Securing your app's communications with Kubernetes, Azure Key Vault, and TLS certificates

@theEugeneRomero

Get the slides: https://damn.engineer/slides

Eugene Romero

WHO AM I?

Managing Cloud Advisor @ Capgemini

 

15+ years in infrastructure and software development

 

Voted "most likely to quote The Simpsons at inappropriate times"

The Problem


Secrets and code should be kept separate until runtime

Secrets should be automatically injected into apps, without human intervention

Secrets management is hard

(A) Solution


Azure Key Vault

Kubernetes Secrets Store CSI Driver

Kubernetes

Kubernetes Secrets Store CSI Driver

Integrates external secrets stores with Kubernetes via a Container Storage Interface (CSI) volume

Lets Kubernetes pull secrets, keys, and certificates from enterprise-grade external secrets stores (such as Azure Key Vault) and mount them into pods as files on a read-only volume, so the application reads them from the filesystem at runtime and they never live in the container image or the chart

Demo


Scenario

Company with internal resources

Internal certificate authority (CA) issues the certificates for those resources

Apps need to access internal sites securely over HTTPS

Demo diagram: frontend → backend (HTTPS, certificate issued by the internal CA)

Demo components

Kubernetes (Minikube)

Azure CLI

Helm chart

Please hold for demo...
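The demo itself is not reproduced in this deck, so here is an added example (my own script, not the talk's demo code or the demo repository) that walks the scenario end to end on a workstation: build an internal CA and a backend certificate with openssl, package it as the PFX that `az keyvault certificate import` expects, and write the SecretProviderClass and pod manifests that make the Secrets Store CSI Driver mount it into the backend pod. The vault name, tenant and identity IDs, host names and the PFX password are placeholders chosen for the example, not values from the talk.

```shell
#!/usr/bin/env bash
# Added example (not the talk's demo code): internal CA -> backend cert -> PFX
# for Key Vault -> CSI driver manifests. All IDs and names below are placeholders.
set -euo pipefail

WORKDIR="${WORKDIR:-./tls-demo}"
KEYVAULT_NAME="${KEYVAULT_NAME:-example-kv}"                                     # assumed
CERT_NAME="${CERT_NAME:-backend-tls}"                                            # assumed
TENANT_ID="${TENANT_ID:-00000000-0000-0000-0000-000000000000}"                   # placeholder
IDENTITY_CLIENT_ID="${IDENTITY_CLIENT_ID:-11111111-1111-1111-1111-111111111111}" # placeholder
PFX_PASS="${PFX_PASS:-changeit}"   # demo only; never hard-code a real password

# Step 1: an internal CA plus a leaf certificate for the backend, signed by it.
make_internal_ca() {
  mkdir -p "$WORKDIR"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/CN=Example Internal CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=backend.internal" \
    -keyout "$WORKDIR/backend.key" -out "$WORKDIR/backend.csr" 2>/dev/null
  # Clients match the SAN, not the CN; a cert without one is rejected by modern TLS stacks.
  printf 'subjectAltName=DNS:backend.internal\nextendedKeyUsage=serverAuth\n' \
    > "$WORKDIR/backend.ext"
  openssl x509 -req -sha256 -days 90 -in "$WORKDIR/backend.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/backend.ext" -out "$WORKDIR/backend.crt" 2>/dev/null
  # Key Vault imports a certificate as PFX or PEM containing the private key and chain.
  openssl pkcs12 -export -passout "pass:$PFX_PASS" \
    -inkey "$WORKDIR/backend.key" -in "$WORKDIR/backend.crt" \
    -certfile "$WORKDIR/ca.crt" -out "$WORKDIR/backend.pfx"
}

# Step 2: the check the frontend performs when it connects: the leaf chains to the
# internal CA and carries the expected SAN. Returns 0 on success, non-zero otherwise.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/backend.crt" >/dev/null &&
    openssl x509 -in "$WORKDIR/backend.crt" -noout -text | grep -q 'DNS:backend.internal'
}

# Step 3: the Kubernetes side. The SecretProviderClass tells the driver what to fetch
# and how to authenticate; the pod mounts it as a read-only CSI volume.
write_manifests() {
  cat > "$WORKDIR/secretproviderclass.yaml" <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: backend-tls
spec:
  provider: azure
  parameters:
    useVMManagedIdentity: "true"
    userAssignedIdentityID: "${IDENTITY_CLIENT_ID}"
    keyvaultName: "${KEYVAULT_NAME}"
    tenantId: "${TENANT_ID}"
    objects: |
      array:
        - |
          objectName: ${CERT_NAME}
          objectType: secret    # "secret" yields private key + cert; "cert" is the public part only
          objectFormat: pem
EOF
  cat > "$WORKDIR/backend-pod.yaml" <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: backend
spec:
  containers:
  - name: backend
    image: nginx:stable
    volumeMounts:
    - name: tls
      mountPath: /etc/tls      # key + cert appear as the file /etc/tls/${CERT_NAME}
      readOnly: true
  volumes:
  - name: tls
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: backend-tls
EOF
}

# Step 4: upload to Key Vault. Only runs on request, since it needs an Azure login.
import_to_keyvault() {
  az keyvault certificate import --vault-name "$KEYVAULT_NAME" \
    --name "$CERT_NAME" --file "$WORKDIR/backend.pfx" --password "$PFX_PASS"
}

main() {
  make_internal_ca
  verify_chain
  write_manifests
  if [ "${1:-}" = "--import" ]; then import_to_keyvault; fi
  echo "artifacts written to $WORKDIR"
}
main "$@"
```

Two caveats a practitioner will hit: with `objectType: secret` the identity needs permission to read the vault's secrets (the secret-get permission, or the Key Vault Secrets User role), not just certificate-get; and managed identity only exists on Azure VMs, so a Minikube cluster like the one in the demo has to authenticate with a service principal instead, supplied through the CSI volume's `nodePublishSecretRef` rather than the `useVMManagedIdentity` parameters shown here.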


More Information

Secrets Store CSI Driver

secrets-store-csi-driver.sigs.k8s.io

 

Demo repository and files

github.com/eugeneromero/kubernetes-tls-azurekeyvault

 

Detailed post and walkthrough

damn.engineer/2022/02/07/tls-cert-azure-keyvault-kubernetes

Get in touch!

@theEugeneRomero

https://damn.engineer/

ask me for a sticker!