Alex Soto - Securing Secrets in the GitOps era

Learn how to secure your secrets in the GitOps era, covering topics such as Kubernetes secret management, Vault, rotation of secrets, and more.

Key takeaways
  • Secrets management is crucial in GitOps. In the GitOps era everything lives in Git, but secrets must not.
  • Kubernetes secrets are not really secret. Anyone who gains access to the pod can read them, and they are stored in etcd unencrypted by default.
  • GitOps requires secure secrets management. GitOps needs a sound strategy for storing and managing secrets at every stage: in Git, in the cluster, and in the secret management system.
  • Vault alone is not enough. Vault is a good option and adds a solid security layer, but the secrets it delivers to the application are still in memory.
  • HashiCorp Vault is a good option for secret management. It provides a secure way to store and manage secrets, and it is open source.
  • Rotation of secrets and keys is crucial. Regular rotation of secrets and keys is essential to the security of the application.
  • GitOps and secrets management require layers. No single control is sufficient; multiple layers of security are needed to keep the application secure.
  • Sealed secrets can be used. Sealed secrets encrypt secrets before they are committed to Git.
  • A KMS plugin is required. A KMS plugin is required to keep secrets encrypted in the cluster.
  • Dynamic secrets can be used. Dynamic secrets generate credentials for the application on demand.
  • Kubernetes secrets can be encrypted. Kubernetes secrets can be encrypted instead of being left in their default unencrypted form.
  • GitOps requires configuration management. GitOps requires configuration management to keep the application secure.
  • Secrets should be stored in a secret management system. Secrets belong in a dedicated secret management system, not in Git.
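The point that a plain Kubernetes Secret in Git is merely base64-encoded, not encrypted, while a sealed secret is ciphertext, can be turned into a repository check. The following is an added example, not code from the talk or from any of the projects it mentions: a small pre-commit style scanner that reports every value a `kind: Secret` manifest would commit in readable form and ignores `SealedSecret` manifests. The two manifests and the `encryptedData` value are constructed placeholders, and the YAML walk is a deliberately minimal, assumption-laden one (2-space indentation, one key per line).

```python
import base64
import re

# Constructed sample of two manifests as they might sit in a GitOps repo: a plain
# Kubernetes Secret (base64 is encoding, not encryption) and a SealedSecret, whose
# values are ciphertext only the cluster-side controller key can decrypt.
SAMPLE_MANIFESTS = """\
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
type: Opaque
data:
  username: YWRtaW4=
  password: czNjcmV0LXB3
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-creds
spec:
  encryptedData:
    password: AgBy8hCi...ciphertext-placeholder...
"""

def find_plaintext_secrets(manifest_text):
    """Return [(secret_name, key, value)] for every value a plain `kind: Secret`
    would commit to Git, with `data:` entries base64-decoded to show they are
    readable. Minimal line-based YAML walk (assumes 2-space indentation and one
    key per line) so it needs no PyYAML; SealedSecrets are skipped on purpose."""
    findings = []
    for doc in re.split(r"^---\s*$", manifest_text, flags=re.MULTILINE):
        kind = name = section = None
        for line in doc.splitlines():
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            if not line[0].isspace():  # a top-level key starts a new section
                section = stripped.rstrip(":")
                if stripped.startswith("kind:"):
                    kind = stripped.split(":", 1)[1].strip()
                continue
            key, _, value = (s.strip() for s in stripped.partition(":"))
            if section == "metadata" and key == "name":
                name = value
            elif kind == "Secret" and section == "data":
                findings.append((name, key, base64.b64decode(value).decode()))
            elif kind == "Secret" and section == "stringData":
                findings.append((name, key, value))  # stringData is already plaintext
    return findings

if __name__ == "__main__":
    for secret, key, value in find_plaintext_secrets(SAMPLE_MANIFESTS):
        print(f"plaintext secret in Git: {secret}/{key} = {value!r}")
```

Wired into a pre-commit hook or CI job over the repository's manifests, a non-empty result blocks the commit; the sealed variant produces no findings because only the cluster can decrypt it.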