
12020-11-22

SEAN K.H. LIAO

gitops

The idea that you track your desired state (of entire clusters) in git and some tooling realizes it for you. The problem is secrets: dumping plain secrets into git is a bad idea, especially if the repo is going to be public.

options

bitnami-labs/sealed-secrets

Secrets are encrypted with a public key and stored as a CRD. A controller in the cluster watches those CRDs and decrypts them with the private key, creating the corresponding Secrets.
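What actually lands in git with this approach is the SealedSecret resource below. This is an added, constructed example rather than something from the post or the sealed-secrets project; the ciphertext values and the name/namespace are placeholders. Note that by default the ciphertext is bound to the Secret's name and namespace, so a sealed value copied into a different namespace will not decrypt.

```yaml
# SealedSecret as committed to git (constructed example; ciphertext values are placeholders
# standing in for kubeseal output, not real encrypted data).
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-credentials      # placeholder name
  namespace: prod           # placeholder namespace
spec:
  encryptedData:
    # Each value is independently encrypted; only the controller's private key,
    # which never leaves the cluster, can recover the plaintext.
    username: AgB<placeholder-ciphertext>
    password: AgB<placeholder-ciphertext>
  # The template describes the Secret the controller will create after decryption.
  template:
    metadata:
      name: db-credentials
      namespace: prod
    type: Opaque
```

The controller turns this into an ordinary Secret named db-credentials in prod, so the resulting Secret is still plaintext inside the cluster: etcd encryption at rest and RBAC on Secrets still matter.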

external-secrets/kubernetes-external-secrets

Secrets are stored in cloud-platform-specific secret managers (or HashiCorp Vault). A controller watches for CRDs and retrieves the secrets.

Supports: aws, hashicorp vault, azure, alibaba, gcp
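With this approach git holds only a reference to where the secret lives, never the value. The ExternalSecret below is an added, constructed example (not from the post or the project) for the AWS Secrets Manager backend; the region, secret name and field are placeholders.

```yaml
# ExternalSecret as committed to git (constructed example; no secret material here).
apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
  name: db-credentials      # placeholder name
  namespace: prod           # placeholder namespace
spec:
  backendType: secretsManager   # AWS Secrets Manager backend
  region: eu-west-1             # placeholder region
  data:
    # key: the secret in Secrets Manager (placeholder path)
    # property: a field inside that JSON secret
    # name: the key it becomes in the generated Kubernetes Secret
    - key: prod/db
      property: username
      name: username
    - key: prod/db
      property: password
      name: password
```

The controller's own identity (its IAM role or service-account credentials) is what gets access to the backend, so that identity, not the git repo, becomes the thing to lock down and audit.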

alternatives
mozilla/sops based solutions

SOPS is generic secret-encryption tooling; additional tooling is needed to integrate it with k8s workflows. Secrets are encrypted either with a GPG key or with cloud KMS keys. Wrappers/plugins decrypt the contents before they are rendered/used as plain values.

examples

For helm specifically, individual helm values are encrypted with GPG or cloud KMS. `helm secrets ...` wraps the normal helm commands to decrypt the secret values, which can then be used as normal helm values in templating.
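The file SOPS writes is what gets committed, and its shape explains why it fits helm values: the key structure stays in cleartext and only the leaf values are encrypted, so the file still parses as YAML and can be diffed. Below is an added, constructed example of such a values file encrypted with a GCP KMS key (not from the post or the SOPS project); every ciphertext, key resource id and timestamp is a placeholder.

```yaml
# secrets.yaml after encryption, as committed to git (constructed example).
# Keys remain readable; values are ENC[...] blobs that only the KMS key can unwrap.
db:
  username: ENC[AES256_GCM,data:<placeholder>,iv:<placeholder>,tag:<placeholder>,type:str]
  password: ENC[AES256_GCM,data:<placeholder>,iv:<placeholder>,tag:<placeholder>,type:str]
# Metadata SOPS uses to decrypt: which key wrapped the data key, and a MAC over the file
# so that tampering with even the cleartext keys is detected on decryption.
sops:
  kms: []
  gcp_kms:
    - resource_id: projects/<project>/locations/global/keyRings/<ring>/cryptoKeys/<key>
      created_at: "2020-11-22T00:00:00Z"
      enc: <placeholder-wrapped-data-key>
  azure_kv: []
  hc_vault: []
  lastmodified: "2020-11-22T00:00:00Z"
  mac: ENC[AES256_GCM,data:<placeholder>,iv:<placeholder>,tag:<placeholder>,type:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: <sops version>
```

With the helm-secrets plugin this file is passed like any other values file, for example `helm secrets install myrelease ./chart -f secrets.yaml`; the plugin decrypts to a temporary file for the duration of the helm command, so whoever runs it needs decrypt access to the KMS key.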

git

Use git filters/commands to encrypt/decrypt files before git operations.