
Secret manager #17

@dbones

Description


Secrets need to support

  • control cluster
  • downstream clusters
  • key encryption rotation
  • value needs to be backed-up or stored for DR
  • value can be rotated in 2 ways: 1) change the value, 2) create a second copy for rotation

Quick notes

secrets need to be stored in K8s (how the applications and logic access their secrets)

  • K8s Secret - good RBAC, poor out-of-the-box encryption (can be set up though) - everything supports this
  • Side Car - pulls from a KMS on the fly, input into an in-memory volume (super secure, apps need to be aware of rotation)
  • CSI - treats the KMS as a memory volume

ways to handle secrets

  • Vault / KMS - another component to manage, but does all the super hard stuff for you (CSI or Side Car)
  • Sealed Secrets / Git secrets - not as secure, as the secret will ultimately be stored as a K8s Secret, but pretty solid, real challenge is multi-cluster

design ideas

  • the Rotation should be handled by the modules that use them
  • secrets should be declared as a desired state, i.e. I want a secret which is 30 chars with nums and special chars (this will be used to create a secret by convention)

consider Hashi Vault + the library below
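An added example, not code from the issue or the project, of the two design ideas above: a declared desired state ("30 chars with nums and special chars") turned into a generated value by convention, rendered as a K8s Secret, and rotated by keeping a second copy. `SecretSpec`, the key names `current`/`previous` and the special-character set are assumptions.

```python
import base64
import secrets
import string
from dataclasses import dataclass

SPECIAL = "!@#$%^&*()-_=+[]{}:,.?"  # assumed special-character set

@dataclass(frozen=True)
class SecretSpec:  # desired-state declaration for a secret (hypothetical format)
    name: str
    namespace: str
    length: int = 30
    digits: bool = True
    special: bool = True

def generate_value(spec):
    """CSPRNG value that satisfies the declared policy by construction:
    one char from each required class first, then fill and shuffle."""
    classes = [string.ascii_letters]
    if spec.digits:
        classes.append(string.digits)
    if spec.special:
        classes.append(SPECIAL)
    if spec.length < len(classes):
        raise ValueError("length too short for the required character classes")
    chars = [secrets.choice(c) for c in classes]
    pool = "".join(classes)
    chars += [secrets.choice(pool) for _ in range(spec.length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):  # Fisher-Yates with the CSPRNG
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)

def _b64(s):
    return base64.b64encode(s.encode()).decode()

def build_secret(spec, current, previous=None):
    """Kubernetes Secret manifest; during rotation the old value is kept under
    "previous" (the second copy) so consumers can cut over before it is retired."""
    data = {"current": _b64(current)}
    if previous is not None:
        data["previous"] = _b64(previous)
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": spec.name, "namespace": spec.namespace},
            "data": data}

def rotate(manifest, spec):
    """Rotation option 2: new value becomes current, old current becomes previous."""
    old = base64.b64decode(manifest["data"]["current"]).decode()
    return build_secret(spec, generate_value(spec), previous=old)
```

The rendered manifest still lands in etcd as a plain K8s Secret, so the encryption-at-rest and RBAC points listed above apply unchanged.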

