Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure Your Secrets in GitOps
Search
Rosemary Wang
May 19, 2022
Programming
1
73
Secure Your Secrets in GitOps
Learn how to inject secrets into your applications with Flux, a GitOps tool on Kubernetes.
Rosemary Wang
May 19, 2022
Tweet
Share
More Decks by Rosemary Wang
See All by Rosemary Wang
Secure Day 2 operations with Boundary and Vault
joatmon08
0
14
Can You Test Your Infrastructure as Code?
joatmon08
1
49
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
21
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
26
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
31
Break Glass, Repair Fast, Reconcile Automation
joatmon08
2
40
Building a Developer Platform? Ask these questions.
joatmon08
0
26
From Cloud-Hosted to Cloud-Native
joatmon08
0
50
Refactoring Applications for Dynamic Secrets
joatmon08
1
37
Other Decks in Programming
See All in Programming
のびしろを広げる巻き込まれ力:偶然を活かすキャリアの作り方/oso2024
takahashiikki
1
410
Outline View in SwiftUI
1024jp
1
140
CSC509 Lecture 08
javiergs
PRO
0
110
CSC509 Lecture 09
javiergs
PRO
0
110
Importmapを使ったJavaScriptの 読み込みとブラウザアドオンの影響
swamp09
4
1.2k
僕がつくった48個のWebサービス達
yusukebe
18
17k
Sidekiqで実現する 長時間非同期処理の中断と再開 / Pausing and Resuming Long-Running Asynchronous Jobs with Sidekiq
hypermkt
6
2.7k
Identifying User Idenity
moro
6
7.9k
LLM生成文章の精度評価自動化とプロンプトチューニングの効率化について
layerx
PRO
2
140
JaSST 24 九州:ワークショップ(は除く)実践!マインドマップを活用したソフトウェアテスト+活用事例
satohiroyuki
0
260
とにかくAWS GameDay!AWSは世界の共通言語! / Anyway, AWS GameDay! AWS is the world's lingua franca!
seike460
PRO
1
550
シールドクラスをはじめよう / Getting Started with Sealed Classes
mackey0225
3
400
Featured
See All Featured
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
Fashionably flexible responsive web design (full day workshop)
malarkey
404
65k
Designing on Purpose - Digital PM Summit 2013
jponch
115
6.9k
Music & Morning Musume
bryan
46
6.1k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
Six Lessons from altMBA
skipperchong
26
3.5k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
How GitHub (no longer) Works
holman
311
140k
How STYLIGHT went responsive
nonsquared
95
5.2k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Building Better People: How to give real-time feedback that sticks.
wjessup
363
19k
Git: the NoSQL Database
bkeepers
PRO
425
64k
Transcript
Copyright © 2022 HashiCorp Secure Your Secrets in GitOps May
19, 2021 Rosemary Wang Developer Advocate at HashiCorp she/her @joatmon08 1
Works, but not ideal. Use SOPS to encrypt and store
in version control. 1 2 3 fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-hashicorp-vault SOPS 2. Commit encrypted secret to version control. 1. Use encryption key from Vault to encrypt secret. 2
What happens when you accidentally commit a plaintext secret? 3
1. Regret 2. Revoke 3. Rotate 4. Reference 5. Replace
6. Re-run Plan R AKA Remediation 4
Is there a better way? 5
Kubernetes Secret Plaintext 😨 Needs role-based access controls 🤔 Secrets
Manager Securely stores secrets (Some) Rotate secrets for you Audits access Securing Secrets Credentials, Tokens, Keys, Certificates 6
Secrets Manager + Kubernetes Use file-based secrets injection with Secrets
Store CSI Driver. 1 2 3 secrets-store-csi-driver.sigs.k8s.io/ vaultproject.io/docs/platform/k8s/csi @joatmon08 7
If you still need Kubernetes secrets… Sync as Kubernetes Secret
with Secrets Store CSI Driver. 1 2 3 8
github.com/ joatmon08/ hashicorp-vault-flux 9
1. hashicorp.com/blog/manage-kubernetes-secrets- for-flux-with-hashicorp-vault 2. fluxcd.io/docs/guides/mozilla-sops/#encrypting-s ecrets-using-hashicorp-vault 3. secrets-store-csi-driver.sigs.k8s.io/ 4. vaultproject.io/docs/platform/k8s/csi
5. vaultproject.io/docs/platform/k8s/injector Resources 10
Copyright © 2022 HashiCorp Thank you! May 19, 2021 Rosemary
Wang @joatmon08 joatmon08.github.io 11