sa-mw-dach / manuela

MANUfacturing Edge Lightweight Accelerator
Apache License 2.0

As security representative, I want a proper GitOps Secret Management, so I can create & distribute secrets in a secure and reliable fashion. #13

Open pfuetz opened 4 years ago

pfuetz commented 4 years ago

See https://blog.argoproj.io/5-gitops-best-practices-d95cb0cbe9ff Bullet 5

and

https://github.com/kubernetes-sigs/kustomize/blob/fd7a353df6cece4629b8e8ad56b71e30636f38fc/examples/kvSourceGoPlugin.md#secret-values-from-anywhere

wrichter commented 4 years ago

Bitnami Sealed Secrets use public/private key encryption to encrypt secrets so that they can only be decrypted on the target cluster (which has access to the private key). This allows the secrets to be checked into a public repo: https://github.com/bitnami-labs/sealed-secrets
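A model of the public/private key approach described in this comment, as an added example that is not code from the manuela project or from Bitnami. The sealing side holds only the cluster's public key, so the sealed manifest can sit in a public repo; only the holder of the private key (the in-cluster controller) can turn it back into a plain Kubernetes Secret. The hybrid construction (RSA-OAEP wrapping a per-value AES-GCM key, with namespace/name bound in as associated data) follows the pattern Sealed Secrets use, but the blob layout, the `bitnami.com/v1alpha1` manifest fields and the sample names are this example's own assumptions, not the real wire format:

```python
# Added example (not from the manuela project or Bitnami): GitOps secrets via
# public-key sealing. Requires the `cryptography` package.
import base64
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
NONCE_LEN = 12


def generate_cluster_keypair():
    """Done once, inside the target cluster; the private key never leaves it."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def _scope(namespace: str, name: str) -> bytes:
    # Binding namespace/name into the AEAD means a sealed value copied into a
    # different namespace or Secret name will not unseal there.
    return f"{namespace}/{name}".encode()


def seal_value(public_key, namespace: str, name: str, plaintext: bytes) -> str:
    """Workstation side: needs only the public key."""
    dek = AESGCM.generate_key(bit_length=256)      # fresh data key per value
    nonce = os.urandom(NONCE_LEN)
    ciphertext = AESGCM(dek).encrypt(nonce, plaintext, _scope(namespace, name))
    wrapped = public_key.encrypt(dek, OAEP)         # only the private key unwraps
    # assumed blob layout: 2-byte wrapped-key length | wrapped key | nonce | ciphertext
    blob = len(wrapped).to_bytes(2, "big") + wrapped + nonce + ciphertext
    return base64.b64encode(blob).decode()


def unseal_value(private_key, namespace: str, name: str, sealed: str) -> bytes:
    """Cluster side: needs the private key and the original namespace/name."""
    blob = base64.b64decode(sealed)
    wrapped_len = int.from_bytes(blob[:2], "big")
    wrapped = blob[2:2 + wrapped_len]
    nonce = blob[2 + wrapped_len:2 + wrapped_len + NONCE_LEN]
    ciphertext = blob[2 + wrapped_len + NONCE_LEN:]
    dek = private_key.decrypt(wrapped, OAEP)        # ValueError on wrong key
    return AESGCM(dek).decrypt(nonce, ciphertext, _scope(namespace, name))


def seal_secret(public_key, namespace: str, name: str, data: dict) -> dict:
    """What gets committed to Git: a SealedSecret-shaped manifest (assumed fields)."""
    return {
        "apiVersion": "bitnami.com/v1alpha1",
        "kind": "SealedSecret",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"encryptedData": {k: seal_value(public_key, namespace, name, v)
                                   for k, v in data.items()}},
    }


def unseal_secret(private_key, sealed: dict) -> dict:
    """What the in-cluster controller produces once the CR appears: a plain Secret."""
    ns = sealed["metadata"]["namespace"]
    name = sealed["metadata"]["name"]
    data = {k: base64.b64encode(unseal_value(private_key, ns, name, v)).decode()
            for k, v in sealed["spec"]["encryptedData"].items()}
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": name, "namespace": ns}, "data": data}


def can_unseal(private_key, sealed: dict) -> bool:
    """True only for the matching private key and the original namespace/name."""
    try:
        unseal_secret(private_key, sealed)
        return True
    except (ValueError, InvalidTag):
        return False


def demo() -> bytes:
    """Round trip on constructed sample data; returns the recovered plaintext."""
    priv, pub = generate_cluster_keypair()
    sealed = seal_secret(pub, "demo-ns", "mqtt-creds", {"password": b"s3cr3t"})
    plain = unseal_secret(priv, sealed)
    return base64.b64decode(plain["data"]["password"])


if __name__ == "__main__":
    print(demo())
```

Two properties matter operationally and both are checked by `can_unseal`: a second cluster with its own keypair cannot read the committed manifest, and the manifest cannot be moved to another namespace and unsealed there. Key rotation and backup of the controller's private key are the part of this approach the repo does not help with.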

wrichter commented 4 years ago

Overview of GitOps Secrets approaches: https://argoproj.github.io/argo-cd/operator-manual/secret-management/ https://github.com/weaveworks/awesome-gitops#secrets

wrichter commented 4 years ago

There seem to be two generic approaches to how secrets are handled:

1) Using an external key management system (HashiCorp Vault, AWS SecretsManager, ...) and storing a reference to it in Git
2) Encrypting the secrets with a public key, the private key being only available in the target env, and storing the encrypted values in Git (Bitnami SealedSecrets, ...)

For the actual implementation there are again two approaches:

a) Plugin to the templating mechanism which at manifest creation time renders a Kubernetes Secret manifest with the actual key
b) Custom Resources + Operator which causes a Kubernetes Secret to appear once the CR is instantiated in k8s

1a - External KMS + Templating Plugin

1b - External KMS + Operator

2b - Public/Private Key Encrypted Secrets + Operator

Others
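A model of approach 1a from the comment above (external KMS plus templating plugin), as an added example that is not code from the manuela project. Git holds only a reference string; the plugin resolves it at manifest-rendering time, so the plaintext exists only in the rendered output handed to the cluster, never in the repository. The `ref+kms://<path>#<key>` reference syntax, the `InMemoryStore` standing in for Vault or AWS Secrets Manager, and the sample paths are this example's assumptions:

```python
# Added example (not from the manuela project): templating-plugin style
# resolution of KMS references into a Kubernetes Secret at render time.
import base64
import copy
import re
from typing import Mapping, Protocol

# assumed reference syntax stored in Git instead of the secret value
REF_PATTERN = re.compile(r"^ref\+kms://(?P<path>[^#]+)#(?P<key>.+)$")


class SecretStore(Protocol):
    def read(self, path: str) -> Mapping[str, str]: ...


class InMemoryStore:
    """Constructed stand-in for an external KMS; a real plugin would call Vault/ASM here."""
    def __init__(self, entries: Mapping[str, Mapping[str, str]]):
        self._entries = dict(entries)

    def read(self, path: str) -> Mapping[str, str]:
        if path not in self._entries:
            raise KeyError(f"no secret at {path}")
        return self._entries[path]


class UnresolvedReference(Exception):
    """Raised when a reference cannot be resolved; the render must fail closed."""


def lint_repo_manifest(manifest: dict) -> list:
    """Keys whose stringData value is a literal rather than a reference.

    A literal here would be plaintext committed to Git, which is exactly what
    approach 1 is meant to avoid; run this as a pre-commit / CI check."""
    return [k for k, v in manifest.get("stringData", {}).items()
            if not REF_PATTERN.match(v)]


def render_secret(manifest: dict, store: SecretStore) -> dict:
    """Plugin step: turn a Secret template with references into a real Secret.

    Fails closed: an unresolvable reference aborts the render instead of
    emitting the reference string or an empty value as the secret."""
    if manifest.get("kind") != "Secret":
        raise ValueError("render_secret expects a Secret manifest")
    rendered = copy.deepcopy(manifest)
    resolved = {}
    for key, value in rendered.pop("stringData", {}).items():
        m = REF_PATTERN.match(value)
        if m is None:
            resolved[key] = value           # literal; lint_repo_manifest flags these
            continue
        try:
            resolved[key] = store.read(m["path"])[m["key"]]
        except KeyError as exc:
            raise UnresolvedReference(f"{key}: {value}") from exc
    # emit the base64 `data` form the API server expects; never write this back to Git
    rendered["data"] = {k: base64.b64encode(v.encode()).decode()
                        for k, v in resolved.items()}
    return rendered


if __name__ == "__main__":
    # constructed sample: what the repo contains, and what the store holds
    template = {"apiVersion": "v1", "kind": "Secret",
                "metadata": {"name": "mqtt-creds"},
                "stringData": {"password": "ref+kms://apps/mqtt#password",
                               "username": "ref+kms://apps/mqtt#username"}}
    store = InMemoryStore({"apps/mqtt": {"username": "sensor", "password": "s3cr3t"}})
    print(lint_repo_manifest(template), render_secret(template, store))
```

The trade-off against approach 2 is visible in the code: the rendering component needs network access and credentials for the KMS at sync time, so its identity (and the audit trail of its reads) becomes the thing to protect, whereas with sealed secrets the only runtime dependency is the controller's private key.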