Manage Kubernetes Secrets With External Secrets Operator (ESO)

Banzai vault injector

@@oftheriverinthenight I haven't tried it yet. It seems similar to Secrets Store CSI (but limited to Vault). Do you recommend it?

you also may want to use stakater/reloader to rollout restart your apps so they start using the new secret
also, keep an eye to your cloud secrets manager bill as the constant monitor will start adding costs

ArgoCD + Argo Vault Plug-in to external Vault Cluster

@@DevOpsToolkit It depends on the situation, in my curret status (migrate old apps), our first step was to put config in env vars and with Banzai Injector is pretty easy to put in vault an env var inside a gitops repo with this kind of content: ENVAR: "vault:mystorage/myteam/myitem#mykey", you can aso create secrets with another syntax ENVAR: ">>vault:mystorate/myteam/myitemykey". And can also inject iit in the middle of an envar or configmap. But External Secret Operator did not exist when I began migration so at the moment I could not evaluate what's the best solution. For sure I will try External Secret Operator when I have time.

Looking forward to it!!

Have a look over Reloader by stakater :)

@@knelasevero Interesting, thanks!

@mtik000 Using Hashicorp Vault Injector the secrets can be updated dynamically without requiring the pod to be restarted. It monitors the Vault secret for changes and injects the new one into a specific path in the pod (templates are also supported). Works great for me.
I have also tested Secret CSI and worked in the same as Vault Injector (injecting the secret into the POD), but give also the option to create secrets resources inside K8S. But I missed the template option which is a very handy feature (maybe it does and I overlooked).

@@hutgerhauer The part I'm talking about, though, is about getting the application running inside the pod to use the new secret. Our apps generally only load the secrets on startup. I prefer not to have the secret placed anywhere on the pod itself (or in a k8s secret). The applications themselves authenticate with the Vault server using the `jwt` mounted to the pod, then read whatever secrets they need directly from Vault. I think it either scenario (yours or mine), the application needs to understand the secret has changed.

@@mtik000 got you. Well, if the application is not able to pick the newly injected secret without restarting, there's no point on using solutions such as Vault Injector or Secrets CSI. In my case, the apps do... they are able to detect a config file change and reload the settings.

Thanks for the recommendation. I'll check out Doppler ASAP.
1. You are right on this one, but many other resources are violating that. A reference to an image in, let's say, a Deployment. Even sealed secrets are violating that (in a way). The secret itself is not stored in Git but generated inside the cluster (by encrypting the value from the SealedSecret manifest). To be clear, I agree with you and, personally, I prefer SealedSecrets. They are more GitOps-friendly, but they also come with their own set of issues.
2. I think that's the nature of Kubernetes. We tend to create higher-level resources that a controlling the "real" ones. We create a Deployment that creates ReplicaSets, that create Pods, that manage containers. Similarly, Ingress is managing external load balancers while Crossplane or ClusterAPI are managing all sorts of external resources. We rarely manage "stuff" directly but through controllers that are in charge of managing the actual resources (often indirectly).
3. I think that SealedSecrets are not much different. Both are creating "other" resources that eventually create Kubernetes secrets. The major difference is that one (SealedSecrets) is decrypting secrets inside the cluster while the other (External Secrets) is pulling them from somewhere else (just as containers are pulling container images). In both cases, we cannot know what the secret is by inspecting the manifest. Now, if you're referring to individual fields of a secret, they can be specified with External Secrets as well. I just used a shorter version saying "give me everything because I stored everything as one big secret in GCP".

Hey B K! Vault Policy Roles with Secret Store CSI driver are great indeed. However, ESO supports this approach ever since version 0.1 (since the beginning ). You can create multiple SecretStores, each of them bound to a given role. I would like to invite you to please look for multitenancy setups on External Secrets Operator docs (I cant point you there since youtube will delete the comment).

Actually, crossplane is one of the reasons I explored external secrets. I need something to pull secrets into my clusters so that crossplane can use them but also something to push secrets generated by crossplane into my secret store. That's why I mentioned "secrets push" as the only missing feature. Once that is available, the secrets generated with crossplane will be available wherever I need them.

​@@DevOpsToolkit I'm very curious about how you combined Crossplane with External-secrets.
I generate kubernetes clusters with Crossplane and get the kubeconfig for them in crossplane-system namespace.
I tried with Sealed Secrets but passing the private certificate to decrypt secrets around different clusters is a pain.
The feature to push secrets is now available with External Secrets, so what would the approach be?
Just using a kubernetes provider and push the secret from the management cluster into the created clusters?

@@IvanRizzante Getting secrets into k8s is easy. Pushing them from k8s to a secret store is a challenge. A while ago, I was urging ESO community to add "push" feature to the project and they did that. However, I did not yet have enough time to dive into it.

I haven't tried it yet. In general, I do not think that projects like Argo should be concerned with secrets. We already have solutions that manage them well and I'm sceptical whether side projects like that can out as much attention to it as those fully focused on secrets like external secrets, sealed secrets, and others. Nevertheless, let me check it out before saying anything about it.

I do not think there is anything better than ESO right now. The only alternative that i am aware of is SealedSecrets and SSCSID. SealedSecrets does not work with secret stores like vault and i am not sure that SSCSID direction is a good one for all use cases. If you know of any other solution, i would be very happy to give it a spin.

@@DevOpsToolkit thanks for the input! I really like ESO, it rather is Vault that gets on my nerves.
If I find out about something else, I will let you know but I guess you will be the first one to know, anyway 😄

I just realized that you asked about secret stores and not secret managers. So, my previous answer must have been confusing.
For secret stored, Vault and those provided by hyperscalers are the only ones i see being widely used and I haven't seen any challenger on the horizon 😔

I like using Rancher to get an overview and use labels as well as annotations (plus Rancher projects that group namespaces) for organization.

My answer will be biased... I tend to use crossplane which, through compositions, gives me different ways to groups resources and expose them through CLI/UI.

Yeah. That was the feature I missed the most.

I already have as csi on my TODO list... :)

Adding it to my TODO list... :)
As a side note, I think we had someone from Doppler on www.devopsparadox.com

The major difference is that it does not create kubernetes secrets but mounts volumes which should be more secure (kubernetes secrets are very insecure). On the other hand, that is not a common approach in kubernetes and might cause issues with third party tools.

Thanks a ton.

I used it mostly with Google servers and a bit with aws secrets manager so i don't hwveuch experience with it combined with vault 😔

When you rotate keys, you still need to keep the old key operational for a while. Otherwise, no solution would work. For example, let's say that you have authentication to a db and you rotate it. If that would mean that from there on only the new auth works, all currently established connections would fail.

I've been overlaying resources rather than values. It might be possible to overlay values as well, but I haven't tried that option, mostly because I believe that overlaying resources is closer to the "Kustomize spirit".

@@DevOpsToolkit thank you for the content and explanation Victor. Could you make a video for this specific scenario of "secrets rotation + keeping the old value" to avoid donwtime until the app gets the new value? And also when we have N replicas of the pod using that secret.

@thiagoscodeler5152 adding it to my to-do list...

As far as I know, it cannot use wildcards. You need to be specific which secrets you want.

@@DevOpsToolkit Right, that's what I thought. What I'm focusing on right now is app configuration, which needs about 10 or so values, some of which are sensitive, some not. They all have good defaults, so if you don't give a value, the app uses the default. So what I'm thinking is I only need one secret in Kubernetes ... the connection string that gets them to Hashicorp Vault, Azure Key Vault, AWS Secrets Manager, etc. All other config settings go in the external vault. That way they can change config values after-the-fact and they don't need to keep going back to their Helm charts or K8s manifests. It would be a real hassle for the user to need to keep going back to k8s just to change one simple config value.
So if I only need to store one secret, then external-secrets isn't that much value. Sounds like more trouble than it is worth.

In case of External Secrets, the complexity is in managing secrets in an external store (e.g., HashiCorp vault) as well as maintenance of the store itself (if it's not SaaS). If we ignore that, External Secrets are pretty easy and straightforward. SealedSecrets is easy as well and there's nothing to manage but secrets themselves stored in Git.
Both are great and neither is overly complex. The main question is whether you prefer to keep secrets in an external store or in Git (an encrypted version of them).

@@DevOpsToolkit awesome, thank you for explaining

All secrets in Kubernetes are base64 encoded, so yes. You would need to create that secret first either with kubectl or anything else. However, once the secret is there, you can manage it with external secrets.

Ok. thank you for your help.

Adding it to my to-do list...

That's indeed a "chicken and egg problem" and I do not have a good answer for that except to say that once a secret is created in a "typical" fashion (e.g., `kubectl create secret`) it can be managed by External Secrets from there on. It's a similar problem to "how to install Argo CD without Argo CD" or "how to create a cluster where Crossplane will be running".

@@DevOpsToolkit same with ClusterAPI. WTF is going ooooooooon lol

There is always some prerequisite for any tool. We're all trying to reduce those initial dependencies but they are always there in some form or another.

@@DevOpsToolkit yes, yes, but the chicken and egg issue always makes me smile lol btw great video Victor!

ESOs responsibility stops when secrets in kubernetes are created. From there on, it all depends on permissions you defined, whether etcd is encryped, etc. The alternative is bot to use kubernetes secrets at all. I will publish a video on that subject in 3-4 weeks. TL;DR; it is close to impossible not to use kubernetes secrets.

I'm not sure what he meant when saying that sealed secrets do not scale. The job is relatively easy and is performed only when manifests change to there is no constant demand for resources. Also, i haven't experienced any performance/scaling issues myself.

@@DevOpsToolkit Awesome. Appreciate the quick reply. From all the solutions out there, sealed secrets fits best for what we require. I am also now liking the idea more and more to store the app "target" state in the clients' own repos.

Do you mean that secrets are encrypted in AWS Secrets Manager or when they reach Kubernetes secret?

@@DevOpsToolkit they reach Kubernetes secret encrypted. meaning, the values I see in AWS Secrets Manager are different

​@@sharonlavie8210 Normally, values in k8s secrets are encoded, not encrypted. Can you confirm that's not the case? You can do it with something like `echo -n "VALUE_FROM_THE_K8S_SECRET" | base64 -d`.

@@DevOpsToolkit yes, you're right!! it is base64 encoded. just need to figure out how to decode the values i get from the secret when i use them in my gitsync sidecar.
You are #1!!
I really enjoy watching your videos and I learn a lot from you.
Will increase my support in your channel, you totally deserve it ❤

I found the solution. very simple, the username and password to github were base64 encoded, i saved them without the base64 encoding in AWS Secrets manager.
Problem solved!! yay! :)

It is not a service. It's an open source project meaning that the code is at your disposal to review it. There is nothing hidden in external secrets.

The idea, in general, is for the apps to focus on business logic and leave everything else to external processes. That applies just as much to networking, storage, and TLS as to secrets. The result is the same and the only real difference is where the logic is coded.

@@DevOpsToolkit thank you for your reply, so basically in terms of security, keep these secrets on cluster are safer than on the apps, with a plus of isolating complexity from the development. Cool

There is nothing special to do. You can push ESO manifests to git like any others and flux will sync them.

I do not think that git is the source of truth. It is the source of the desired state. The truth is the actual state which are resource at runtime. The actual state might or might not have drift when compared to the desired state.
Also, Git often contains higher level abstractions. It might have a Deployment which, at runtime, managers replica sets which manage pods which contain containers. All those are the source of truth and not only the intention to have a Deployment.

As for ESO... It is not that different from, let's say, containers. While ESO references a secret which is later pulled into a cluster, a container definition references an image which is also pulled into a cluster and converted into actual containers.

I haven't used it sufficiently (yet). I've been using GoDaddy solution for a long time (External Secrets is a continuation of that project) so I haven't had the need to dive into Secret Store CSI. Is it good? Should I switch to it?

@@DevOpsToolkit Secret Store CSI Driver is a k8s standard with lots of supported integrations (e.g., ASCP is Amazon's provider). In many cases you can avoid creating k8s secrets, as per best security practice, but creating a k8s secret is also supported.

@@joebowbeer I definitely need to go back to SSC. It must have changed a lot since the last time I checked it (over a year ago).
Does it support pushing secrets to external stores? That's one of the main things missing in External Secrets (and I believe they're working on it).

Secret Store CSI Driver is great if you need to avoid having Kubernetes Native Secrets (or sensitive data in ETCD). This is specially useful with some specific compliances and Very specific sensitive workloads. Just need to remember that the service account token used by SSCSI driver is on ETCD anyways. We've seen people use both projects, even simultaneously, in the same organization. Remember: All your practices around access management, avoidance of initial attack vectors and having good identity boundaries will be way more important in avoiding people getting secrets than what tool you choose to synchronize secrets, or if they are in volumes or etcd :)

@@DevOpsToolkit They don't push secrets and I don't think it is in their roadmap, since their focus is being a Storage Interface. The focus of the SSCSID project is not to have a reconciliation loop creating/updating stuff. The provider (like ASCP mentioned here), is a privileged daemonset in the cluster, and SSCSID is just what the names tell us, a storage driver so kubernetes knows how to mount the secret as a volume in the pod. Which is why, even if you enable secret sync with SSCSID you would need to mount it first to a pod. So with image pull secrets that you usually would not use in a pod, you would have to first mount to a dummy pod so it ends up in a K8S native secret.

but would we not mask the values for that secret store manifest in the pipeline library? , for example - using variable groups in Azure DevOps ¯\_(ツ)