Secrets Management and Delivery to Kubernetes Pods
Satish Devarapalli
$whoami
Satish Devarapalli
Cloud Platform Architect
@devasat
https://www.linkedin.com/in/satish-devarapalli-48a82a5/
Agenda
● Project Intro
● Secrets Delivery Pipeline View
● Mozilla SOPS (Secret OPerationS)
● Questions
Project Intro
(Diagram) Product: auth μsvc, μsvc, ...
Application Secrets
● Database Credentials
● AWS Credentials
● API Keys
● License Keys
● Encryption Keys
CI/CD Secrets
● AWS Credentials
● Kube Config Files
● Encryption Keys
Secrets Management Requirements
● Manage secrets as code → check-in, build and deploy
○ Secrets should be encrypted before check-in
● Encryption keys management
○ Different encryption keys for environments
○ Centralized access → do not store keys locally
○ Audit usage
○ Limit key access to individual members based on environment
○ Grant and revoke access easily
● Jenkins → minimal configuration on Jenkins nodes
○ Do not store encryption keys on Jenkins master or nodes
○ Secrets should not be left in plain text format on build success or failure
○ Store encrypted kube config files and AWS credentials in Git
● Limit secrets access to microservices that use it
Secrets Delivery Pipeline
(Diagram) Mozilla SOPS + AWS KMS: the developer side encrypts (enc) the secrets files; the Jenkins job, which runs inside a container, decrypts (dec) them with the same Mozilla SOPS + AWS KMS pair and then runs helm install into the Dev, QA and Prod environments.
Helm chart versions:
env-config-1.0.0-101-af837dh
env-config-1.0.0-102-x7jwy62
AWS KMS - Envelope Encryption
Picture source: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/how-it-works.html
Mozilla Secret OPerationS (SOPS)
~ > export SOPS_KMS_ARN="arn:aws:kms:us-east-1:212121:key/3434-c5f1-4040"
~ > sops -e secret-values.dec.yaml > secret-values.enc.yaml
Picture source: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/how-it-works.html
(Diagram) SOPS generates a 256-bit data key and encrypts secret-values.dec.yaml with it; the data key itself is encrypted by the KMS key named in SOPS_KMS_ARN, which stays inside the AWS boundary, and the result is written to secret-values.enc.yaml.
Mozilla Secret OPerationS (SOPS)
(Side by side) secret-values.dec.yaml vs. secret-values.enc.yaml
Mozilla Secret OPerationS (SOPS)
secret-values.enc.yaml = data + encryption information
● Data
● Encryption key ID
● Base64-encoded value of the encrypted data key
● Message Authentication Code → prevents file tampering
● JSON and YAML keys are not encrypted (only the values are)
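The structure just listed can be checked mechanically before a file is committed. The following script is an added example (not part of the deck and not SOPS code) that validates a SOPS-encrypted JSON file: every leaf value must carry the ENC[AES256_GCM,...] envelope, the sops metadata must name a master key and a MAC, and keys ending in the unencrypted_suffix are the only cleartext allowed. JSON is used rather than YAML only so the script needs nothing beyond the standard library; the sample documents are constructed and their ciphertext fragments are placeholders, not real SOPS output.

```python
import json
import re

# Shape of an encrypted leaf as SOPS writes it (data, iv and tag are base64):
#   ENC[AES256_GCM,data:<b64>,iv:<b64>,tag:<b64>,type:<str|int|float|bool|comment>]
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]+,iv:[A-Za-z0-9+/=]+,"
    r"tag:[A-Za-z0-9+/=]+,type:(str|int|float|bool|comment)\]$"
)


def _leaves(node, path=()):
    """Yield (path, value) for every scalar under node, descending into dicts and lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _leaves(value, path + (f"[{index}]",))
    else:
        yield path, node


def check_sops_json(text):
    """Return a list of problems in a SOPS JSON document; an empty list means it is safe to commit."""
    doc = json.loads(text)
    meta = doc.get("sops")
    if not isinstance(meta, dict):
        return ["no top-level 'sops' metadata: the file is not SOPS-encrypted at all"]
    problems = []
    # at least one master key provider must hold a wrapped copy of the data key
    if not any(meta.get(provider) for provider in ("kms", "gcp_kms", "azure_kv", "pgp")):
        problems.append("sops metadata lists no master key")
    for entry in meta.get("kms") or []:
        if not str(entry.get("arn", "")).startswith("arn:aws:kms:"):
            problems.append(f"kms entry with unexpected arn: {entry.get('arn')!r}")
        if not entry.get("enc"):
            problems.append("kms entry without an encrypted data key (enc)")
    # the MAC is itself an ENC[...] value; without it tampering with the file would go unnoticed
    if not ENC_RE.match(str(meta.get("mac", ""))):
        problems.append("missing or malformed sops.mac")
    suffix = meta.get("unencrypted_suffix", "_unencrypted")
    body = {key: value for key, value in doc.items() if key != "sops"}
    for path, value in _leaves(body):
        if any(part.endswith(suffix) for part in path):
            continue  # a key with the suffix (and everything under it) is cleartext by design
        if not ENC_RE.match(str(value)):
            problems.append("plaintext value at " + "/".join(path))
    return problems


# Constructed sample of an encrypted file: placeholder ciphertexts, placeholder key ARN.
ENCRYPTED_OK = """{
  "db_password": "ENC[AES256_GCM,data:Zm9vYmFy,iv:AAAAAAAAAAAAAAAA,tag:AAAAAAAAAAAAAAAAAAAAAA==,type:str]",
  "db": {
    "port": "ENC[AES256_GCM,data:NTQzMg==,iv:AAAAAAAAAAAAAAAA,tag:AAAAAAAAAAAAAAAAAAAAAA==,type:int]"
  },
  "region_unencrypted": "us-east-1",
  "sops": {
    "kms": [{"arn": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID",
             "created_at": "2019-01-01T00:00:00Z", "enc": "Q09OU1RSVUNURUQ=", "aws_profile": ""}],
    "gcp_kms": null, "azure_kv": null, "pgp": null,
    "lastmodified": "2019-01-01T00:00:00Z",
    "mac": "ENC[AES256_GCM,data:bWFj,iv:AAAAAAAAAAAAAAAA,tag:AAAAAAAAAAAAAAAAAAAAAA==,type:str]",
    "unencrypted_suffix": "_unencrypted",
    "version": "3.0.0"
  }
}"""

# Same file after someone pasted a cleartext value in by hand (constructed).
LEAKED = ENCRYPTED_OK.replace('"region_unencrypted"', '"api_key": "hunter2",\n  "region_unencrypted"')

if __name__ == "__main__":
    for label, text in (("ok", ENCRYPTED_OK), ("leaked", LEAKED)):
        print(label, check_sops_json(text) or "clean")
```

Wire it into a pre-commit hook over the staged *.enc.json files and the "encrypted before check-in" requirement becomes enforced rather than hoped for; the MAC check matters because a file whose values are all ENC[...] but whose metadata was stripped would still decrypt to nothing useful and should never reach Git.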
Mozilla SOPS - Key Providers
● Microsoft Azure Key Vault → SOPS_AZURE_KEYVAULT_URL
● Google Cloud KMS → SOPS_GCP_KMS_IDS
● AWS KMS → SOPS_KMS_ARN
● PGP → SOPS_PGP_FP
Mozilla SOPS - File Types
● Supported types: JSON, YAML and Binary
● Special support for JSON and YAML files
○ Encrypts only the values
○ File extension is used to determine the type
■ secret-values.yaml.enc → binary file
■ secret-values.enc.yaml → yaml file
○ Some YAML types (anchors, streams, top-level arrays) are not supported
● Binary: the input file is treated as a blob; the output carries the key fingerprint and the encrypted data key
Mozilla SOPS - Multiple Master Keys
(Diagram) Shared Services holds a Global Master Key; Business Unit 1 and Business Unit 2 each have their own DEV, QA and PROD keys.
Multiple Master Key Uses:
- Encryption key in master AWS account
- Encryption keys in different regions
- Encryption keys in different key providers (hybrid cloud)
- PGP key (stored offline)
Mozilla SOPS - .sops.yaml
The filename path passed to sops is matched against the regex of the creation rule in .sops.yaml (shown on the slide):
dev/secret-values.enc.yaml ✔
dev/secret-values.dec.yaml ✔
dev/aws-credentials.dec ✔
dev/aws-credentials ❌
Mozilla SOPS - .sops.yaml
Run sops from the root directory, where .sops.yaml lives:
~> sops -i -e dev/secret-values.enc.yaml ✔
~> cd dev && sops -i -e secret-values.enc.yaml ❌
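To see how the rule matching on the two .sops.yaml slides decides which master key applies, here is an added Python model (example code, not sops itself and not the deck's .sops.yaml) with one creation rule per environment folder; the regexes and the KMS ARNs are assumptions. It reproduces the ✔/❌ cases above, including the cd dev mistake, and adds a check that an already-encrypted file carries the ARN its path's rule demands, which catches a prod file that was encrypted with the dev key.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CreationRule:
    path_regex: str  # matched against the path exactly as it is passed to sops
    kms: str         # master key used for files that match this rule


# Python mirror of a constructed .sops.yaml (assumption: not the deck's real file).
# The YAML it stands for would read:
#   creation_rules:
#     - path_regex: ^dev/[^/]+\.(enc|dec)(\.yaml|\.json)?$
#       kms: arn:aws:kms:us-east-1:111111111111:key/DEV-KEY-ID
#     - path_regex: ^qa/[^/]+\.(enc|dec)(\.yaml|\.json)?$
#       kms: arn:aws:kms:us-east-1:111111111111:key/QA-KEY-ID
#     - path_regex: ^prod/[^/]+\.(enc|dec)(\.yaml|\.json)?$
#       kms: arn:aws:kms:us-east-1:111111111111:key/PROD-KEY-ID
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/{}-KEY-ID"  # placeholder ARNs
RULES = [
    CreationRule(rf"^{env}/[^/]+\.(enc|dec)(\.yaml|\.json)?$", KEY_ARN.format(env.upper()))
    for env in ("dev", "qa", "prod")
]


def resolve_rule(path_as_passed, rules=RULES):
    """Return the first rule whose regex matches the path as typed on the command line, or None."""
    for rule in rules:
        if re.search(rule.path_regex, path_as_passed):
            return rule
    return None


def matching_table(paths, rules=RULES):
    """Map each path to the master key that would encrypt it, or 'no rule' when nothing matches."""
    table = {}
    for path in paths:
        rule = resolve_rule(path, rules)
        table[path] = rule.kms if rule else "no rule"
    return table


def key_matches_environment(path_as_passed, arn_recorded_in_file, rules=RULES):
    """True only if the ARN stored in an encrypted file is the one its path's rule demands."""
    rule = resolve_rule(path_as_passed, rules)
    return rule is not None and rule.kms == arn_recorded_in_file


if __name__ == "__main__":
    # the cases from the slides, plus the 'cd dev && sops ...' mistake (no dev/ prefix)
    for path, key in matching_table([
        "dev/secret-values.enc.yaml", "dev/secret-values.dec.yaml",
        "dev/aws-credentials.dec", "dev/aws-credentials", "secret-values.enc.yaml",
    ]).items():
        print(f"{path:30} {key}")
```

The "no rule" outcome is the one to alarm on: with no matching rule sops has no master key for the file, so the second command on the slide fails rather than silently using the wrong key. The environment check is worth running in CI as well, since a file encrypted under the wrong environment's key is readable by everyone who holds that key. Newer sops releases may normalise the path relative to the directory of .sops.yaml before matching, so confirm the behaviour of the version you run against this model.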
Mozilla SOPS - Edit Files
Option 1: in-place edit
● Data key doesn't change
● Only the key value that was modified appears in the git diff
~ > export EDITOR=vi
~ > sops -i secret-values.enc.yaml
Mozilla SOPS - Edit Files
Option 2: decrypt and encrypt
● Data key changes
● All key values appear to have changed in the git diff
~ > # Decrypt
~ > sops -d secret-values.enc.yaml > secret-values.dec.yaml
~ > # Encrypt
~ > sops -e secret-values.dec.yaml > secret-values.enc.yaml
Mozilla SOPS - Diffs in Cleartext in Git
.gitattributes
~ > cat ~/.gitattributes
*.enc diff=sopsdiffer
*.enc.yaml diff=sopsdiffer
*.enc.json diff=sopsdiffer
.gitconfig
~ > grep -A1 sops ~/.gitconfig
[diff "sopsdiffer"]
textconv = "sops -d"
In my testing, this worked if .sops.yaml is at the root directory of the git project and the regex expression is based on the filename but not the directory name:
dev/secret-values.enc.yaml → dev-secret-values.enc.yaml
Mozilla SOPS - Demo
● Install SOPS
● Create and export GPG keys
● Set up .sops.yaml, folder per environment and encrypt input file
● In-place edit
Secrets Management Requirements
● Manage secrets as code → check-in, build and deploy
○ Secrets should be encrypted before check-in ✔
● Encryption keys management
○ Different encryption keys for environments ✔
○ Centralized access → do not store keys locally ✔
○ Audit usage ✔
○ Limit key access to individual members based on environment ✔
○ Grant and revoke access easily ✔
● Jenkins → minimal configuration on Jenkins nodes
○ Do not store encryption keys on Jenkins master or nodes
○ Secrets should not be left in plain text format on build success or failure
○ Store encrypted kube config files and AWS credentials in Git
● Limit secrets access to microservices that use it
Jenkins job in a container
(Diagram) The Jenkins workspace /jenkins/job1/ws is bind-mounted into the container as /ws; /build is a tmpfs mount backed by memory.
● Jenkins → minimal configuration on Jenkins nodes
○ Do not store encryption keys on Jenkins master or nodes → AWS KMS
○ Secrets should not be left in plain text format on build success or failure → Docker tmpfs
○ Store encrypted kube config files and AWS credentials in Git → AWS KMS
Decrypted files are stored only in the /build directory.
Jenkins Access:
- ECR
- KMS
- S3
Secrets Management Requirements
● Manage secrets as code → check-in, build and deploy
○ Secrets should be encrypted before check-in ✔
● Encryption keys management
○ Different encryption keys for environments ✔
○ Centralized access → do not store keys locally ✔
○ Audit usage ✔
○ Limit key access to individual members based on environment ✔
○ Grant and revoke access easily ✔
● Jenkins → minimal configuration on Jenkins nodes
○ Do not store encryption keys on Jenkins master or nodes ✔
○ Secrets should not be left in plain text format on build success or failure ✔
○ Store encrypted kube config files and AWS credentials in Git ✔
● Limit secrets access to microservices that use it
Limit Secrets Access to Microservices
Separate Secret object for each credential
Helm's values.yaml:
secret1Enabled: true
secret2Enabled: false
Helm's Deployment.yaml (volumes entry):
{{ if .Values.secret1Enabled }}
- name: {{ .Values.secret.secret1 }}
  secret:
    secretName: {{ .Values.secret.secret1 }}
{{ end }}
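An added, fuller version of that chart fragment (a constructed example, not the deck's chart; the Secret names orders-db-credentials and billing-api-key, the mount paths and the image reference are assumptions), showing both the volume and the matching volumeMount guarded per credential so a microservice only ever sees the Secret objects it was enabled for:

```yaml
# values.yaml (constructed): one flag and one Secret name per credential
secret1Enabled: true
secret2Enabled: false
secret:
  secret1: orders-db-credentials
  secret2: billing-api-key
---
# templates/deployment.yaml, trimmed to the parts that matter: each credential is its own
# Secret object and is projected into the pod only when its flag in values.yaml is true
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-orders
spec:
  template:
    spec:
      containers:
        - name: orders
          image: example.invalid/orders:1.0.0   # placeholder image
          volumeMounts:
            {{- if .Values.secret1Enabled }}
            - name: {{ .Values.secret.secret1 }}
              mountPath: /var/run/secrets/{{ .Values.secret.secret1 }}
              readOnly: true
            {{- end }}
            {{- if .Values.secret2Enabled }}
            - name: {{ .Values.secret.secret2 }}
              mountPath: /var/run/secrets/{{ .Values.secret.secret2 }}
              readOnly: true
            {{- end }}
      volumes:
        {{- if .Values.secret1Enabled }}
        - name: {{ .Values.secret.secret1 }}
          secret:
            secretName: {{ .Values.secret.secret1 }}
        {{- end }}
        {{- if .Values.secret2Enabled }}
        - name: {{ .Values.secret.secret2 }}
          secret:
            secretName: {{ .Values.secret.secret2 }}
        {{- end }}
```

The flags control what is mounted into the pod, not who may read the Secret through the API: a workload or person with get on secrets in the namespace can still read every Secret object there, so the per-credential split pays off fully only when it is paired with namespace and RBAC boundaries that match it.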
Secrets Management Requirements
● Manage secrets as code → check-in, build and deploy
○ Secrets should be encrypted before check-in ✔
● Encryption keys management
○ Different encryption keys for environments ✔
○ Centralized access → do not store keys locally ✔
○ Audit usage ✔
○ Limit key access to individual members based on environment ✔
○ Grant and revoke access easily ✔
● Jenkins → minimal configuration on Jenkins nodes
○ Do not store encryption keys on Jenkins master or nodes ✔
○ Secrets should not be left in plain text format on build success or failure ✔
○ Store encrypted kube config files and AWS credentials in Git ✔
● Limit secrets access to microservices that use it ✔
Questions?
