Shh, It’s a Secret: Managing Your Secrets in a GitOps Way

Shh, It’s a Secret: Managing Your Secrets in a GitOps Way - Jake Wernette & Josh Kayani, IBM

Рет қаралды 6,368

CNCF [Cloud Native Computing Foundation]

Күн бұрын

Don’t miss out! Join us at our next event: KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain from May 17-20. Learn more at kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Shh, It’s a Secret: Managing Your Secrets in a GitOps Way - Jake Wernette & Josh Kayani, IBM
How do you handle secrets? That is the first question that is asked whenever you are talking about GitOps. And it is a valid question! Do you put secrets directly in Git? Do you inject them in runtime? This is something that is trying to be answered across the community and in many different ways. Jake and his team at IBM looked at the landscape of GitOps specifically with Argo CD and could not find something that fit their needs. This talk will showcase how they were able to build and adopt argocd-vault-plugin and how it was able to simplify their secret management while allowing them to manage it in a GitOps way. Hopefully this talk will help you along in your GitOps journey and bridge the secrets gap that we are seeing so often in the community.

Пікірлер: 6

@harshvardhanchauhan1604 11 ай бұрын

Do we have a HOWTO doc for setting up ArgoCD vault plug-in + AWS secret manager?

@user-oe4jx5vj2c 11 ай бұрын

"Don't do it like that in production." (19:40) Well, but how should i do it instead? Create multiple roles? All are managed by argo, so what's the point?

@adarshaj 2 жыл бұрын

So when i fetch the yaml for the deployed application, I'll be able to see the secret as is? I think the point of secret is that the deployment environment will ensure the secret is injected at runtime, so anyone outside of cluster will not be able to see the password.. but with this kind of rendering, we are encoding the secret right into the yaml of the resource, so anyone who can read the resources will now also know the password..

@Luther_Luffeigh 2 жыл бұрын

Anyone with permissions

@adarshaj 2 жыл бұрын

@@Luther_Luffeigh That's the problem! with secrets directly interspersed into resource's yaml, I do not have a separate RBAC to restrict access to the secret. So if I use AVP there's no way for me to restrict who can access my secrets.