DEV Community

Isreal Urephu
Isreal Urephu

Posted on

๐Ÿ”’๐—ฆ๐˜๐—ผ๐—ฟ๐—ถ๐—ป๐—ด ๐—ž๐˜‚๐—ฏ๐—ฒ๐—ฟ๐—ป๐—ฒ๐˜๐—ฒ๐˜€ ๐—ฆ๐—ฒ๐—ฐ๐—ฟ๐—ฒ๐˜๐˜€ ๐—ฆ๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ฒ๐—น๐˜† ๐˜„๐—ถ๐˜๐—ต ๐—˜๐˜…๐˜๐—ฒ๐—ฟ๐—ป๐—ฎ๐—น ๐—ฆ๐—ฒ๐—ฐ๐—ฟ๐—ฒ๐˜๐˜€ ๐—ข๐—ฝ๐—ฒ๐—ฟ๐—ฎ๐˜๐—ผ๐—ฟ

๐Ÿ”’๐—ฆ๐˜๐—ผ๐—ฟ๐—ถ๐—ป๐—ด ๐—ž๐˜‚๐—ฏ๐—ฒ๐—ฟ๐—ป๐—ฒ๐˜๐—ฒ๐˜€ ๐—ฆ๐—ฒ๐—ฐ๐—ฟ๐—ฒ๐˜๐˜€ ๐—ฆ๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ฒ๐—น๐˜† ๐˜„๐—ถ๐˜๐—ต ๐—˜๐˜…๐˜๐—ฒ๐—ฟ๐—ป๐—ฎ๐—น ๐—ฆ๐—ฒ๐—ฐ๐—ฟ๐—ฒ๐˜๐˜€ ๐—ข๐—ฝ๐—ฒ๐—ฟ๐—ฎ๐˜๐—ผ๐—ฟ

With the growing adoption of the GitOps principle where a single source of truth is maintained for everything, all application manifests (deployments, configmaps, ingresses, etc.) are stored in a version control system.

However, ๐˜€๐—ฒ๐—ป๐˜€๐—ถ๐˜๐—ถ๐˜ƒ๐—ฒ ๐—ถ๐—ป๐—ณ๐—ผ๐—ฟ๐—บ๐—ฎ๐˜๐—ถ๐—ผ๐—ป such as credentials stored in Kubernetes Secrets cannot be committed to version control in plain text and even Base64 encoding isnโ€™t safe, since it can be decoded easily (itโ€™s encoding, not encryption).

Here are a few ways to store Kubernetes secrets in a Git repository without compromising them:

1๏ธโƒฃUsing External Secrets Operator backed by a secret manager backend like AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, etc.
2๏ธโƒฃUsing a Sealed Secrets controller running in your Kubernetes cluster.
3๏ธโƒฃ Using SOPS, which encrypts secrets using AWS KMS, GCP KMS, and other key management services.

In this post, Iโ€™ll focus on ๐—˜๐˜…๐˜๐—ฒ๐—ฟ๐—ป๐—ฎ๐—น ๐—ฆ๐—ฒ๐—ฐ๐—ฟ๐—ฒ๐˜๐˜€ ๐—ข๐—ฝ๐—ฒ๐—ฟ๐—ฎ๐˜๐—ผ๐—ฟ (๐—˜๐—ฆ๐—ข)

๐Ÿ”‘ ๐—˜๐˜…๐˜๐—ฒ๐—ฟ๐—ป๐—ฎ๐—น ๐—ฆ๐—ฒ๐—ฐ๐—ฟ๐—ฒ๐˜ ๐—ข๐—ฝ๐—ฒ๐—ฟ๐—ฎ๐˜๐—ผ๐—ฟ
Instead of storing your Kubernetes Secrets directly in Git, you store them in a secure backend (AWS Secrets Manager, Parameter Store, HashiCorp Vault, Azure Key Vault, etc.) and let the External Secrets Operator sync them into your cluster.

๐—›๐—ผ๐˜„ ๐—ถ๐˜ ๐˜„๐—ผ๐—ฟ๐—ธ๐˜€
1๏ธโƒฃ Store your secret in AWS Secrets Manager, Parameter Store, Vault, or another supported backend.
2๏ธโƒฃ Create a ๐—ฆ๐—ฒ๐—ฐ๐—ฟ๐—ฒ๐˜๐—ฆ๐˜๐—ผ๐—ฟ๐—ฒ or ๐—–๐—น๐˜‚๐˜€๐˜๐—ฒ๐—ฟ๐—ฆ๐—ฒ๐—ฐ๐—ฟ๐—ฒ๐˜๐—ฆ๐˜๐—ผ๐—ฟ๐—ฒ this Custom Resource Definition (CRD) specifies:

  • The backend type (AWS, Vault, Azure, etc.)
  • The authentication method used to access the backend. 3๏ธโƒฃ Create an ๐—˜๐˜…๐˜๐—ฒ๐—ฟ๐—ป๐—ฎ๐—น๐—ฆ๐—ฒ๐—ฐ๐—ฟ๐—ฒ๐˜, this CRD is stored in Git and references:
  • The ๐—ฆ๐—ฒ๐—ฐ๐—ฟ๐—ฒ๐˜๐—ฆ๐˜๐—ผ๐—ฟ๐—ฒ
  • The name of the secret in the backend
  • The name of the Kubernetes Secret to be created 4๏ธโƒฃ The External Secrets Operator reads the ๐—˜๐˜…๐˜๐—ฒ๐—ฟ๐—ป๐—ฎ๐—น๐—ฆ๐—ฒ๐—ฐ๐—ฟ๐—ฒ๐˜, authenticates to the backend using the credentials defined in the ๐—ฆ๐—ฒ๐—ฐ๐—ฟ๐—ฒ๐˜๐—ฆ๐˜๐—ผ๐—ฟ๐—ฒ, fetches the secret, and creates the Kubernetes Secret in your cluster. 5๏ธโƒฃ ๐—˜๐—ฆ๐—ข ๐—ฐ๐—ผ๐—ป๐˜๐—ถ๐—ป๐˜‚๐—ผ๐˜‚๐˜€๐—น๐˜† ๐˜€๐˜†๐—ป๐—ฐ๐˜€ secrets from the backend to Kubernetes, ensuring they are always up to date according to the sync configuration.

How are you managing Kubernetes secrets in your GitOps workflow?

Top comments (0)