
With a Kubernetes cluster in place, what would be the alternative way to send configurations/passwords into containers? I know about the secrets way but what I'm looking for is a centralised environment that has the password encrypted, not base64 encoded.

ibrik

2 Answers


You could also consider Kamus (and KamusSecret, see at the end):

An open source, GitOps, zero-trust secrets encryption and decryption solution for Kubernetes applications.

Kamus enables users to easily encrypt secrets that can be decrypted only by the application running on Kubernetes.
The encryption is done using strong encryption providers (currently supported: Azure KeyVault, Google Cloud KMS and AES).
To learn more about Kamus, check out the blog post and slides.

helm repo add soluto https://charts.soluto.io
helm upgrade --install kamus soluto/kamus

Architecture: Kamus has 3 components:

  • Encrypt API
  • Decrypt API
  • Key Management System (KMS)

The encrypt and decrypt APIs handle encryption and decryption requests. The KMS is a wrapper for various cryptographic solutions. Currently supported:

  • AES - uses one key for all secrets
  • Azure KeyVault - creates one key per service account.
  • Google Cloud KMS - creates one key per service account.

As noted by Omer Levi Hevroni in the comments:

We are not planning to support env vars directly, as there are some security issues with using them.
As an alternative, you can use KamusSecret to create a regular secret and mount it

KamusSecret works very similarly to the regular secret encryption flow with Kamus.
The encrypted data is represented in a format that is identical to regular Kubernetes Secrets.
Kamus will create an identical secret with the decrypted content.

VonC
  • Author of Kamus here - would be happy to help with any questions about using Kamus and hear your experience, VonC thanks for recommending Kamus! How did you come across it? – Omer Levi Hevroni Mar 04 '19 at 20:36
  • @OmerLeviHevroni Search only: I did not have the opportunity to test it, but it looks great. – VonC Mar 04 '19 at 21:51
  • @OmerLeviHevroni Hi Omer, is there any roadmap for supporting the init container mounting into environment variables? The workaround, if I'm not mistaken, is to mount as files, then set those env vars from the files, then delete the files? – ArielB Sep 03 '19 at 07:25
  • We are not planning to support env vars directly, as there are some security issues with using them. As an alternative, you can use [KamusSecret](https://kamus.soluto.io/docs/user/crd/) to create a regular secret and mount it. – Omer Levi Hevroni Sep 04 '19 at 12:41
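As an added example (not Kamus's own code, and not part of the answer above), here is the encryption model that answer describes, in Go using only the standard library: a toy key provider with one AES-256-GCM key per service account, the service account name bound into the ciphertext as additional authenticated data, and a decrypt call that only succeeds for the identity the blob was encrypted for. The KMS type, the service account names and the sample Secret value are constructed for the illustration; real Kamus authenticates the calling pod with its service account token and keeps the keys in KeyVault or Cloud KMS rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// KMS is a toy stand-in (hypothetical, not Kamus code) for the key provider Kamus
// wraps. Like the KeyVault/GCP providers it holds one key per service account.
type KMS struct {
	keys map[string][]byte // "namespace/serviceaccount" -> 256-bit AES key
}

func NewKMS() *KMS { return &KMS{keys: map[string][]byte{}} }

// keyFor returns the key for a service account, generating it on first use.
func (k *KMS) keyFor(sa string) ([]byte, error) {
	if key, ok := k.keys[sa]; ok {
		return key, nil
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	k.keys[sa] = key
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt plays the Encrypt API: the caller names the service account that may
// read the value. That name is bound into the ciphertext as AES-GCM additional
// data, so the blob cannot later be presented as belonging to another identity.
func (k *KMS) Encrypt(sa string, plaintext []byte) (string, error) {
	key, err := k.keyFor(sa)
	if err != nil {
		return "", err
	}
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nonce, nonce, plaintext, []byte(sa)) // nonce || ciphertext || tag
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Decrypt plays the Decrypt API after the calling pod has been authenticated:
// only the caller's own key and identity are tried, so another service account fails.
func (k *KMS) Decrypt(callerSA, encoded string) ([]byte, error) {
	key, ok := k.keys[callerSA]
	if !ok {
		return nil, errors.New("no key for service account " + callerSA)
	}
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, body := ct[:aead.NonceSize()], ct[aead.NonceSize():]
	return aead.Open(nil, nonce, body, []byte(callerSA))
}

// DecodeSecretValue is the contrast the question draws: a value in a plain Secret
// manifest is only base64, reversed by anyone who can read the manifest.
func DecodeSecretValue(b64 string) (string, error) {
	b, err := base64.StdEncoding.DecodeString(b64)
	return string(b), err
}

func main() {
	pw, _ := DecodeSecretValue("czNjcjN0LXBhc3N3MHJk") // constructed Secret data: value
	fmt.Println("Secret manifest value decodes to:", pw)
	k := NewKMS()
	blob, _ := k.Encrypt("default/billing", []byte(pw))
	got, err := k.Decrypt("default/billing", blob)
	fmt.Println("billing pod decrypts:", string(got), err)
	_, err = k.Decrypt("default/frontend", blob)
	fmt.Println("frontend pod decrypts:", err)
}
```

The point of binding the service account name as additional data is that a ciphertext copied from one workload's manifest into another's is rejected even if the attacker could somehow reach the other workload's key; with the single-AES-key provider that binding is the only thing separating tenants, which is why the per-service-account KeyVault and Cloud KMS providers are the stronger choice.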

You should try Vault by HashiCorp.

The key features of Vault are:

  • Secure Secret Storage
  • Dynamic Secrets
  • Data Encryption
  • Leasing and Renewal
  • Revocation

Here is an example of using Vault + Kubernetes

Serge
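The Vault + Kubernetes flow this answer points to, as an added Go example that is neither Vault's own code nor the example the answer links: the pod logs in with its projected service account JWT, reads a KV v2 secret with the returned token, and revokes the token when done. Vault's HTTP paths, the X-Vault-Token header and the response shapes follow Vault's API documentation; the NewFakeVault server, the role myapp, the secret path myapp/db, the JWT value and the stored password are constructed here so the exchange runs offline (the fake does no real JWT validation).

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Client is a minimal pod-side client for Vault's HTTP API. Assumed (Vault's documented
// defaults): Kubernetes auth at auth/kubernetes, KV v2 at secret/, role "myapp" for the pod's SA.
type Client struct{ Addr, Token string }

// call sends one request carrying the X-Vault-Token header and decodes a 200 JSON body into out.
func (c *Client) call(method, path string, in, out interface{}) (int, error) {
	var body []byte
	if in != nil {
		body, _ = json.Marshal(in)
	}
	req, err := http.NewRequest(method, c.Addr+path, bytes.NewReader(body))
	if err != nil {
		return 0, err
	}
	req.Header.Set("X-Vault-Token", c.Token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if out != nil && resp.StatusCode == http.StatusOK {
		err = json.NewDecoder(resp.Body).Decode(out)
	}
	return resp.StatusCode, err
}

// Login trades the pod's service account JWT for a short-lived Vault token
// (real Vault validates the JWT against the Kubernetes TokenReview API).
func (c *Client) Login(role, jwt string) error {
	var out struct{ Auth struct{ ClientToken string `json:"client_token"` } `json:"auth"` }
	status, err := c.call(http.MethodPost, "/v1/auth/kubernetes/login", map[string]string{"role": role, "jwt": jwt}, &out)
	if err == nil && status != http.StatusOK { return fmt.Errorf("login: HTTP %d", status) }
	c.Token = out.Auth.ClientToken
	return err
}

// ReadKV reads a KV v2 secret: the plaintext exists only in the pod's memory, never in a Kubernetes object.
func (c *Client) ReadKV(path string) (map[string]string, error) {
	var out struct{ Data struct{ Data map[string]string `json:"data"` } `json:"data"` }
	status, err := c.call(http.MethodGet, "/v1/secret/data/"+path, nil, &out)
	if err == nil && status != http.StatusOK { return nil, fmt.Errorf("read %s: HTTP %d", path, status) }
	return out.Data.Data, err
}

// RevokeSelf is revocation in action: Vault stops honouring the token immediately.
func (c *Client) RevokeSelf() error {
	status, err := c.call(http.MethodPost, "/v1/auth/token/revoke-self", nil, nil)
	if err == nil && status != http.StatusNoContent { return fmt.Errorf("revoke: HTTP %d", status) }
	return err
}

// NewFakeVault is a constructed stand-in for the server side so the exchange runs
// offline. It is not Vault: it accepts exactly one JWT for role "myapp".
func NewFakeVault(expectedJWT string) *httptest.Server {
	var mu sync.Mutex
	tokens := map[string]bool{}
	deny := func(w http.ResponseWriter) { http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden) }
	authed := func(r *http.Request) bool { mu.Lock(); defer mu.Unlock(); return tokens[r.Header.Get("X-Vault-Token")] }
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/auth/kubernetes/login", func(w http.ResponseWriter, r *http.Request) {
		var in struct{ Role, JWT string }
		if json.NewDecoder(r.Body).Decode(&in) != nil || in.Role != "myapp" || in.JWT != expectedJWT { deny(w); return }
		tok := "hvs.constructed." + in.Role
		mu.Lock(); tokens[tok] = true; mu.Unlock()
		json.NewEncoder(w).Encode(map[string]interface{}{"auth": map[string]interface{}{"client_token": tok, "lease_duration": 3600}})
	})
	mux.HandleFunc("/v1/secret/data/myapp/db", func(w http.ResponseWriter, r *http.Request) {
		if !authed(r) { deny(w); return }
		json.NewEncoder(w).Encode(map[string]interface{}{"data": map[string]interface{}{"data": map[string]string{"username": "app", "password": "s3cr3t-passw0rd"}}})
	})
	mux.HandleFunc("/v1/auth/token/revoke-self", func(w http.ResponseWriter, r *http.Request) {
		if !authed(r) { deny(w); return }
		mu.Lock(); delete(tokens, r.Header.Get("X-Vault-Token")); mu.Unlock()
		w.WriteHeader(http.StatusNoContent)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeVault("constructed-sa-jwt")
	defer srv.Close()
	c := &Client{Addr: srv.URL}
	fmt.Println(c.Login("myapp", "constructed-sa-jwt"))
	fmt.Println(c.ReadKV("myapp/db"))
	fmt.Println(c.RevokeSelf())
	fmt.Println(c.ReadKV("myapp/db")) // fails: the token has been revoked
}
```

In a real cluster the JWT comes from the projected token file under /var/run/secrets/kubernetes.io/serviceaccount/token, the Vault token is short-lived and renewed against its lease rather than stored, and revoking it (or the lease behind a dynamic database credential) is what lets you cut off a compromised pod without rotating the underlying password everywhere.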