|
| 1 | +# The basics of GitOps secrets management (Kubernetes) |
| 2 | + |
| 3 | +Source: |
| 4 | +- <https://www.redhat.com/en/blog/a-guide-to-secrets-management-with-gitops-and-kubernetes> |
| 5 | +- <https://www.harness.io/blog/gitops-secrets> |
| 6 | + |
| 7 | +Kubernetes provides Secrets as objects to store confidential information without being visible in the application code. This mechanism makes it possible to use sensitive data with less risk of accidental exposure when managing the operations of Kubernetes itself. From a basic level, the process to create Kubernetes secrets is fairly straightforward: |
| 8 | +- A trusted individual or source defines a Secret by creating a specific name for it and entering the confidential data. Kubernetes operators never see the actual data itself, only the name. |
| 9 | +- Once a workload needs to access and use the confidential data, it will refer to that previously created specific name to retrieve it |
| 10 | + |
| 11 | +Keeping sensitive data in Git in any capacity introduces a security risk, even if the repository is private with strict access controls. If a secret gets committed to a Git repository in plain text form, it must be revoked and no longer used. However, there are still ways to handle secrets in GitOps that mitigate security risks. Let's go over two of the popular methoddologies to manage secrets in GitOps: |
| 12 | + |
| 13 | +## 1. Encrypted secrets: |
| 14 | + |
| 15 | +> Store encrypted secrets in a Git repository and leverage automation to decrypt and render them as Kubernetes Secrets |
| 16 | +
|
| 17 | +[Bitnami Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets): |
| 18 | + |
| 19 | + |
| 20 | + |
| 21 | +- It takes advantage of public-key cryptography to encrypt secrets: |
| 22 | + - Using source control to store secrets. |
| 23 | + - Using a decryption key within a Kubernetes cluster to decrypt secrets. |
| 24 | +- A CLI tool, Kubeseal, makes encrypting secrets simple because it has access to the cluster to retrieve encryption keys. |
| 25 | + |
| 26 | + |
| 27 | + |
| 28 | +- The main advantages are usability and eliminating the need to use a separate Secrets Manager, like Hashicorp Vault. |
| 29 | +- You still need to manually encrypt each secret. |
| 30 | +- The solution exclusively works with Kubernetes. |
| 31 | + |
| 32 | +[Mozilla SOPs](https://github.com/mozilla/sops): |
| 33 | +- A flexible CLI tool for encryption and decryption not limited to use cases with Kubernetes. |
| 34 | +- Supports multiple input format. |
| 35 | +- Supports integrations with Key Management Systems (KMS) like Hashicorp Vault, AWS KMS to provide encryption keys for securing secrets rather than storing secrets directly within with the KMS. |
| 36 | +- Similar to how SealedSecrets work, secrets are manually encrypted by developers. It uses the SealedSecrets workflow but uses SOPS for encryption. It reads decryption keys from a key store and then decrypts secrets using a SOPS binary that a tool, such as Argo CD, can run with the SOPS plugin. |
| 37 | + |
| 38 | +Disadvantages: |
| 39 | +- Manually take secrets in plain text form, encrypt them, and store them in Git. |
| 40 | +- The other downfall is that if any encrypted keys are compromised, it's difficult to retroactively find and revoke all of them. |
| 41 | +- Scaling problem. |
| 42 | + |
| 43 | +## 2. GitOps Secrets Reference |
| 44 | + |
| 45 | +> Store references to the secrets in a Git repository Instead of storing encrypted secrets directly in Git. Then leverage automation to fetch the actual secrets based on their references before rendering them as Kubernetes Secrets. |
| 46 | +
|
| 47 | +To retrieve the secrets from the manager and get them into your cluster, you'll need an operator installed on your cluster to interact with secrets manager. |
| 48 | + |
| 49 | +[External Secrets Operator](https://github.com/external-secrets/external-secrets) integrates external secret management systems like AWS Secrets Manager, hashicorp Vault, ... The operator reads information from external APIs and automatically injects the values into a Kubernetes Secret. |
| 50 | + |
| 51 | + |
| 52 | + |
| 53 | +Kubernetes Secrets Store CSI Driver is a solution to take secrets from an external secrets management tool and bring them into a Kubernetes cluster. |
| 54 | +- More complex than External Secrets. Instead of retrieving external secrets and creating secret resources, this solution uses a separate volume attached to a pod to store secrets. A developer commits a SecretProviderClass with a reference to a secret. The GitOps operator deploys the change and the CSI Secret Store Operator Plugin then retrieves the secret from the secret management system. The operator plugin then creates a volume with the secret that is attached to a specified pod. |
| 55 | + |
| 56 | + |
0 commit comments