Alex Soto

Securing Secrets in the GitOps era

Your Kubernetes secrets are just base64 encoded, not encrypted. Learn a multi-layered strategy to truly secure them in a GitOps workflow.

Securing Secrets in the GitOps era
#1about 6 minutes

Defining secrets and the layers of security

Secrets are defined using analogies from music to illustrate that security is built in layers, like an onion, with no single silver bullet solution.

#2about 8 minutes

How GitOps streamlines the application delivery process

GitOps is presented as a DevOps methodology where Git serves as the single source of truth for both application code and infrastructure configuration.

#3about 4 minutes

The risk of exposing credentials in Git repositories

A live demo with Argo CD highlights the common mistake of committing plain text credentials and explains why Kubernetes' base64 encoding is not a secure solution.

#4about 8 minutes

Using Sealed Secrets to safely store secrets in Git

The Sealed Secrets project provides a way to encrypt Kubernetes secret manifests before committing them to a public or private Git repository using a public/private key pair.

#5about 6 minutes

The vulnerability of unencrypted secrets within etcd

Even with Sealed Secrets, decrypted secrets are stored in plain text in etcd, creating a vulnerability that can be addressed with Kubernetes' encryption-at-rest feature.

#6about 5 minutes

Integrating an external KMS for robust etcd encryption

To improve on native encryption-at-rest, a Key Management System (KMS) plugin offloads encryption to an external service like HashiCorp Vault, separating keys from the cluster.

#7about 11 minutes

Eliminating secret exposure with direct memory injection

The most secure approach involves applications fetching secrets directly from a secret store like Vault at runtime, holding them only in memory to avoid exposure via files or environment variables.

#8about 11 minutes

Resources and Q&A on modern secrets management

Recommended books are shared, followed by a Q&A covering DevSecOps culture, centralized vs. distributed secrets, and local development workflows.

Related jobs
Jobs that call for the skills explored in this talk.

test

Milly
Vienna, Austria

Intermediate

test

Milly
Vienna, Austria

Intermediate

Matching moments

Encrypting secrets in Git with Sealed Secrets
12:32 MIN

Encrypting secrets in Git with Sealed Secrets

Securing secrets in the GitOps Era

Q&A on GitOps secret management practices
40:22 MIN

Q&A on GitOps secret management practices

Securing secrets in the GitOps Era

The security risk of storing secrets in Git
07:34 MIN

The security risk of storing secrets in Git

Securing secrets in the GitOps Era

Q&A: GitOps, CI tools, and security management
42:23 MIN

Q&A: GitOps, CI tools, and security management

GitOps: The past, present and future

Key takeaways for securing your application pipeline
41:45 MIN

Key takeaways for securing your application pipeline

Securing Your Web Application Pipeline From Intruders

Securely handing over credentials and application secrets
28:35 MIN

Securely handing over credentials and application secrets

SRE Methods In an Agency Environment

Understanding the fundamentals of GitHub Secrets
00:35 MIN

Understanding the fundamentals of GitHub Secrets

Best Practices for Using GitHub Secrets

Securing workflows with secrets and best practices
30:56 MIN

Securing workflows with secrets and best practices

CI/CD with Github Actions

Featured Partners

Related Videos

See all videos
Securing secrets in the GitOps Era58:52

Securing secrets in the GitOps Era

Davide Imola

Best Practices for Using GitHub Secrets36:33

Best Practices for Using GitHub Secrets

Marcel Lupo

External Secrets Operator: the secrets management toolbox for self-sufficient teams30:07

External Secrets Operator: the secrets management toolbox for self-sufficient teams

Moritz Johner

Stop Committing Your Secrets - GIt Hooks To The Rescue!56:06

Stop Committing Your Secrets - GIt Hooks To The Rescue!

Dwayne McDaniel

DevSecOps: Security in DevOps33:20

DevSecOps: Security in DevOps

Aarno Aukia

Real-World Security for Busy Developers29:50

Real-World Security for Busy Developers

Kevin Lewis

Get ready for operations by pull requests50:02

Get ready for operations by pull requests

Liviu Costea

Enabling automated 1-click customer deployments with built-in quality and security44:40

Enabling automated 1-click customer deployments with built-in quality and security

Christoph Ruggenthaler

Related Articles

View all articles
CH
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
CH
Chris Heilmann
Dev Digest 129 - Now that's what I call private data!
News and ArticlesAfter declaring Google a monopoly there are now considerations to force it to break up - isn't that what the whole Alphabet thing was about? In the last act of Crowdstrike coverage here, they released a deep analysis of the outage th...
Dev Digest 129 - Now that's what I call private data!
CH
Chris Heilmann
Dev Digest 134 - Where pixels sing?
News and ArticlesWeAreDevelopers LIVE Data and Security Day is on Wednesday, 25/09/2024. Learn about OPC UA Updates, Best Practices for Using GitHub Secrets, Passwordless Web 1.5, Emerging AI Security Risks, Data Privacy in LLMs and get a chance to t...
Dev Digest 134 - Where pixels sing?

From learning to earning

Jobs that call for the skills explored in this talk.

DevSecOps

DevSecOps

Devsecops

40-60K
DevOps
Docker
Jenkins
Openshift
+3