Say hello to Berglas — a way to keep your Secrets a Secret
2 min readApr 27, 2022
Your microservice calls other services — a database, an API endpoints or SaaS/ PaaS services and hold credentials to do so. Environment variables or Kubernetes Secrets are not really a secret and suffer from a variety of drawbacks
There are a variety of solutions for this
- 3rd Party solutions like Vault, Mozilla SOPs, Bitnami k8s sealed secrets— which have way too many configurations to be made to get started for the simple use case of Creating Secrets, Storing secrets in an encrypted way, allow only authenticated and authorized principals to retrieve them.
- Cloud KMS/HSM solutions which require integrating the SDKs into your code which is not very convenient as secrets are usually an afterthought after finishing the build prior to deployment.
Enter Berglas — a painless way to manage secrets. Under the hood Berglas uses the Cloud KMS + GCS or Secrets Manager to abstract away the complexity of having to wire these things up yourself.
The workings
Key Steps to get it to Work
1. Berglas CLI installation on Cloud Shell
2. Use the CLI to bootstrap secrets in a bucket or secret manager
3. KMS keyrings are created to symmetrically to encrypt Secrets
4. Deploy the cloud function that acts a webhook mutation endpoint
5. Deploy the Webook Mutating Webhook config referencing endpoint
6. Create a berglas secret, grant access to a cloud service account
7. Create and Annotate k8s service acct to Cloud service acct
8. Change PodSpec to reference Berglas SecretHow to Get Started
GCP Services that works with Berglas
Google Kubernetes Engine
Cloud Run
Cloud Build
Cloud Functions
AppEngine Standard & Flex
Init Scripts / Ansible scripts for Google Compute Engine