7 Secrets


This chapter covers

  • Kubernetes Secrets
  • GitOps strategies for managing Secrets
  • Tooling for managing Secrets

Kubernetes provides a mechanism that lets users store small pieces of sensitive information in a protected resource object called a Secret. A Secret holds anything you want to tightly control access to. Common examples of data you would store in a Secret include username and password credentials, API keys, SSH keys, and TLS certificates. In this chapter, you will learn about different Secret management strategies for a GitOps system. You will also get a brief introduction to several tools that can be used for storing and managing Secrets.

We recommend you read chapters 1 and 2 before reading this chapter.

7.1 Kubernetes Secrets

A simple Kubernetes Secret is a data structure composed of three pieces of information:

  • The name of the Secret
  • The type of the Secret (optional)
  • A map of field names to sensitive data, encoded in Base64

A basic Secret looks like the following.

Listing 7.1 example-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: login-credentials
type: Opaque                  # Opaque: arbitrary, user-defined key/value data
data:
  username: YWRtaW4=          # Base64 of "admin"
  password: UEA1NXcwcmQ=      # Base64 of "P@55w0rd"
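
As an added example that is not from the book, the following Python helper builds a Secret manifest in the shape of listing 7.1 from plaintext values and decodes one back. The function names, the key-name check and the sample data are my own; the decode step makes the point that the data map is Base64 encoding, which anyone who can read the manifest can reverse, not encryption.

```python
import base64
import re

# Kubernetes requires data keys to consist of alphanumerics, '-', '_' or '.'.
KEY_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def encode_secret_data(fields: dict[str, str]) -> dict[str, str]:
    """Base64-encode plaintext values the way the Secret 'data' map expects."""
    encoded = {}
    for key, value in fields.items():
        if not KEY_RE.match(key):
            raise ValueError(f"invalid Secret data key: {key!r}")
        encoded[key] = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return encoded


def decode_secret_data(data: dict[str, str]) -> dict[str, str]:
    """Reverse the encoding; strict validation rejects malformed Base64."""
    return {
        key: base64.b64decode(value, validate=True).decode("utf-8")
        for key, value in data.items()
    }


def build_secret(name: str, fields: dict[str, str], secret_type: str = "Opaque") -> dict:
    """Assemble the three pieces of a Secret: name, type and encoded data map."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": secret_type,
        "data": encode_secret_data(fields),
    }


def render_yaml(secret: dict) -> str:
    """Minimal renderer for this flat manifest shape (avoids a PyYAML dependency)."""
    lines = [
        f"apiVersion: {secret['apiVersion']}",
        f"kind: {secret['kind']}",
        "metadata:",
        f"  name: {secret['metadata']['name']}",
        f"type: {secret['type']}",
        "data:",
    ]
    lines += [f"  {key}: {value}" for key, value in secret["data"].items()]
    return "\n".join(lines) + "\n"


# Constructed sample: the same encoded values that appear in listing 7.1.
LISTING_7_1_DATA = {"username": "YWRtaW4=", "password": "UEA1NXcwcmQ="}

if __name__ == "__main__":
    print(render_yaml(build_secret("login-credentials", {"username": "admin", "password": "P@55w0rd"})))
    print(decode_secret_data(LISTING_7_1_DATA))
```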

7.1.1 Why use Secrets?

7.1.2 How to use Secrets

7.2 GitOps and Secrets

7.2.1 No encryption

7.2.2 Distributed Git repos

7.2.3 No granular (file-level) access control

7.2.4 Insecure storage

7.2.5 Full commit history

7.3 Secrets management strategies

7.3.1 Storing Secrets in Git

7.3.2 Baking Secrets into the container image
