7 Secrets


This chapter covers:

  • Kubernetes Secrets
  • GitOps strategies for managing secrets
  • Tooling for managing Secrets

Kubernetes provides a mechanism allowing users to store small bits of sensitive information in a protected resource object, called a Secret. A Secret is anything that you want to tightly control access to. Common examples of data which you would want to store in a Secret include username and password credentials, API keys, SSH keys, and TLS certificates. In this chapter you will learn about different Secret management strategies when using a GitOps system. You will also get a brief introduction to several different tools that can be used for storing and managing secrets.

We recommend you read chapters 1 and 2 before reading this chapter.

7.1   Kubernetes Secrets

A basic Kubernetes Secret is a simple data structure composed of three pieces of information:

  • The name of the Secret
  • The type of the secret (optional)
  • A map of field names to sensitive data, encoded in base64

A very basic secret looks like the following:

Listing 7.1 example-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: login-credentials
type: Opaque                   #A
data:
  username: YWRtaW4=           #B
  password: UEA1NXcwcmQ=       #C

#A Type of the secret - used to facilitate programmatic handling of secret data

#B The string “admin” base64 encoded

#C The string “P@55w0rd” base64 encoded
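The following script is an added example, not code from the book: it assembles a manifest in the shape of Listing 7.1 from plaintext values and then reads the plaintext back out. The field values and the helper names (build_secret, read_secret, to_yaml) are assumptions made for this illustration. The point it makes is that base64 is an encoding, not encryption: anyone who can read the Secret object, or the file it lives in, recovers the data with no key at all.

```python
import base64

# Constructed sample values: the same credentials Listing 7.1 encodes.
PLAINTEXT_FIELDS = {"username": "admin", "password": "P@55w0rd"}


def encode_field(value: str) -> str:
    """base64-encode one field the way a Secret's data map expects."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def decode_field(encoded: str) -> str:
    """Reverse the encoding; no key or secret is needed to do this."""
    return base64.b64decode(encoded, validate=True).decode("utf-8")


def build_secret(name: str, fields: dict, secret_type: str = "Opaque") -> dict:
    """Assemble a Secret manifest (as a dict) with every field base64-encoded."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": secret_type,
        "data": {k: encode_field(v) for k, v in fields.items()},
    }


def read_secret(manifest: dict) -> dict:
    """Recover the plaintext from a Secret manifest's data map."""
    return {k: decode_field(v) for k, v in manifest.get("data", {}).items()}


def to_yaml(manifest: dict) -> str:
    """Minimal YAML rendering for a two-level manifest (avoids a PyYAML dependency)."""
    lines = []
    for key, value in manifest.items():
        if isinstance(value, dict):
            lines.append(f"{key}:")
            for k, v in value.items():
                lines.append(f"  {k}: {v}")
        else:
            lines.append(f"{key}: {value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    manifest = build_secret("login-credentials", PLAINTEXT_FIELDS)
    print(to_yaml(manifest))
    # Whoever can read the manifest (from the API server, etcd, or a git
    # repository) gets the original values back: base64 hides nothing.
    print(read_secret(manifest))
```

Running the script prints a manifest equivalent to Listing 7.1 followed by the decoded credentials. This is why the strategies later in the chapter matter: the encoding in the Secret itself provides no confidentiality, so protection has to come from where and how the Secret is stored.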

7.2   GitOps and Secrets

7.3   Secret Management Strategies

7.3.1   Store Secrets in Git

7.3.2   Bake Secrets into the Container Image

7.3.3   Out-of-Band Management

7.3.4   External Secret Management Systems

7.3.5   Encrypting Secrets in Git

7.3.6   Comparison of Strategies

7.4   Tooling

7.4.1   Hashicorp Vault

7.4.2   Vault Agent Sidecar Injector

7.4.3   Sealed Secrets

7.4.4   Kustomize Secret Generator Plugin

7.5   Summary