Storing Secrets in GIT | GitOps | Kubernetes

17,110 views

That DevOps Guy

A day ago

Today we take a look at the concept of Sealed Secrets and how to store secrets in GIT when using GitOps workflows with Kubernetes.
Source Code 🧐
--------------------------------------------------------------
github.com/marcel-dempers/doc...
Timestamps:
00:00 Intro
02:01 Source Code
02:38 Use Cases
03:38 Create a Kubernetes cluster
04:35 Install tooling
06:41 Installing Sealed Secret Controller
09:41 Check the install
10:21 Sponsor
11:44 Encryption process
13:47 KubeSeal
15:11 Our first sealed secret
19:03 Key rotation renewal
20:53 Backup encryption keys
21:34 Restore or migrate cluster
24:40 Re-encrypt secrets
26:42 Outro

Comments: 37
@assonancex 11 months ago
I love how clearly you articulate yourself. Soaking up these tutorials like a sponge. Defo some of the best DevOps tutorials I've seen on YT yet. Ultimately saving one precious time. Thanks bud.
@koskoskng 7 months ago
The best explanation of the sealed-secrets I have ever met. Thank you!
@tomklein6540 1 year ago
Thank you! I’ll soon give this a go on my dev fluxcd cluster.
@ThompsonEdolo 1 year ago
For anyone wondering, the net flag is how you get your docker container to communicate with your cluster
@nlflint 1 year ago
I was puzzled how kubeseal got the encryption key... So you’re saying when I run the CLI it reaches out to the cluster for the latest key?
@ThompsonEdolo 1 year ago
@nlflint The kubeseal cli can reach the cluster to get the secret sealed. The point I was trying to make is how his dev container was able to communicate with the cluster in the first place. It's quite easy to miss the net flag and you'd be left wondering why it isn't working.
@et2931 1 year ago
Great material! Many thanks for your work!
@aceisastud 1 year ago
As always great stuff! I wanted a way to use git with my secrets instead of a vault to have options.
@bagwaniali9514 1 year ago
Great video. What we did is encrypt our secrets with mozilla sops and store this in git. The keys for encryption came out of azure vault only accessible by the devops engineers. We decrypted it in our pipeline when deploying to kubernetes.
@Osandawedamulla 1 year ago
Great content, explanation is very nice. Thanks !!
@user-cp6kg3jd9w 7 months ago
woooooow Thank you for your excellent explanation
@salborough2 1 month ago
Awesome video thanks Marcel :)
@AlexDresko 1 year ago
I love learning about k8s, and this is one of those channels that always makes difficult concepts easy to understand. And now I'm going to be that guy that makes a suggestion for a video that you've already done because he didn't take time to search before asking: The machine has recently fed me videos about sealed secrets and videos about the external secrets thing. I haven't quite groked the relationship between the two.
@omarakki705 1 year ago
Thank you so much
@sujeetkumar. 1 year ago
Awesome explanation 👏👏
@bbamo2159 1 year ago
Great guy full of great stuff. 🤩
@abdisamaddheere9765 1 year ago
Thanks a lot boss.
@MohammedNoureldin 7 months ago
Excellent demo! Can KubeSeal be installed on a local machine and pass the public key (cert) to it (if yes, how?), or should it be installed inside the cluster?
@salihamallem 1 year ago
Thank you for the well explained video! How to manage encryption keys? Do admins need to worry about them and establish a process for them? Especially if you have thousands of applications deployed.
@rampanwar1316 1 year ago
Great video. When are you making a video about pulumi? Please make a video about pulumi.
@MarcelDempers 1 year ago
It's on my list 💪🏽
@based3765 1 year ago
What about storing secrets as GitHub secrets and using GitHub Actions pipelines for DevOps? Is that possible?
@minhthinhhuynhle9103 1 year ago
What another great video from Mr Dempers, a highly skilled Solution Architect acting as a DevOps propagandist.
@Babbili 1 year ago
Is it a base64 of the original secret?
@SightsToKeepInSight 1 year ago
No, it's real encryption and not an encoding (base64). It uses a master key inside the cluster that unseals (decrypts) the sealed secret and creates a normal kubernetes secret. All done via an operator running in the cluster. So, looking at the git you cannot see the clean secret.
@Babbili 1 year ago
@SightsToKeepInSight awesome
@nlflint 1 year ago
The SealedSecret is properly encrypted. However, once it's converted to a secret, immediately after deployment, the newly created Secret is still just Base64. I always wonder why k8s calls it a Secret when it's not encrypted. They're unencrypted at rest, not usually a good thing.
@Gunzy83 1 year ago
@nlflint Implementation wise there is not a huge difference. The big difference is when using RBAC properly to limit access to Secrets but allow access to ConfigMaps. You would probably need to prevent shell access to pods as well. This is critical if you are using SOPS, Sealed Secrets, cert-manager, 1Password Operator or another service that adds secrets to the cluster for pods to consume.
@Oswee 1 year ago
Unfortunately, besides K8s there is underlying infrastructure that uses secrets heavily. I mean, I was looking for something more generic and unified.
@RayHorn5128088056 1 year ago
Why not simply deploy manifests via ssh? From private git repos. Secure delivery. No need to store secrets.
@nlflint 1 year ago
Most orgs don't want any kind of dev to know production keys/passwords. It's just good OPSEC, so gotta keep plain text keys outta source control. This affects finance companies especially, ala Sarbanes-Oxley controls (SOX).
@CappySmack 1 year ago
@nlflint Deploying via SSH, for devs who need to be stupid about real secrets, is no less secure than your proposal. Also, there are simple programmatic techniques one could use for "secrets" where nobody has access to the "secrets" other than the code itself.
@erickvillatoro5683 1 year ago
Dude, here's a tip, raise your camera a bit. Your back will thank you.
@drakeanglin 1 year ago
Why don’t you just store the secret as a secret yaml to the cluster?
@MarcelDempers 1 year ago
With GitOps, manifests go in GIT.
@kidush4623 1 year ago
Better solution imo: helm secrets