Secrets Management in a GitOps Era: Or, how to avoid your data becoming ...


Details
Going to transition from Meetup to my own events page. https://www.agilicus.com/events/
Please consider going there and subscribing via RSS or webpush or email.
---
We’ve all been there. We have a thing we did by hand, and it gave us back an API key or a service account.
We have another thing that consumes it. Maybe it's in a CI pipeline. Maybe it's a deploy step.
So we did the natural thing and committed the data to git. A short time later we found our data buckets were public, our nodes were crypto-mining, and our Google Maps API key cost had crossed the price of a bitcoin.
What are (some of) the solutions?
Vault-style technologies (Google Secrets Manager, HashiCorp Vault, etc.)
sops-style solutions (encrypt it and commit it to git)
chatops flows (the system asks for a secret and waits for a human)
panic and despair
In this presentation I will go through how we (Agilicus) use Google Secrets Manager and SOPS with Kustomize, allowing us to have GitOps with security. Use cases include binary signing in The Update Framework, and Kubernetes Secrets.
Come One, Come All
