Let's Do DevOps: EKS K8s & Python Fuzzy Staging with AWS Secrets Manager, K8s Init disk, Secrets Injection
This blog series focuses on presenting complex DevOps projects as simple and approachable via plain language and lots of pictures. You can do it!
Hey all!
I've been deep diving into K8s' CSI drivers for AWS Secrets Manager and ESO, the External Secrets Operator, an open source project that's similar. Both purport to allow pods to call secrets on demand from external sources on launch. And they do! But they do something that you may not want (and I know I don't want): they replicate your external, well protected and encrypted secrets to the k8s secrets store, where they are less protected.
That has some excellent caching benefits, but the big cost is that your secret passwords and certificates, the keys to your infrastructure and data, now live in a second place. That second location needs to be secured, audited, and monitored with as much rigour as the primary location where your secrets are stored.

That's a pretty significant security architecture expansion, and maybe not one you want or can permit. So I decided to do it my own way. I wrote a Python program that does a fuzzy match (partial search matching to select multiple secrets) against AWS Secrets Manager in an init container. That init container is one I wrote and control, and it stages secrets for an app container in a shared volume. Those secrets can then be injected as arguments for the app container that's launching, using bash cat-ing. This avoids requiring any change in your app containers, pulls secrets directly and dynamically from an external source, and the secret values never leave your pod.
Let's talk about the Python program I wrote first and see how it works.
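To make the init-container side concrete, here is an added example (my own illustration, not the author's program): a Python script that fuzzy-selects secret names from AWS Secrets Manager and stages each one as a 0600 file on the shared volume for the app container to cat into its arguments. The client argument is assumed to be a boto3 secretsmanager client (or anything exposing the same list_secrets / get_secret_value calls), and the SECRET_PATTERN and SECRET_DIR environment variables are my assumptions.

```python
"""Init-container helper: fuzzy-select AWS Secrets Manager secrets and stage
them as files on a shared volume. Added example, not the author's program;
'client' is assumed to expose boto3's list_secrets / get_secret_value calls."""
import fnmatch
import os
import re


def fuzzy_select(names, pattern):
    """Case-insensitive partial match: 'prod/db' selects 'Prod/DB/password'.
    Glob patterns such as 'prod/*/cert' are honoured as well."""
    needle = pattern.lower()
    return sorted(n for n in names
                  if needle in n.lower() or fnmatch.fnmatch(n.lower(), needle))


def list_secret_names(client):
    """Page through list_secrets (boto3 returns at most 100 names per call)."""
    names, kwargs = [], {}
    while True:
        page = client.list_secrets(**kwargs)
        names.extend(s["Name"] for s in page.get("SecretList", []))
        if not page.get("NextToken"):
            return names
        kwargs["NextToken"] = page["NextToken"]


def stage_secrets(client, pattern, dest_dir):
    """Write every matching secret to dest_dir/<sanitised name> with mode 0600
    so only the pod's uid can read it. Returns {secret name: file path}."""
    os.makedirs(dest_dir, mode=0o700, exist_ok=True)
    staged = {}
    for name in fuzzy_select(list_secret_names(client), pattern):
        value = client.get_secret_value(SecretId=name)
        # Secrets Manager returns exactly one of SecretString / SecretBinary
        payload = value["SecretString"] if "SecretString" in value else value["SecretBinary"]
        data = payload.encode() if isinstance(payload, str) else payload
        path = os.path.join(dest_dir, re.sub(r"[^A-Za-z0-9._-]", "_", name))
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        staged[name] = path
    return staged


if __name__ == "__main__":
    import boto3  # only needed when run for real inside the init container
    stage_secrets(boto3.client("secretsmanager"), os.environ["SECRET_PATTERN"],
                  os.environ.get("SECRET_DIR", "/secrets"))  # assumed env vars
```

In the pod spec the app container mounts the same volume and passes a staged file as an argument, e.g. sh -c 'exec app --db-pass "$(cat /secrets/Prod_DB_password)"', and backing the shared volume with an emptyDir of medium: Memory keeps the staged files off the node's disk. The init container's IAM role needs only secretsmanager:ListSecrets plus GetSecretValue scoped to the secrets the pattern is meant to match.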
I've Moved To Lets Do DevOps
From here on out, all content will be published on Lets Do DevOps for free. I want to give back to the community as much as I'm able. Please subscribe there to avoid missing any content. Thanks all ❤.
You can find this article here: