Storing Kubernetes Secrets Securely with External Secrets Operator
With the growing adoption of the GitOps principle where a single source of truth is maintained for everything, all application manifests (deployments, configmaps, ingresses, etc.) are stored in a version control system.
However, sensitive information such as credentials stored in Kubernetes Secrets cannot be committed to version control in plain text, and even Base64 encoding isn't safe, since it can be decoded trivially (it's encoding, not encryption).
Here are a few ways to store Kubernetes secrets in a Git repository without compromising them:
1. Using External Secrets Operator backed by a secret manager backend like AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, etc.
2. Using a Sealed Secrets controller running in your Kubernetes cluster.
3. Using SOPS, which encrypts secrets using AWS KMS, GCP KMS, and other key management services.
In this post, I'll focus on External Secrets Operator (ESO).
External Secrets Operator
Instead of storing your Kubernetes Secrets directly in Git, you store them in a secure backend (AWS Secrets Manager, Parameter Store, HashiCorp Vault, Azure Key Vault, etc.) and let the External Secrets Operator sync them into your cluster.
How it works
1. Store your secret in AWS Secrets Manager, Parameter Store, Vault, or another supported backend.
2. Create a SecretStore or ClusterSecretStore. This custom resource (one of the CRDs that ESO installs) specifies:
- The backend type (AWS, Vault, Azure, etc.)
- The authentication method used to access the backend.
3. Create an ExternalSecret. This resource is what you commit to Git, and it contains no secret values; it only references:
- The SecretStore
- The name of the secret in the backend
- The name of the Kubernetes Secret to be created
4. The External Secrets Operator reads the ExternalSecret, authenticates to the backend using the credentials defined in the SecretStore, fetches the secret, and creates the Kubernetes Secret in your cluster.
5. ESO continuously syncs secrets from the backend to Kubernetes, so they stay up to date according to the refresh interval you configure.
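The steps above, as an added worked example that is not part of the original post: a SecretStore pointing at AWS Secrets Manager and an ExternalSecret that maps two fields of a backend secret into a Kubernetes Secret. The namespace, resource names, region, ServiceAccount name and the backend secret path are placeholders I chose for illustration; the API group, kinds and field names are ESO's own.

```yaml
# Added example, not from the original post. Names, namespace, region and the
# Secrets Manager path are placeholders. Nothing in these two manifests is
# secret, so both are safe to commit to the GitOps repository.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager          # referenced by the ExternalSecret below
  namespace: payments                # hypothetical application namespace
spec:
  provider:
    aws:
      service: SecretsManager        # ParameterStore is the other AWS service ESO supports here
      region: eu-west-1              # placeholder region
      auth:
        # IRSA: the pod identity of this ServiceAccount is exchanged for short-lived
        # AWS credentials, so no long-lived access keys live in Git or in the cluster.
        jwt:
          serviceAccountRef:
            name: external-secrets-reader
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: payments-db
  namespace: payments
spec:
  refreshInterval: 1h                # how often ESO re-reads the backend (step 5)
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore                # use ClusterSecretStore for a cluster-wide store
  target:
    name: payments-db-credentials    # name of the Kubernetes Secret ESO creates (step 4)
    creationPolicy: Owner            # ESO owns the Secret; deleting the ExternalSecret removes it
  data:
    # Map individual fields of the backend secret to keys of the Kubernetes Secret.
    - secretKey: username
      remoteRef:
        key: prod/payments/db        # placeholder secret path in Secrets Manager (step 1)
        property: username           # JSON field inside that secret
    - secretKey: password
      remoteRef:
        key: prod/payments/db
        property: password
```

For the IRSA binding to work, the external-secrets-reader ServiceAccount must carry the eks.amazonaws.com/role-arn annotation pointing at an IAM role that is allowed secretsmanager:GetSecretValue on that one path, which keeps the blast radius of the store to the secrets the namespace actually needs. After applying, `kubectl get externalsecret payments-db -n payments` shows whether the sync succeeded; a failing STATUS usually means the IAM trust policy or the backend path is wrong, and the Kubernetes Secret is simply not created. Remember that the resulting Secret is still plain Base64 in etcd, so RBAC on the namespace and encryption at rest for etcd remain necessary; ESO solves the "secrets in Git" problem, not the "secrets in the cluster" problem.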
How are you managing Kubernetes secrets in your GitOps workflow?