Evaluate godaddy/kubernetes-external-secrets

glogiotatidis commented 4 years ago

Installed godaddy/kubernetes-external-secrets with helm in frankfurt eks

$  kubectl create namespace kubernetes-external-secrets
$ helm repo add external-secrets https://godaddy.github.io/kubernetes-external-secrets/
$ helm install kubernetes-external-secrets external-secrets/kubernetes-external-secrets -n "kubernetes-external-secrets"

Created a JSON secret to hold all app secrets

$ aws secretsmanager  create-secret --region us-west-2 --name mozmeao/apps/shynet/password   --secret-string '{"django_secret_key": XXXXX}'

Manually added inline policy for frankfurt nodes to access secrets to IAM Role that ends with 2200000007 /cc @duallain could you please confirm that this is OK to have and code the policy in TF?

Notes:

kubernetes-external-secrets helm chart points to us-west-2 secrets manager by default
we can configure the polling interval of secrets to reduce the cost (by default set to 10sec)

Eval:

It's easy to create secrets on AWS Secrets Manager via CLI or WebConsole
Using external secrets is similar to the k8s build-in secrets. The real question is if we prefer to have secrets to another place / service OR along with the code by using sealed secrets. I think I prefer using Secrets manager (1) to keep all secrets in one place (2) is safer to not expose our secrets in public repos although sealed and ideally we would go away from the current *-config pattern with the private repos.
I prefer having one JSON entry for all app secrets, like the one I created
We can store all secrets in one region and use different keys for secrets that vary on region (e.g. database_url). This way we will avoid secret duplication between two regions.

glogiotatidis commented 4 years ago

Adding a reminder to tear everything down in a month if this doesn't fly.

/remind me in a month

reminders[bot] commented 4 years ago

@glogiotatidis set a reminder for Aug 31st 2020

reminders[bot] commented 4 years ago

:wave: @glogiotatidis,

glogiotatidis commented 3 years ago

We now use external secrets with AWS Secret Manager backend

mozmeao / infra

Evaluate godaddy/kubernetes-external-secrets #1343