If the built-in solution is not enough for you, you have to choose an external Key Management Service (KMS) such as Hashicorp Vault and somehow inject secret resolution into your workload. There are several options: you can use a mutating webhook that creates environment variables during pod creation, for example, or run an extra sidecar that resolves secrets inside the container and exposes them as volumes. The main advantage of this approach is that you have full control over where and how encrypted secrets are converted into readable values, but every coin has another side. These solutions are complex and, most importantly, they are not transparent. Because the Kubernetes Secrets are then only references to the real ones, you must configure everything on every single target cluster, or write tons of if-else logic in your favorite manifest generation tool.
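The first option above, a mutating webhook that turns secret references into environment variables while the Pod is being created, is easier to reason about with its core logic in front of you. The following is an added example written for this page, not code from the original article or from Vault; the annotation name `example.com/inject-secrets`, the `ENV=path#key` reference syntax, the in-memory KMS stand-in and the sample AdmissionReview are all constructed assumptions. It produces the JSON Patch the API server applies, and it fails closed: a malformed reference, a clash with an env var the container already defines, or a secret the KMS cannot resolve denies the Pod instead of admitting it without its secrets.

```python
"""Core of a mutating admission webhook that resolves secret references
into container environment variables at Pod creation time.

Added example, not code from the original article. The annotation name,
the ENV=path#key syntax and the in-memory KMS stand-in are assumptions."""
import base64
import copy
import json
import re
from typing import Callable, Dict, List, Tuple

ANNOTATION = "example.com/inject-secrets"  # hypothetical annotation name
ENV_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed stand-in for an external KMS such as Vault's KV engine. A real
# resolver would call the KMS with the webhook's own identity, so workloads
# never need to hold KMS credentials themselves.
FAKE_KMS: Dict[Tuple[str, str], str] = {
    ("secret/payments/db", "password"): "s3cr3t-db",
    ("secret/payments/api", "key"): "k-0123",
}


def fake_resolver(path: str, key: str) -> str:
    """Look a secret up in the constructed store; missing entries raise."""
    if (path, key) not in FAKE_KMS:
        raise LookupError(f"no secret at {path}#{key}")
    return FAKE_KMS[(path, key)]


def parse_references(spec: str) -> List[Tuple[str, str, str]]:
    """Parse 'ENV=path#key,ENV2=path#key' into (env, path, key) triples."""
    refs = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        env, _, ref = item.partition("=")
        path, sep, key = ref.partition("#")
        if not ENV_NAME_RE.match(env) or not sep or not path or not key:
            raise ValueError(f"malformed secret reference: {item!r}")
        refs.append((env, path, key))
    return refs


def build_patch(pod: dict, resolver: Callable[[str, str], str]) -> List[dict]:
    """Return a JSON Patch adding the resolved values as env vars to every
    container. Bad references, name clashes and unresolvable secrets raise,
    so the caller fails closed rather than admitting a Pod without secrets."""
    spec = pod.get("metadata", {}).get("annotations", {}).get(ANNOTATION)
    if not spec:
        return []
    resolved = [(env, resolver(path, key)) for env, path, key in parse_references(spec)]
    patch: List[dict] = []
    for i, container in enumerate(pod["spec"]["containers"]):
        existing = {e["name"] for e in container.get("env", [])}
        clash = sorted(existing.intersection(env for env, _ in resolved))
        if clash:
            raise ValueError(f"container {container['name']} already sets {clash}")
        new_env = [{"name": env, "value": value} for env, value in resolved]
        if "env" not in container:  # no env list yet: add the whole list
            patch.append({"op": "add", "path": f"/spec/containers/{i}/env", "value": new_env})
        else:  # append each entry to the existing list ("-" = end of array)
            patch.extend({"op": "add", "path": f"/spec/containers/{i}/env/-", "value": e}
                         for e in new_env)
    return patch


def admission_response(review: dict, resolver: Callable[[str, str], str] = fake_resolver) -> dict:
    """Build the AdmissionReview reply; any resolution error denies the Pod."""
    req = review["request"]
    response = {"uid": req["uid"], "allowed": True}
    try:
        patch = build_patch(req["object"], resolver)
    except (ValueError, LookupError) as exc:
        response = {"uid": req["uid"], "allowed": False, "status": {"message": str(exc)}}
    else:
        if patch:
            response["patchType"] = "JSONPatch"
            response["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def decoded_patch(reply: dict) -> List[dict]:
    """Decode the base64 JSON Patch from a reply (empty list if none)."""
    encoded = reply["response"].get("patch")
    return json.loads(base64.b64decode(encoded)) if encoded else []


def with_annotation(review: dict, spec: str) -> dict:
    """Deep copy of a review with the injection annotation replaced."""
    clone = copy.deepcopy(review)
    clone["request"]["object"]["metadata"]["annotations"][ANNOTATION] = spec
    return clone


# Constructed AdmissionReview request, not captured from a real cluster.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",
        "object": {
            "apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "api", "annotations": {
                ANNOTATION: "DB_PASSWORD=secret/payments/db#password,API_KEY=secret/payments/api#key"}},
            "spec": {"containers": [
                {"name": "app", "image": "app:1.0"},
                {"name": "log-shipper", "image": "shipper:1.0",
                 "env": [{"name": "LOG_LEVEL", "value": "info"}]},
            ]},
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(decoded_patch(admission_response(SAMPLE_REVIEW)), indent=2))
```

Two points worth noticing when running it. First, the plaintext values end up inside the Pod object itself, so anyone who can read Pods in that namespace can read the secrets with `kubectl get pod -o yaml`; that is exactly the "full control over where secrets become readable" trade-off the paragraph mentions, and the sidecar-plus-volume option avoids it at the cost of more moving parts. Second, because the resolver runs with the webhook's identity, the webhook and its KMS policy are now part of every cluster's configuration, which is the per-cluster setup burden the paragraph warns about.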