►
From YouTube: Optimizing Secrets Management by Ifeoluwa Oluwole
Description
This session aims to improve the lifecycle of secrets management from integration with secret management tool, to secret creation, rotation, and deletion.
---
KCD Africa 2022 is the 2nd iteration of the Kubernetes Community Days Africa, a CNCF-powered free community event. Visit https://kcdafrica.com for more information.
A
A
So
that's
what
I'm
going
to
be
calling
and
throughout
the
section
this
section
he's
he
has
over
80
years
experience
and
across
various
sectors,
including
banking
telecommunication,
media
security
and
consulting
ife,
loves
devops,
just
like
the
name
effed
devops,
just
because
of
its
broad
coverage
and
dynamics
and
there's
never
a
dull
moment
with
ife.
Of
course,
car
racing
games
and
other
musical
instruments
are
things
that,
if
I
find
fun
and
exciting
so
we're
going
to
be
hearing
from
ife
in
a
bit.
B
B
B
B
B
So
this
is
not
going
to
be
the
conventional
tekiteki
breakdown,
but
I'll
just
try
to
make
it
as
simple
as
possible
enough
to
relate
to
it.
Okay,
so
I'm
going
to
just
demo
something
simple
using
using
some
tools
that
make
up
this
tech
stack
just
to
ensure
that
we
can
optimally
manage
secrets.
I
mean
at
the
end
of
the
day,
the
whole
the
takeaway
from
this
is
whatever
stack.
We
choose
whatever
back-end
management
tools.
B
We
choose
it's
something
we
can
relate
to
it's
something
we
can
easily
manage,
and
you
know,
most
importantly,
something
that
meets
the
needs
of.
You
know
the
team
and
the
organization
in
terms
of
managing
those.
You
know
sensitive,
sensitive
artifacts
in
our
environment,
okay,
so
I'm
going
to
share
my
screen
now.
B
So
I
I
just
have
a
shot
I
mean
I
I
just
did
some
brainstorming,
some
typical
challenges
that
I
had
faced
and
maybe
what
you
know
others
might
be
facing
in
terms
of
the
overall
concept
of
of
secrets.
You
know
how
to
manage
the
entire
secrets
life
cycles
from
when
they
are
created
to
how
they
are
rotated,
so
how
they
are
even
injected
into
the
clusters.
You
know
the
environment
to
how
they
are
deleted,
also
disaster
recovery
strategies
for
secrets.
B
So
you
know
we
have
several
solutions
that
could
back
up
the
kubernetes
clusters,
but
how
well
are
the
secrets
also
backed
up?
How
do
we
have?
How
do
we
ensure
that
if
we
lose
our
secrets,
we
can
recover
them
things
around
githubs,
you
know:
how
should
we
commit
secrets
to
git
things
around
show
the
actual
secrets
you
know
sits
in
the
cluster.
B
So
things
like
that,
you
know
some
of
the
concerns
that
made
me
come
up
with
this
with
this
same
idea,
so
the
stock
that
will
be
used
here.
Obviously,
now
secrets
operator,
I
mean
formerly
called
kubernetes
external
secrets,
but
that's
been
deprecated,
so
it's
now
based
the
external
secrets
operator.
It's
you
know
a
whole
lot
of
improvements,
so
that
would
basically
just
be
an
abstraction
layer.
B
So
some
of
these
words,
some
of
these
terms
or
tools,
might
be
new,
but
I
mean
some
of
us
might,
you
know,
resonate
with
some
of
them,
but
nothing
to
get
worried
or
get
scared
off
I'll.
Just
deploy
this
in
a
very
simple
fashion,
and
then
maybe
we
can
run
through
questions.
You
know
observations
concerns
yeah,
so
I
already
have
my
eks
cluster
set
up.
I
think
one
of
the
sessions
in
the
morning
went
through.
You
know,
setting
up
a
mini
cube
cluster,
so
any
of
that
works
as
well.
B
The
charts
are
available
in
the
github
repository,
so
I
mean
I
could
probably
share
this
later
so
I'll
just
be
installing
adding
the
reloaders
home
chat
to
my
local
repo
home
repo.
Just
do
some
updates
and
install
reloader,
so
I'll
just
grab
this
and
you
know
steer
so
it's
grabbing
the
latest
charts
and
we'll
install
now
downline
will
still
come
to
that,
but
maybe
I
should
just
mention
this
now.
Setting
up
your
letter
is
pretty
easy.
It
involves
just
adding
an
annotation.
B
B
B
B
B
B
B
B
B
B
Yep
already
exists,
so
I
will
install
external
secrets
now.
Take
note,
I'm
passing
in
my
values
file
here,
and
this
is
simply
the
same.
The
default
from
the
charts
and
the
only
tweak
here
is,
I
am
adding
my
row
like
I
said,
I'm
using
im
rule
for
service
accounts,
so
this
enables
me
to
grant
a
service
account
in
kubernetes
to
grant
it
permission
to
assume
or
work
with
an
im
role
in
aws.
B
B
B
Now
the
concept
of
external
secrets
is,
after
deploying
the
operator,
you
need
to
set
up
a
secret
store.
What
is
the
store?
The
store
is
simply
a
backend
object
that
establishes
connection
to
your
secret
management
tool,
so
it
could
be
hashtag
vault.
It
could
be
a
jockey
vault
like
I
said
it
could
be
in
our
case,
whereas
in
aws
secret
manager-
and
this
is
the
manifest
here-
all
of
these
charts
and
manifests
are
in
the
home
chart
repository,
but
I
will
just
explain
what
the
secret
store
does.
B
B
Okay,
great
next
up
the
service
is
secret
manager.
So
in
external
secrets,
when
you
say
secrets
manager,
that
means
you're
referring
to
a
ws
secret
manager,
I
think,
if
you're
working
with
azure
key
vault,
it
has
to
be
maybe
something
like
azure
maybe
kv,
and
I
can't
recover.
You
know
it's
it's
there
so,
depending
on
the
backend
tool
that
will
determine
the
kind
of
name
that
should
be
here.
B
If
you
notice
it's
just
the
word
cluster
that
is
different
in
both,
and
why
is
that?
It
means
you
can
choose
your
object
to
be
accessible
throughout
the
kubernetes
cluster
or
you
can
choose
to
tie
it
to
a
particular
namespace
in
this
case,
I'll
just
like
to
have
one
secret
store
to
serve
all
secrets
in
my
cluster,
so
I'll
go
with
the
cluster
secret
store,
so
this
is
defined.
This
is
created.
Okay,
so,
let's
see.
B
B
Okay,
so
when
I
see
an
event
like
this,
this
is
just
a
way
to
validate
that
your
external
secret
operator
successfully,
you
know,
can
successfully
authenticate
to
aws
using
the
role
or
the
credential
you
provided
maybe
an
access
on
a
secret
key
stored
somewhere
on
your
role.
In
this
case,
I'm
using
irs
like
I
said
so.
This
is
good.
This
is
a
good
sign
that
we
can
interact
with
aws
and
we
can
also
interact
with
the
aws
secrets
manager.
B
B
B
Now
the
external
secret
name
is
the
name
it
will
use
to
create,
or
it
will
give
you
external
secrets.
What's
the
difference
there,
the
external
secret
will
be
created
in
whichever
namespace
you
define
so
remember.
You
are
managing
a
kubernetes
infrastructure.
You
are
using.
You
know
the
namespace
strategy
to
properly
isolate
workloads.
Your
environment
I
mean,
maybe
you
have
a
namespace
for
dev
or
a
namespace
for
staging,
or
you
have
a
namespace
for
critical
apps
and
let's
create
collapse
with
several
levels
of
isolation.
B
At
the
same
time,
what
about
whichever
secrets
are
consumed
in
the
name?
Space
has
to
be
within
that
namespace.
That's
the
whole
idea
of
the
virtual
isolation.
You
know
with
regards
to
namespaces,
so
here
I'm
saying
creates
an
external
secrets
and
provision
into
this
namespace
in
this
case
I'm
using
a
default
image.
So
this
can
be
any
namespace.
This
can
be
maybe
abc
app
namespace.
B
External
secrets
operator
make
sure
that
these
external
secrets
always
exists
in
this
name
space
and
who
is
in
charge
of
that?
It's
the
close
text
now
secret.
So
every
one
minutes,
the
cluster
external
secrets,
checks
to
make
sure
the
external
secret
is
in
the
default
namespace,
but
it
gets
even
more
interesting.
I
mean
there's
another
layer
just
to
ensure
100
or
maybe
near
100
protection
or
availability
of
your
secrets.
B
So
for
the
external
secrets,
it
now
creates
a
secret
called
test
secrets.
Of
course,
this
secret
story,
f
is
just
saying:
hey.
Remember
I
created
a
secret
store
name
named
aws
secrets
manager,
that's
the
store!
You
should
connect
with
back
end
to
fetch
my
secrets,
so
that's
this.
Just
like
a
reference
call
for
synchronization,
hey
check,
my
aws
secret
store,
fetch
all
my
secrets
or
fetch
my
secrets
named
this.
You
see
a
section
called
data
from
or
extract
like.
I
said
this
might
be
new.
B
B
So
three
kinds
of
objects
will
be
created
when
I
apply
this
manifest,
which
I'll
do
now.
So,
let's
create
our
close
text
and
our
secrets-
oh
before
that,
like
I
said,
create
secret
and
secret
manager,
and
why
am
I
doing
that
at
a
point
when
I'm
telling
it
to
fetch
this
secret?
I
need
to
make
sure
that
I
have
a
secret
named
this
in
aws
or
in
my
secret
management
tool,
any
tool
I'm
using.
B
B
B
B
And
here
we
have
secrets,
I
mean
we're
going
to
see
something
fun
down
the
line
I
could
choose
to
delete
the
secrets
I
mean
this
is
one
of
the
problems,
the
pros
of
external
secrets
because
of
the
synchronization
I
can
choose
to
delete
the
secret
and
it
will
create
its
cube,
ctl,
delete
secrets,
test
secrets
so
to
refresh
every
I
think,
one
minute
or
even
immediately,
let's
see
yep.
So
you
see,
let
me
just
clear
this
okay
secret
here,
50
seconds
old
was
deleted
and
here
it
automatically
recreated
it.
B
You
can
be
rest
assured
that
that
secret
will
be
recreated
if
you're,
not
using
an
external
secret
management
tool
and
if
you're,
not
an
external
secret
operator,
there's
no
way
to
there's
no
way
to
recall
the
secrets,
unlike
deployment
objects
or
maybe
state
two
sets
that
have
maybe
things
like
revision
history
limits.
Where
you
can,
you
know
roll
back
objects
or
depending
on.
If
you
do
upgrades,
there's
no
there's
no
way
to
roll
back
or
recover.
B
B
B
So
I
have
this
annotation
here
that
says:
hey
just
look
out
for
all
my
maps,
secrets
and
config
maps.
If
you
notice
any
of
them
is
updated
automatically
restart
my
ports,
that's
the
first
addition
I
have
here.
The
final
addition
I
have
is,
of
course,
I'm
bringing
in
my
secret.
So
I'm
just
saying:
hey
fetch
some
environment
variables
from
these
secrets.
B
B
B
B
B
So
what's
the
entire
flow
of
this
I'll
just
run
through
it,
external
secrets
operator
connects
to
aws
through
the
cluster
secret
store.
That's
the
first
part.
The
second
part
is
the
cluster
acts
on
our
secrets,
creates
an
external
secret
in
your
defined
name.
Space
and
classical
secrets
always
makes
sure
that
the
external
secret
exists
in
turn,
the
external
secrets
created
the
secret
object,
which
you
know
I
assigned
to
the
port
or
to
the
deployment,
and
it
always
makes
sure
that
that
secret
object
always
exists.
B
B
B
B
B
B
That
is
active,
so
we
see
here
that
the
last
set
of
pods
are
terminating
while
new
ports
are
running.
Remember
this
happens
in
a
rolling
fashion,
so
there
is
no
downtime
up.
Time
is
guaranteed
and,
of
course,
this
also
respects
your
your
update
strategy.
So,
if
you're
using
maybe
a
fresh
redeployment
of
everything
or
a
rolling
restart
or
a
ruling,
upgrade
that's
what
will
happen
reload,
I
respects
your
update
strategy,
but
by
default
the
default
kubernetes
of
this
strategy,
which
most
almost
I
mean
everyone
uses
this
the
ruling
upgrade.
B
B
It
looks
like
a
lot
of
heavy
lifting
has
been
done
here
and
this
achieves
the
goal
which
you
want
to
achieve.
Now
I
mean
the
pros
of
this
stack.
I
just
did
some
brainstorming
and
I
said,
okay
secrets
cannot
be
part
of
the
github's
model.
I
mean
you
don't
want
to
become
it's
an
actual
secret
manifest
into
git,
but
with
external
secrets
operator
and
with
this
entire
stack
as
a
matter
of
fact,
you
can
have
your
external
secrets
manifest
in
gates,
in
fact,
depending
on
your
github
strategy.
B
At
the
same
time,
if
you're
using
gx3,
you
can,
you
know,
build
a
model
that
says
automatically
connects
to
aws
and
create
secrets.
So
that's
the
next
layer,
maybe
the
next
I
mean
maybe
the
next
kcd,
who
knows
maybe
that
will
be
featured.
But
that's
something
also.
You
know
that's
possible.
You
can
automatically
create
secrets
from
aws
without
manually,
defining
your
secrets,
so
just
have
something
in
just
properly
define
your
github's
model
and
that
is
very
much
possible
automatic
secrets.
Rotation.
B
I
mean
the
option
is
here:
you
can
configure
imagine
this
database
credentials
or
you
know
any
other
form
of
credential.
You
can
configure
automatic
rotation
dr
strategy.
Well,
I
didn't
adjust
to
save
cost
since
it's
just
a
test,
but
you
can
also
set
up
some
replication.
If
I
attempt
to
create
a
new
secret,
so
I
think
it's
it's
even
here
you
can
choose
to
relocate
secrets
to
other
regions,
so
you're,
not
scared
of
the
fact
that
the
region
may
go
down
or
your
cluster
might
be
on.
B
You
know
unreachable
or
you
know
your
cluster
crashes
and
all
of
that
that
automatically
handles
your
disaster
recovery
strategy.
Also
secret
synchronization,
like
we
saw
you
delete
a
secret,
it
gets
you
delete
a
secret
object,
it
automatically
gets
recreated
you
you
update
the
secrets
it
automatically
gets.
You
know
the
pods
gets
redeployed
in
a
ruling
fashion.
B
I
mean
a
couple
of
that
and
the
concept
is
stuck.
Nothing
is
perfect,
there's
always
room
for
improvement.
So
to
me
so
far,
so
good,
I
feel,
is
just
one
more
layer
of
operational
management
which
happens
just
once,
which
is
at
the
point
of
setup
now,
because
the
rest
of
the
operations
are
basically,
you
know,
I'm
automated.
B
So
I
feel
with
this
I
think
optimizing
secrets
you
know,
should
be
more
user
friendly
shouldn't.
Be
that
scared
topic
handled
by
only
the
maybe
experts
or
the
gurus,
and
you
know
I
mean
the
kubernetes
community.
I
think
everyone
can
relate
with
it.
Everyone
can
just
deploy
a
simple
stack
depending
on
maybe
your
cloud
provider
or
your
segment.
B
C
C
B
Kubernetes
service-
I
guess
you're
referring
to
the
operator
external
secrets
operator
before
now.
It
was
kubernetes
external
secrets,
but
that
has
been
deprecated
and
improved.
So
we
now
have
the
external
secrets
operator.
So
for
now
we
can
say
that
is
the
kubernetes
controller
or
service
that
does
that's.
That
is
the
backbone
of
this
entire
stack.
Basically,.