Alex Soto
Securing Secrets in the GitOps era
#1about 6 minutes
Defining secrets and the layers of security
Secrets are defined using analogies from music to illustrate that security is built in layers, like an onion, with no single silver bullet solution.
#2about 8 minutes
How GitOps streamlines the application delivery process
GitOps is presented as a DevOps methodology where Git serves as the single source of truth for both application code and infrastructure configuration.
#3about 4 minutes
The risk of exposing credentials in Git repositories
A live demo with Argo CD highlights the common mistake of committing plain text credentials and explains why Kubernetes' base64 encoding is not a secure solution.
#4about 8 minutes
Using Sealed Secrets to safely store secrets in Git
The Sealed Secrets project provides a way to encrypt Kubernetes secret manifests before committing them to a public or private Git repository using a public/private key pair.
#5about 6 minutes
The vulnerability of unencrypted secrets within etcd
Even with Sealed Secrets, decrypted secrets are stored in plain text in etcd, creating a vulnerability that can be addressed with Kubernetes' encryption-at-rest feature.
#6about 5 minutes
Integrating an external KMS for robust etcd encryption
To improve on native encryption-at-rest, a Key Management System (KMS) plugin offloads encryption to an external service like HashiCorp Vault, separating keys from the cluster.
#7about 11 minutes
Eliminating secret exposure with direct memory injection
The most secure approach involves applications fetching secrets directly from a secret store like Vault at runtime, holding them only in memory to avoid exposure via files or environment variables.
#8about 11 minutes
Resources and Q&A on modern secrets management
Recommended books are shared, followed by a Q&A covering DevSecOps culture, centralized vs. distributed secrets, and local development workflows.
Related jobs
Jobs that call for the skills explored in this talk.
Team Lead DevOps (m/w/d)
Rhein-Main-Verkehrsverbund Servicegesellschaft mbH
Frankfurt am Main, Germany
Senior
Matching moments
40:22 MIN
Q&A on GitOps secret management practices
Securing secrets in the GitOps Era
12:32 MIN
Encrypting secrets in Git with Sealed Secrets
Securing secrets in the GitOps Era
42:23 MIN
Q&A: GitOps, CI tools, and security management
GitOps: The past, present and future
07:34 MIN
The security risk of storing secrets in Git
Securing secrets in the GitOps Era
41:45 MIN
Key takeaways for securing your application pipeline
Securing Your Web Application Pipeline From Intruders
30:56 MIN
Securing workflows with secrets and best practices
CI/CD with Github Actions
00:19 MIN
Introduction to GitOps and the talk agenda
Get ready for operations by pull requests
38:03 MIN
Integrating external secret managers into Kubernetes
Securing secrets in the GitOps Era
Featured Partners
Related Videos
58:52Securing secrets in the GitOps Era
Davide Imola
36:33Best Practices for Using GitHub Secrets
Marcel Lupo
56:06Stop Committing Your Secrets - GIt Hooks To The Rescue!
Dwayne McDaniel
30:07External Secrets Operator: the secrets management toolbox for self-sufficient teams
Moritz Johner
33:20DevSecOps: Security in DevOps
Aarno Aukia
29:50Real-World Security for Busy Developers
Kevin Lewis
50:02Get ready for operations by pull requests
Liviu Costea
45:58A Practitioners Guide to GitOps - Introduction, Principles and Implementation
Thomas Schütz
From learning to earning
Jobs that call for the skills explored in this talk.
DevOps Engineer – Kubernetes & Cloud (m/w/d)
epostbox epb GmbH
Berlin, Germany
Intermediate
Senior
DevOps
Kubernetes
Cloud (AWS/Google/Azure)
Implementing DevOps Solutions and Practices using Cisco Platforms Schulung (DEVOPS)
Incas Gmbh
GIT
Bash
Linux
DevOps
Python
+3