Hey everyone! I'm setting up a local Kubernetes cluster using Kind with Terragrunt, and I'm curious about best practices for managing secrets. I want to use GitHub as a source for my secrets but it doesn't seem straightforward. While I've looked into using Vault, I'm concerned about the accessibility issues since the runner operates outside the cluster. I prefer to avoid cloud provider services or bootstrap scripts for configuring Vault. Currently, I'm relying on Kubernetes as a secret store and using a Terragrunt module to create secrets that can be accessed in other namespaces, but it feels a bit hacky. How do you all manage secrets in such environments? Any suggestions?
4 Answers
You might want to consider using SOPS! It works really well with Kubernetes and can help you manage secrets efficiently. Check out the guides on FluxCD's website.
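To make the SOPS-with-Flux suggestion concrete, here is an added example (not from the answer above or from the Flux project's own docs); the repo paths, the `app` namespace and the `age1...` recipient are placeholder assumptions.

```yaml
# .sops.yaml at the repo root: encrypt only the data/stringData values so the
# Secret's name, namespace and labels stay readable in git diffs and for Flux.
# The age recipient is a placeholder, not a real public key.
creation_rules:
  - path_regex: clusters/.*/secrets/.*\.yaml$
    encrypted_regex: ^(data|stringData)$
    age: age1PLACEHOLDERRECIPIENT00000000000000000000000000000000000000
---
# clusters/kind/secrets/db-credentials.yaml, shown BEFORE running:
#   sops --encrypt --in-place clusters/kind/secrets/db-credentials.yaml
# After encryption only the values under stringData become ENC[...] ciphertext
# and a `sops:` block holding the age-wrapped data key is appended; only the
# encrypted form is committed. The credentials below are constructed samples.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: app
type: Opaque
stringData:
  username: app_user
  password: constructed-sample-password
---
# Flux Kustomization that reconciles that directory and decrypts with SOPS.
# Flux reads the private age key from the Secret `sops-age` in flux-system,
# created out of band from the age.agekey file, so the key never enters git.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: kind-secrets
  namespace: flux-system
spec:
  interval: 10m
  path: ./clusters/kind/secrets
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age
```

A quick check before pushing is to confirm that `git diff` for the secrets directory shows only `ENC[...]` values and no plaintext under `stringData`.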
If your focus is keeping things local, have you thought about using SealedSecrets? It allows you to manage secrets more securely without exposing them directly in your cluster.
Using GitHub as a secrets vault is kind of unconventional since it's primarily meant for version control, not secrets management. I'm wondering if you're possibly confusing that with GitHub Secrets for Actions? Also, using Kubernetes directly for storing secrets can be tricky; it seems like a workaround. You might want to explore other secret management tools that integrate well with Kubernetes.
What I meant was using GitHub Secrets that can be referenced in Kubernetes. I've seen some examples in the ESO documentation where you can convert those GitHub stored secrets into Kubernetes secrets. It feels hacky, but it sort of works.
I usually go with AWS Secrets Manager. Terraform sets everything up for me, especially for database credentials, and I ensure all passwords are consistent across my deployments.

Thanks for the tip, I'll check out SealedSecrets! It sounds like it might fit my needs.