Secret manager

[dbones]

Secrets need to support

• control cluster
• downstream clusters
• key encryption rotation
• value needs to be backed-up or stored for DR
• value can be rotated in 2 ways 1) change the value 2) create a second copy for rotation

Quick notes

secrets need to be stored in K8s (how the applications and logic access their secrets)

• K8s Secret - good RBAC poor out-of-the-box encryption (can be set up tho) - everything supports this
• Side Car - pulls from a KMS on the fly, input into a in-memory volume (super secure, apps need to be aware of rotation)
• CSI - treats the KMS as a memory volume

ways to handle secrets

• Vault / KMS - another component to manage, but does all the super hard stuff for you (CSI or Side Car)
• Sealed Secrets / Git secrets - not as secure, as the secret will ultimately be stored as a K8s Secret, but pretty solid, real challenge is multi-cluster

design ideas

• the Rotation should be handled by the modules that use them
• secrets should be declared as a disired state, i.e. i want a secret which is 30 chars with nums and special chars (this will be used to create a secret by convention)

consider Hashi Vault + the library below

[dbones]

https://www.youtube.com/watch?v=VGqJ-QvhkIw

https://github.com/bitnami-labs/sealed-secrets

[dbones]

apiVersion: lab.dev/v1
kind: Organization
metadata:
  name: dbones-labs
  namespace: lab # sets the org namespace
  labels:
    lab.dev/verison: 1
spec:
  service:
    retainFor: 300
  gitSecret:
    rotate: 43200

---

apiVersion: lab.dev/v1
kind: GitSecret
metadata:
  name: login-dbones
  namespace: spike
  labels:
    secrect.internal.lab.dev/component: postgres
    lab.dev/verison: 1
spec:
  password:
    length: 32
    azLower: true
    azUpper: true
    number: true
    special: true
    avoid: "\""

---

apiVersion: lab.dev/v1
kind: Postgres
metadata:
  name: spike
  namespace: frontier
  labels:
    lab.dev/verison: 1
spec:
  credentials: spike