Secure Your Secrets in GitOps
Rosemary Wang
May 19, 2022
Learn how to inject secrets into your applications with Flux, a GitOps tool on Kubernetes.
Transcript
Slide 1: Copyright © 2022 HashiCorp. Secure Your Secrets in GitOps. May 19, 2021. Rosemary Wang, Developer Advocate at HashiCorp, she/her, @joatmon08

Slide 2: Works, but not ideal. Use SOPS to encrypt and store in version control.
1. Use encryption key from Vault to encrypt secret.
2. Commit encrypted secret to version control.
fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-hashicorp-vault
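The two steps on slide 2, written out as an added example (mine, not the deck's and not the contents of the joatmon08/hashicorp-vault-flux repository): a `.sops.yaml` creation rule that wraps each file's data key with a Vault transit key, the shape of a Kubernetes Secret after `sops --encrypt --in-place` has run over it, and the Flux Kustomization that decrypts it on the cluster side. The Vault address, the transit mount `sops`, the key name `flux`, the Secret name `sops-hcvault` and the `...` ciphertext placeholders are all assumptions; real sops output also carries `mac`, `lastmodified` and similar metadata that is omitted here.

```yaml
# .sops.yaml at the repository root (assumed layout). Every *.yaml file gets
# only its data/stringData values encrypted; keys, names and namespaces stay
# readable so diffs and reviews still work. The transit key never leaves Vault.
creation_rules:
  - path_regex: .*\.yaml$
    encrypted_regex: ^(data|stringData)$
    hc_vault_transit_uri: https://vault.example.com:8200/v1/sops/keys/flux
---
# apps/app-credentials.yaml after:
#   sops --encrypt --in-place apps/app-credentials.yaml
# This is what gets committed. Ciphertext is shown as "..." (constructed, not
# real sops output). The sops block records which Vault key wrapped the data key.
apiVersion: v1
kind: Secret
metadata:
  name: app-credentials
  namespace: default
type: Opaque
stringData:
  DB_PASSWORD: ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
sops:
  hc_vault:
    - vault_address: https://vault.example.com:8200
      engine_path: sops
      key_name: flux
      created_at: "2022-05-19T00:00:00Z"
      enc: vault:v1:...
  encrypted_regex: ^(data|stringData)$
  version: 3.7.3
---
# Flux Kustomization that reconciles ./apps and runs SOPS decryption first.
# The Vault token lives in a Kubernetes Secret named sops-hcvault (assumed
# name) under the key sops.vault-token, created out of band and never committed:
#   kubectl create secret generic sops-hcvault -n flux-system \
#     --from-literal=sops.vault-token=<token>
# Give that token a policy with only "update" on sops/decrypt/flux, so a leaked
# token can decrypt manifests but cannot read or rotate the transit key itself.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  interval: 10m
  path: ./apps
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-hcvault
```

Two things to keep in mind with this layout: a leaked repository now exposes only ciphertext, but the Vault token in `sops-hcvault` is itself a plaintext Kubernetes Secret, so the RBAC point on slide 6 applies to it; and encryption at rest does nothing for a secret that was already committed in plaintext, which is exactly the case slides 3 and 4 deal with.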
Slide 3: What happens when you accidentally commit a plaintext secret?

Slide 4: Plan R, AKA Remediation
1. Regret
2. Revoke
3. Rotate
4. Reference
5. Replace
6. Re-run

Slide 5: Is there a better way?

Slide 6: Securing Secrets (credentials, tokens, keys, certificates)
Kubernetes Secret: plaintext 😨; needs role-based access controls 🤔
Secrets Manager: securely stores secrets; (some) rotate secrets for you; audits access

Slide 7: Secrets Manager + Kubernetes. Use file-based secrets injection with Secrets Store CSI Driver.
secrets-store-csi-driver.sigs.k8s.io/
vaultproject.io/docs/platform/k8s/csi

Slide 8: If you still need Kubernetes secrets… Sync as Kubernetes Secret with Secrets Store CSI Driver.
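Slides 7 and 8 in one added example (mine, not the deck's and not the repository's): a SecretProviderClass for the Vault provider that mounts a database password as a file in the pod, plus the optional `secretObjects` stanza that additionally syncs the same value into a Kubernetes Secret for an application that can only read environment variables. The Vault address, the Kubernetes auth role `app`, the KV v2 path `secret/data/app/db`, the ServiceAccount `app`, the image, and the Secret name `db-creds` are assumptions.

```yaml
# SecretProviderClass: tells the Secrets Store CSI Driver to fetch the value
# from Vault using the pod's ServiceAccount token (Vault Kubernetes auth role
# "app" must be bound to that ServiceAccount, configured out of band).
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: vault-db-creds
  namespace: default
spec:
  provider: vault
  parameters:
    vaultAddress: "https://vault.example.com:8200"
    roleName: "app"
    objects: |
      - objectName: "db-password"          # becomes the file name under the mount
        secretPath: "secret/data/app/db"   # KV v2 path (note the /data/ segment)
        secretKey: "password"
  # Slide 8: only add this block if the app really needs a Kubernetes Secret.
  # The driver creates/deletes the Secret as pods mount/unmount the volume,
  # and the value is then back in etcd in plaintext, so RBAC on it matters.
  secretObjects:
    - secretName: db-creds
      type: Opaque
      data:
        - objectName: db-password
          key: password
---
# Pod: the CSI volume delivers /mnt/secrets/db-password as a file (slide 7).
# The env var is the slide 8 path and only works when secretObjects is set
# above and the driver was installed with syncSecret.enabled=true.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: default
spec:
  serviceAccountName: app
  containers:
    - name: app
      image: example.com/app:1.0.0   # assumed image
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets
          readOnly: true
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-creds
              key: password
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: vault-db-creds
```

Prefer the file mount where the application can read it: nothing is written to etcd, and with the driver's rotation feature enabled the file is refreshed in place when Vault rotates the value, whereas an environment variable is fixed for the life of the process. The synced Secret exists only while a pod that mounts the volume is running, so a `kubectl get secret db-creds` that returns nothing on an idle namespace is expected, not a failure.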
Slide 9: github.com/joatmon08/hashicorp-vault-flux

Slide 10: Resources
1. hashicorp.com/blog/manage-kubernetes-secrets-for-flux-with-hashicorp-vault
2. fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-hashicorp-vault
3. secrets-store-csi-driver.sigs.k8s.io/
4. vaultproject.io/docs/platform/k8s/csi
5. vaultproject.io/docs/platform/k8s/injector

Slide 11: Thank you! Rosemary Wang, @joatmon08, joatmon08.github.io