mozilla-iam / iam-infra

This repo contains the resources and configuration needed to create the Mozilla IAM infrastructure
Mozilla Public License 2.0

Kubernetes secrets management #132

Closed the-smooth-operator closed 5 years ago

the-smooth-operator commented 5 years ago

Currently Kubernetes secrets are not version controlled and managed manually. As we are moving the cluster to a more production ready state, this issue has to be tackled. Let's keep the discussion about possible solutions in this thread.

the-smooth-operator commented 5 years ago

I have been looking at Blackbox developed by StackExchange. Basically it is a CLI tool that uses GPG for encrypting selected files. Seems to be simple and intuitive to use and it fits our needs.

I'm interested in knowing what you think about it, from your perspective as a developer, administrator, security eng... @fiji-flo @ziegeer @andrewkrug @danielhartnell

ziegeer commented 5 years ago

I was leaning toward Credstash as I like the security of the KMS backend, but I'm not sure what the development story is for that, so others' experiences will be more important.

Things like transparent git diff concern me as far as leaking secrets.

gdestuynder commented 5 years ago

just as a note: we replaced credstash by directly using parameter store in AWS for CIS

the-smooth-operator commented 5 years ago

IT-SRE has decided to use private git repos + git-crypt to store secrets. However, this decision might be revisited in the future. For the moment I've created a new private repo, added all the GPG keys of the IT-SRE team members, and encrypted the few secrets we have. Calling this one done.
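The thread settles on git-crypt in a private repo, and the concern raised above is secrets slipping into the repo in the clear. The audit below is an added example, not code from the iam-infra repo: it assumes `git` is on PATH and checks that every tracked path whose `.gitattributes` filter is `git-crypt` is stored in the object database with git-crypt's 10-byte header, which works because git-crypt encrypts in the clean filter and `git cat-file` reads the stored object without running filters.

```python
"""Audit a git-crypt repository: every tracked path flagged with
`filter=git-crypt` in .gitattributes must be stored encrypted in the
given revision. Assumes `git` is on PATH; git-crypt itself is not needed."""
import subprocess
import sys

# git-crypt prefixes every encrypted blob with this 10-byte magic header.
GITCRYPT_MAGIC = b"\x00GITCRYPT\x00"


def is_gitcrypt_blob(data: bytes) -> bool:
    """True if the stored object carries the git-crypt header."""
    return data[: len(GITCRYPT_MAGIC)] == GITCRYPT_MAGIC


def parse_check_attr_z(output: bytes) -> list[str]:
    """Parse `git check-attr -z` output (path NUL attr NUL value NUL ...)
    and return the paths whose `filter` attribute is `git-crypt`."""
    fields = output.split(b"\x00")
    flagged = []
    for i in range(0, len(fields) - 2, 3):
        path, attr, value = fields[i : i + 3]
        if attr == b"filter" and value == b"git-crypt":
            flagged.append(path.decode())
    return flagged


def find_plaintext_secrets(flagged, read_blob) -> list[str]:
    """Return flagged paths whose committed blob lacks the header, i.e.
    files that should be encrypted but were stored in the clear."""
    return [p for p in flagged if not is_gitcrypt_blob(read_blob(p))]


def git(*args, cwd=None, stdin=None) -> bytes:
    return subprocess.run(["git", *args], cwd=cwd, input=stdin,
                          check=True, capture_output=True).stdout


def audit_repo(repo: str = ".", rev: str = "HEAD") -> list[str]:
    """List paths in `rev` that .gitattributes says must be git-crypted
    but whose object in the database is plaintext."""
    tracked = git("ls-files", "-z", cwd=repo)
    attrs = git("check-attr", "-z", "--stdin", "filter", cwd=repo, stdin=tracked)
    return find_plaintext_secrets(
        parse_check_attr_z(attrs),
        lambda p: git("cat-file", "blob", f"{rev}:{p}", cwd=repo))


if __name__ == "__main__":
    leaks = audit_repo(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in leaks:
        print(f"PLAINTEXT in repo: {path}")
    sys.exit(1 if leaks else 0)
```

Run it from CI or a pre-push hook against the secrets repo; a non-zero exit means a path marked for encryption was committed before its `.gitattributes` rule existed or with the filter misconfigured.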

gdestuynder commented 5 years ago

Another note: we're probably going to replace Parameter Store with AWS Secrets Manager now that it's a thing, mainly because of threshold/rate limits. Not that it helps you directly, but in case someone reads this issue someday :)

the-smooth-operator commented 5 years ago

@gdestuynder thanks for your input. We were also thinking about using AWS Secrets Manager, and most likely we will revisit this in a few months. I'll come back to you for guidance ;)