Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure Your Secrets in GitOps
Search
Rosemary Wang
May 19, 2022
Programming
1
110
Secure Your Secrets in GitOps
Learn how to inject secrets into your applications with Flux, a GitOps tool on Kubernetes.
Rosemary Wang
May 19, 2022
Tweet
Share
More Decks by Rosemary Wang
See All by Rosemary Wang
Build for massive scale & security with the HashiCorp Cloud Platform
joatmon08
0
49
People, process, and technology for ILM and SLM adoption
joatmon08
0
39
Secure Day 2 operations with Boundary and Vault
joatmon08
0
56
Can You Test Your Infrastructure as Code?
joatmon08
1
99
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
54
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
69
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
75
Break Glass, Repair Fast, Reconcile Automation
joatmon08
1
64
Building a Developer Platform? Ask these questions.
joatmon08
0
75
Other Decks in Programming
See All in Programming
Ktorで簡単AIアプリケーション
tsukakei
0
100
『毎日の移動』を支えるGoバックエンド内製開発
yutautsugi
2
280
What Spring Developers Should Know About Jakarta EE
ivargrimstad
0
450
Foundation Modelsを実装日本語学習アプリを作ってみた!
hypebeans
1
120
PHPに関数型の魂を宿す〜PHP 8.5 で実現する堅牢なコードとは〜 #phpcon_hiroshima / phpcon-hiroshima-2025
shogogg
1
330
Migration to Signals, Resource API, and NgRx Signal Store
manfredsteyer
PRO
0
110
Devvox Belgium - Agentic AI Patterns
kdubois
1
140
品質ワークショップをやってみた
nealle
0
620
Go言語はstack overflowの夢を見るか?
logica0419
0
520
Leading Effective Engineering Teams in the AI Era
addyosmani
7
590
Domain-centric? Why Hexagonal, Onion, and Clean Architecture Are Answers to the Wrong Question
olivergierke
3
960
Pythonに漸進的に型をつける
nealle
1
120
Featured
See All Featured
The Power of CSS Pseudo Elements
geoffreycrofte
80
6k
How to train your dragon (web standard)
notwaldorf
97
6.3k
Build your cross-platform service in a week with App Engine
jlugia
233
18k
Making the Leap to Tech Lead
cromwellryan
135
9.6k
Leading Effective Engineering Teams in the AI Era
addyosmani
7
590
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
132
19k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
116
20k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
1.7k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
359
30k
Learning to Love Humans: Emotional Interface Design
aarron
274
41k
The Straight Up "How To Draw Better" Workshop
denniskardys
238
140k
Transcript
Copyright © 2022 HashiCorp Secure Your Secrets in GitOps May
19, 2021 Rosemary Wang Developer Advocate at HashiCorp she/her @joatmon08 1
Works, but not ideal. Use SOPS to encrypt and store
in version control. 1 2 3 fluxcd.io/docs/guides/mozilla-sops/#encrypting-secrets-using-hashicorp-vault SOPS 2. Commit encrypted secret to version control. 1. Use encryption key from Vault to encrypt secret. 2
What happens when you accidentally commit a plaintext secret? 3
1. Regret 2. Revoke 3. Rotate 4. Reference 5. Replace
6. Re-run Plan R AKA Remediation 4
Is there a better way? 5
Kubernetes Secret Plaintext 😨 Needs role-based access controls 🤔 Secrets
Manager Securely stores secrets (Some) Rotate secrets for you Audits access Securing Secrets Credentials, Tokens, Keys, Certificates 6
Secrets Manager + Kubernetes Use file-based secrets injection with Secrets
Store CSI Driver. 1 2 3 secrets-store-csi-driver.sigs.k8s.io/ vaultproject.io/docs/platform/k8s/csi @joatmon08 7
If you still need Kubernetes secrets… Sync as Kubernetes Secret
with Secrets Store CSI Driver. 1 2 3 8
github.com/ joatmon08/ hashicorp-vault-flux 9
1. hashicorp.com/blog/manage-kubernetes-secrets- for-flux-with-hashicorp-vault 2. fluxcd.io/docs/guides/mozilla-sops/#encrypting-s ecrets-using-hashicorp-vault 3. secrets-store-csi-driver.sigs.k8s.io/ 4. vaultproject.io/docs/platform/k8s/csi
5. vaultproject.io/docs/platform/k8s/injector Resources 10
Copyright © 2022 HashiCorp Thank you! May 19, 2021 Rosemary
Wang @joatmon08 joatmon08.github.io 11