GitOps keeping it secret

We all love GitOps: it simplifies a lot of our existing workflows. But when everything is committed to Git, how do we keep sensitive information secure? You don't want to keep any secrets in Git, where they are left open to anyone who has access to your repo. If you are embracing GitOps in your organization, application secrets should be protected somehow. How can we store those files in Git while keeping them secure? Join me to learn how!

Omer Levi Hevroni

June 02, 2020

Transcript

  1. Encrypted Secrets? (@omerlh)
     • Secrets that can be committed
     • Transparent for the app
     • Multiple solutions:
       • Helm Secrets
       • Sealed Secrets
  2. Challenges
     • Key Management
     • Sealed Secret – Single keypair per deployment
     • Helm Secrets – Using SOPS
     • Coupling to a specific tool/cluster
     • Changes to a secret require decryption permissions
  3. What?
     • An open source project by Soluto
     • Allows encrypting a secret for a specific application
     • Leveraging cloud encryption service (AWS/GCP KMS, Azure KeyVault)
     • HSM support
     • CRD support – for creating Kubernetes secrets
  4. A GitOps Deployment
     [Diagram labels: Manifests Files, Code, Secret (encrypted)]
     Kubernetes Icons Source: Kubernetes Community, Apache 2 license