
0
220
【TID2024】模擬講義:プログラマと一緒にゲームをデザインしてみよう!
akatsukigames_tech
0
670
Swiftコードバトル必勝法
toshi0383
0
170
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
0
120
The Sequel to a Dream of Ruby Parser's Grammar
ydah
1
220
Featured
See All Featured
The World Runs on Bad Software
bkeepers
PRO
64
11k
Teambox: Starting and Learning
jrom
131
8.7k
Pencils Down: Stop Designing & Start Developing
hursman
119
11k
From Idea to $5000 a Month in 5 Months
shpigford
379
46k
Optimising Largest Contentful Paint
csswizardry
31
2.8k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
225
22k
Agile that works and the tools we love
rasmusluckow
327
20k
Clear Off the Table
cherdarchuk
91
320k
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.1k
Mobile First: as difficult as doing things right
swwweet
221
8.8k
It's Worth the Effort
3n
182
27k
Facilitating Awesome Meetings
lara
49
6k
Transcript
Copyright © 2022 HashiCorp Secure Your Secrets in GitOps May
19, 2021 Rosemary Wang Developer Advocate at HashiCorp she/her @joatmon08 1
Works, but not ideal. Use SOPS to encrypt and store
in version control. 1 2 3 fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-hashicorp-vault SOPS 2. Commit encrypted secret to version control. 1. Use encryption key from Vault to encrypt secret. 2
What happens when you accidentally commit a plaintext secret? 3
1. Regret 2. Revoke 3. Rotate 4. Reference 5. Replace
6. Re-run Plan R AKA Remediation 4
Is there a better way? 5
Kubernetes Secret Plaintext 😨 Needs role-based access controls 🤔 Secrets
Manager Securely stores secrets (Some) Rotate secrets for you Audits access Securing Secrets Credentials, Tokens, Keys, Certificates 6
Secrets Manager + Kubernetes Use file-based secrets injection with Secrets
Store CSI Driver. 1 2 3 secrets-store-csi-driver.sigs.k8s.io/ vaultproject.io/docs/platform/k8s/csi @joatmon08 7
If you still need Kubernetes secrets… Sync as Kubernetes Secret
with Secrets Store CSI Driver. 1 2 3 8
github.com/ joatmon08/ hashicorp-vault-flux 9
1. hashicorp.com/blog/manage-kubernetes-secrets- for-flux-with-hashicorp-vault 2. fluxcd.io/docs/guides/mozilla-sops/#encrypting-s ecrets-using-hashicorp-vault 3. secrets-store-csi-driver.sigs.k8s.io/ 4. vaultproject.io/docs/platform/k8s/csi
5. vaultproject.io/docs/platform/k8s/injector Resources 10
Copyright © 2022 HashiCorp Thank you! May 19, 2021 Rosemary
Wang @joatmon08 joatmon08.github.io 11