►
From YouTube: Secrets Store CSI Driver: Keeping Secrets Secret - Anish Ramasekar, Microsoft & Tommy Murphy, Google
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon North America 2021 in Los Angeles, CA from October 12-15. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Secrets Store CSI Driver: Keeping Secrets Secret - Anish Ramasekar, Microsoft & Tommy Murphy, Google
Applications running on Kubernetes require access to sensitive information (passwords, SSH keys and authentication tokens). But how do you configure your applications when the source of truth for these secrets is an external secret store? What if you need to store, retrieve and perform zero touch rotation of these secrets securely? Meet the Secrets Store CSI Driver, a sig-auth subproject providing a simple way to retrieve secrets from enterprise-grade external stores such as Azure Key Vault, Google Secret Manager and HashiCorp Vault. In this session, Anish and Tommy will demonstrate how to use the Secrets Store CSI Driver to mount and rotate sensitive information from external secrets stores in the Kubernetes application. They will also discuss trade-offs of the CSI driver versus other solutions to accessing external secret stores and how CRDs are used to make pod portability across Kubernetes environments possible.
B
A
A
A
So
you
may
look
at
just
copying
the
secrets
to
kubernetes
secrets,
perhaps
with
the
controller.
This
is
portable
but
won't
and
won't
require
application
changes.
But
you
may
lose
out
on
some
of
the
benefits
of
your
external
secret
store.
Like
data
rest,
encryption
and
the
identity
that's
used
to
access,
the
secrets
may
go
from
the
workload
to
the
controller.
That
is
duplicating
the
secrets.
A
A
Finally,
there's
the
secrets
store,
csi
driver
which
uses
the
container
storage
interface
specification
that
we're
going
to
talk
about
today
and
we'll
cover
some
of
the
features
that
we
think
make
it
a
good
fit
for
consuming
external
secrets
on
kubernetes
originally
developed
at
deus
labs.
This
storage
driver
is
now
being
built
and
maintained
as
a
sig
auth
sub
project.
A
A
As
a
storage
driver,
it
provides
a
familiar
file
system,
mount
experience
to
your
compute
workloads.
It's
also
pluggable
and
supports
multiple
external
secret
providers.
Without
modifying
your
application
or
changing
the
pod
yaml,
it
can
load
new
values
of
secrets
throughout
your
pod's
life
cycle,
and
it
can
also
even
sync
those
secrets
to
kubernetes
secrets
for
further
compatibility
with
existing
deployments.
A
A
A
A
A
A
The
seeker
provider
class
is
a
namespace
kubernetes
custom
resource
that
is
used
to
provide
the
driver,
configurations
and
provider
specific
parameters
to
the
secret
cs4
csi
driver
we've
looked
at
the
pod
yaml
and
the
secret
provider
class
cmo.
But
how
do
you
know
which
versions
of
secrets
are
being
used
by
your
pod?
A
B
Let's
look
at
the
demo
now.
First,
I'm
going
to
show
you
what
is
there
on
the
cluster,
so
we
have
a
kind
cluster
with
a
single
node.
That's
running
kubernetes
version
1.20.2
to
show
how
the
secret
store
csi
driver
enables
port
portability
across
different
external
secret
store
providers,
we're
going
to
start
with
deploying
two
applications
written
against
specific
third
party
secrets,
and
here
we're
going
to
be
using
azure
and
gcp.
B
B
This
is
a
sample
yaml
for
a
pod
using
the
azure
keyword
api
to
get
the
secret
from
azure
keyword.
As
you
can
see
here,
the
keyword
name
and
the
keyword
secret
name
are
provided
as
arguments
for
the
container
and
the
credentials
are
obtained
from
secret
store
threads.
The
kubernetes
secret
that
I've
reconfigured.
B
B
B
Now,
instead
of
having
different
application
implementation
for
external
secret
store,
we
have
this
application
that
was
returned
to
consume
the
secret
from
the
file
system.
Instead,
using
the
secret
store,
csi
driver
we're
going
to
show
how
this
application
can
get
secrets
from
either
secret
bracket.
B
B
B
B
B
So,
as
you
can
see
here,
the
board
specifies
the
volume
mount.
The
name
for
the
volume
amount
is
secret
store
in
line
and
the
amount
path
within
the
container
is
going
to
be
mount
secret
store
and
in
the
volumes
the
same
name
is
being
used,
and
here
the
volume
type
is
csi
and
we
can
see
the
driver
that's
being
used.
Is
the
secret
store,
csi
driver?
And
here,
in
the
volume
attributes
we
have
the
secret
provider
class
csispc
that
we
will
take
a
look
at
next.
B
So
when
we
took
when
we
take
a
look
at
the
secret
provider
class
here,
we
can
see
the
provider
that's
being
used,
is
azure
and
in
the
parameters
we
can
see,
the
keyword
name
is
kubecon.
Eu
2021
and
the
objects
is
an
array
where
you
can
define
multiple
different
objects
and
the
object
type
here
is
secret
secret
and
the
name
is
app
secret.
The
possible
values
for
object
type
are
secret,
key
and
search.
B
B
B
B
A
A
A
common
usage
of
this
feature
is
to
store
the
tls
certificates
in
an
external
secret
store
and
have
the
driver
sync
it
to
a
kubernetes
tls
secret
for
use
by
an
ingress
controller.
In
addition,
the
synced
kubernetes
secret
can
also
be
referenced
in
pod
spec
to
set
the
secret
as
an
environment.
Variable
use
the
optional
secret
objects
field
in
the
secret
provider
class
to
define
the
desired
state
of
the
synced
kubernetes
secret
object.
A
B
Now,
let's
take
a
look
now:
let's
do
another
demo
for
the
sync
secret
feature.
First,
we're
going
to
see
how
the
secret
store
csi
driver
can
sync
the
mounted
content
as
kubernetes
secret,
we're
going
to
enable
application
to
work
with
nginx
english
controller
with
dls
certificates
stored
in
key
vault.
B
B
B
This
installs,
the
ingress
controller
and
all
the
other
required
manifests.
Now,
let's
take
a
look
at
a
sample
secret
provider
class
that
is
going
to
be
used
for
syncing
as
kubernetes
secret.
So,
as
you
can
see
here,
the
name
is
azure
tls,
so
the
provider
that's
being
used
is
azure
and
the
parameters
field
here
matches
what
we
saw
previously
in
the
previous
demo.
B
So
the
object
that's
being
fetched
is
the
certain
the
secret
that
we
just
uploaded
to
azure
keyword.
The
secret
objects
field
in
the
secret
provider
class
is
what
tells
the
csi
driver
that
the
mounted
content
also
needs
to
be
mirrored
as
kubernetes
secret.
Here.
The
secret
name
is
what
is
the
desired
name?
The
type
is
what
the
seeker
type
needs
to
be
and,
as
we
can
see,
the
tls
key
and
tls
cert
are
mandatory
fields
for
kubernetes
secret
of
type
tls.
B
B
So
here
we
have
a
static
pod,
called
foo
app
and
the
volume
mount
in
mount
secret
store
and
the
volumes
being
referenced
here
is
for
the
csi
driver,
the
secret
provider
class.
Here
azure
tls
matches
the
name
for
the
sql
provider
class.
We
saw
in
the
previous
step
and
also
as
part
of
this
manifest
we
are
creating
service
and
also
another
bar
back
end.
B
B
So
let's
go
ahead
and
deploy
all
the
required
odds
back
now,
let's
check
to
ensure
that
the
pods
are
running.
They
are
so
now.
When
we
try
to
curl
the
endpoint,
we
can
see
the
certificate
that
is
being
used
is
the
one
synced
by
the
secret
store
csi
driver
as
kubernetes
secret
with
an
expiry
date
of
april
6th.
So
let's
verify
that.
B
B
So,
as
we
can
see
here,
the
status
is
mounted
and
the
objects
is
matches.
The
field
objects
that
were
defined
in
the
secret
provider
class
and
the
version
that's
being
used
for
the
part
currently
is
starts
with
d7f4,
and
there
is
also
other
additional
metadata
that
can
help
for
cluster
operators
like
the
pod
name
and
also
the
mapping
with
the
secret
provider
class
name.
B
Now
that
we've
seen
how
sync
kubernetes
secret
works,
let's
also
check
out
how
rotating
these
secrets
would
work.
So
for
the
purpose
of
the
demo,
I
have
already
generated
another
certificate
with
april
14th
as
the
expiry
date.
So
we
can
see
the
changes,
so,
let's
inspect
the
certificate
before
we
upload
it
to
azure
keyword
as
we
can
see
here.
The
subject
is
localhost
and
the
validity
for
this
is
april
14th.
B
The
auto
rotation
feature
in
the
secret
store
csi
driver
should
enable
us
to
fetch
the
new
rotated
certificate
from
azure
keyboard
and
update
the
mount
and
the
send
kubernetes
secret.
So
now,
when
we
try
to
call
the
same
end
point,
we
expect
to
see
the
certificate
return
to
have
an
expiry
of
april
14
instead
of
april
6..
B
As
we
can
see
here,
the
expiry
date
now
is
april
14th,
which
is
indicated
that
the
certificate
that
was
rotated
in
the
external
secret
store
has
successfully
been
updated
in
the
kubernetes
secret
on
the
cluster.
Now,
let's
also
check
the
secret
provider
class
part
status
again
to
see
what
version
of
the
secret
is
currently
being
used.
B
B
B
B
So
what
does
the
future
look
like?
We
are
working
towards
the
stable
release
for
the
driver.
This
includes
increasing
the
test
coverage
and
also
finalizing
the
driver
provider
interface.
The
cncf
is
commissioning
a
third-party
security
review
of
the
project
and
we're
looking
forward
to
more
community
involvement.