Say hello to Berglas — a way to keep your Secrets a Secret

  1. Third-party solutions like Vault, Mozilla SOPS and Bitnami Sealed Secrets for k8s, which need far too much configuration before you can get started with the simple use case: create secrets, store them encrypted, and let only authenticated and authorized principals retrieve them.
  2. Cloud KMS/HSM solutions, which require integrating SDKs into your code. That is inconvenient because secrets are usually an afterthought, handled after the build is finished and just before deployment.

The workings

Key Steps to get it to Work

1. Install the Berglas CLI on Cloud Shell
2. Use the CLI to bootstrap secrets in a bucket or in Secret Manager
3. KMS key rings and keys are created to symmetrically encrypt the secrets
4. Deploy the Cloud Function that acts as the mutating webhook endpoint
5. Deploy the MutatingWebhookConfiguration referencing that endpoint
6. Create a Berglas secret and grant access to a Cloud service account
7. Create a k8s service account and annotate it to bind it to the Cloud service account
8. Change the PodSpec to reference the Berglas secret
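The eight steps above as a script, an added example not taken from the post or from the Berglas project. Project, bucket, secret, namespace and service-account names are placeholders, and the berglas/gcloud/kubectl commands only run when the script is started with the argument `apply`.

```shell
#!/usr/bin/env sh
# Added example, not from the post or the Berglas project. PROJECT, BUCKET,
# the GSA/KSA names and the secret name "db-password" are assumed placeholders.
set -eu
PROJECT="${PROJECT:-my-project}"
BUCKET="${BUCKET:-my-berglas-bucket}"
GSA="berglas-reader@${PROJECT}.iam.gserviceaccount.com"
NAMESPACE="default"; KSA="berglas-app"

# Steps 2-3: bootstrap creates the bucket plus a KMS key ring/key (berglas/berglas-key).
bootstrap() {
  berglas bootstrap --project "$PROJECT" --bucket "$BUCKET"
}

# Step 6: store the secret envelope-encrypted under the KMS key, then grant read
# access to exactly one Cloud service account (least privilege).
create_and_grant() {
  berglas create "${BUCKET}/db-password" "$1" \
    --key "projects/${PROJECT}/locations/global/keyRings/berglas/cryptoKeys/berglas-key"
  berglas grant "${BUCKET}/db-password" --member "serviceAccount:${GSA}"
}

# Step 7: Workload Identity binds the k8s service account to the Cloud one, so the
# pod inherits the GSA's narrow Berglas permissions without any key file.
bind_identity() {
  gcloud iam service-accounts add-iam-policy-binding "$GSA" \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:${PROJECT}.svc.id.goog[${NAMESPACE}/${KSA}]"
  kubectl annotate serviceaccount "$KSA" -n "$NAMESPACE" \
    "iam.gke.io/gcp-service-account=${GSA}" --overwrite
}

# Step 8: the PodSpec carries only a berglas:// reference; the mutating webhook
# wraps the command so the plaintext is resolved at start-up inside the container.
pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata: {name: app, namespace: ${NAMESPACE}}
spec:
  serviceAccountName: ${KSA}
  containers:
  - name: app
    image: gcr.io/${PROJECT}/app:latest
    command: ["/app/server"]   # the webhook needs an explicit command to wrap
    env:
    - {name: DB_PASSWORD, value: "berglas://${BUCKET}/db-password"}
EOF
}

if [ "${1:-}" = "apply" ]; then
  bootstrap; create_and_grant "${DB_PASSWORD:?export DB_PASSWORD first}"
  bind_identity; pod_manifest | kubectl apply -f -
fi
```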

How to Get Started

GCP services that work with Berglas

Google Kubernetes Engine
Cloud Run
Cloud Build
Cloud Functions
AppEngine Standard & Flex
Init Scripts / Ansible scripts for Google Compute Engine

Other Reading

I work for Google. All views expressed in this publication are my own. Google Cloud | ex-Oracle | Pre-Sales | https://goo.gl/aykaPB

Vamsi Ramakrishnan