You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/learn/getting-started-secret-management.adoc
+63-28Lines changed: 63 additions & 28 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,53 +18,88 @@ Secrets refer to any piece of sensitive information that should not be exposed p
18
18
19
19
A simple way to think of secrets is as anything that security teams or responsible system administrators would ensure stays protected and not published in a public space.
20
20
21
-
== Characteristics and Importance
22
21
Secrets are crucial for the functioning of applications for example database passwords or cache keys. Without access to these secrets, applications may fail or operate in a significantly impaired manner.
23
22
24
23
Secrets often vary between different deployments of the same application for example separate load balancer certificates for different instances. Using the same secret across multiple deployments is generally discouraged as it increases the risk of exposure
25
24
26
25
Applications often need secrets to run correctly, making them indispensable. Removing or mishandling secrets can disrupt operations.
27
26
28
-
== Security and Management Concerns
29
-
Directly storing secrets in Git repositories is problematic as this can lead to accidental exposure. Secrets should be managed securely and kept out of source control systems.
30
-
Secrets can come in many formats and may have various naming conventions (e.g., usernames and passwords might have different labels). Applications can have strict or specific requirements for how secrets are presented, necessitating flexibility in their management.
27
+
== How Validated Patterns implements secrets management
31
28
32
-
== Challenges in Handling Secrets
33
-
Secrets must be handled carefully to prevent exposure, especially in a GitOps framework where the desired state is stored as code. While storing non-sensitive information (e.g., container images, version numbers) in a Git repository is safe, secrets require additional security measures.
34
-
Administrators must ensure that different secret formats are managed properly and can be adapted to meet the specific needs of various applications.
29
+
Validated Patterns supports the tokenization approach for secret management. Tokenization involves keeping actual secret values out of version control (for example git) by using tokens or references that can pull secrets from secure storage during runtime. The real secrets are pulled from an external storage system at runtime.
35
30
36
-
== Configuring secrets
31
+
This approach requires integration with external secret management systems some examples of which are HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and CyberArk's Conjur.
37
32
38
-
Multicloud GitOps is a foundational pattern that demonstrates GitOps principles for managing applications across multiple clusters. It provides:
33
+
The External Secrets Operator (ESO) is integral to the validated patterns framework, enabling secure secret management by fetching secrets from various secret stores and projecting them into Kubernetes namespaces. ESO supports integration with providers such as HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP, IBM Secrets Manager, and others.
39
34
40
-
* A GitOps framework using ArgoCD
41
-
* Infrastructure-as-Code practices
42
-
* Multi-cluster management capabilities
43
-
* Template for secure secret management
35
+
ESO
44
36
45
-
The Multicloud GitOps pattern is recommended as your first pattern because:
46
-
47
-
. It establishes core GitOps practices
48
-
. Provides a minimal but complete implementation
49
-
. Serves as a foundation for other patterns
50
-
. Demonstrates key validated patterns concepts
37
+
* Supports a range of secret providers, ensuring no vendor lock-in.
38
+
* Keeps secrets out of version-controlled repositories, using token references in Git instead.
39
+
* Allows teams to manage secrets securely while maintaining efficient Git workflows.
51
40
52
41
[NOTE]
53
42
====
54
-
Other patterns build upon these concepts, making this an ideal starting point for your validated patterns journey.
43
+
As of December 12, 2023, ESO is not officially supported by Red Hat as a product.
55
44
====
56
45
57
-
== Deploying the Multicloud GitOps pattern
46
+
ESO's custom file format and utilities streamlines secret management by allowing file references and supporting encrypted secret storage. The design prioritizes security through multi-layer encryption and simplifies key management. In particular the ini key type is especially helpful for handling AWS credentials, where mismanagement could lead to unauthorized use and potential financial or operational issues.
47
+
48
+
Validated Patterns primary backend secret store is HashiCorp Vault It acts as a centralized service for securely managing secrets, such as passwords, API keys, and certificates.
49
+
50
+
Unlike other secret management systems tied to specific cloud providers for example AWS Secrets Manager or Azure Key Vault, Vault can be deployed across different clouds, on bare-metal systems, and in hybrid environments. This cross-platform support made it a popular and practical choice for maintaining a consistent secrets management strategy.
58
51
52
+
== Configuring Secrets
59
53
54
+
Secret management in validated patterns follows GitOps best practices while maintaining security. Here's how to configure your secrets:
0 commit comments