Secrets Management

Topic Objectives

In this topic we will discuss:

  • Secrets and GitOps

    • Understand the challenges around secret material and GitOps

    • Understand the tradeoffs between encrypted secrets vs. references to secrets

  • Vault and External Secrets Operator

    • Get a high level picture of HashiCorp Vault and the External Secrets Operator

  • Secrets Loading

    • How secrets are loaded out of band into the Vault

Secrets Management vs. GitOps

  • GitOps’ entire premise is to use Git as the source of truth for infrastructure and application configuration

  • Automation is in place (ArgoCD) to translate Git’s source of truth into infrastructure and applications inside OpenShift

  • Storing confidential data (passwords, private keys, secrets, authentication tokens, …) in Git is fundamentally a security vulnerability and should be avoided (even if the Git repository is private and access control is in place)

  • Once confidential data is out in clear-text (or in some reversible form), it has to be considered compromised

Approaches

  • There are two fundamental approaches to manage secret material within a GitOps context:

    • Encrypted Secrets stored inside Git repositories

    • References to Secrets stored inside Git repositories, while the actual secret is stored somewhere else
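As an added illustration of the second approach (not part of the original material), the two manifests below are what would be committed to Git: a SecretStore that tells the External Secrets Operator how to reach Vault, and an ExternalSecret that names the Vault path to read. Namespace, store name, Vault address, role and secret path are assumed placeholder values; the manifests contain no secret material themselves, the operator creates the Kubernetes Secret in-cluster.

```yaml
# Committed to Git: connection and auth details only, no secret values.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend          # assumed name
  namespace: my-app            # assumed namespace
spec:
  provider:
    vault:
      server: "https://vault.example.com:8200"   # assumed Vault address
      path: "secret"           # KV mount to read from
      version: "v2"            # KV v2 engine
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "my-app"       # Vault role bound to the service account below
          serviceAccountRef:
            name: "external-secrets-sa"
---
# Committed to Git: a reference, not the password itself.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
  namespace: my-app
spec:
  refreshInterval: 1h          # re-sync from Vault so rotations propagate
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: db-credentials       # Kubernetes Secret the operator will create
    creationPolicy: Owner
  data:
    - secretKey: password      # key inside the generated Secret
      remoteRef:
        key: my-app/db         # Vault path (secret/data/my-app/db in KV v2)
        property: password     # field inside that Vault entry
```

Because neither document carries confidential data, both can live next to the application's other manifests in Git; the Vault policy attached to the role, not the repository, decides which paths the cluster may read.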

Encrypted Secrets

Projects in this category provide a way to encrypt secrets before they are committed and to decrypt them at deployment time, so that only authorized users and the cluster can read them. The encryption method and the management of the decryption keys must be chosen carefully, since the security of the stored secrets depends entirely on them.

You should evaluate and choose the right project that fits your specific use case and requirements.

References to Secrets

This approach requires two main parts: