Hello everyone and welcome to my talk. Welcome to GitOpsCon. Shout out to the organizers of this conference for the opportunity to speak. The title of my talk is Hiding in Plain Sight, and it is mostly about how Flux lets you store your sensitive credentials in Git. My name is Somtochi Onyekwere. A little about myself: I'm a developer experience engineer at Weaveworks, where I work mostly on Flux. I'm a maintainer of the notification controller project. You can connect with me on Twitter at @SomtochiAma.

So, just a quick refresher for people who are hearing about Flux or GitOps for the first time. This is GitOpsCon, so I'm sure you have more talks delving deep into it. GitOps is an operations methodology. It's a way of deploying your applications and infrastructure where the entire system is described declaratively, just like with Kubernetes and its manifests, and this declarative manifest is stored in a version-controlled system such as Git. Flux sits at number four: software agents ensure correctness and alert on divergence. Flux is a set of controllers that sits on your cluster. It pulls your defined declarative state from Git, applies it on the cluster, and periodically reconciles it to ensure that what you define in Git matches the state on the cluster. So it applies your deployments, your service accounts, and other resources, which include secrets.

So we want to GitOps everything. GitOps brings a lot of business value: increased velocity, developers can focus on developing, and it makes it easy for the infrastructure team to set up. It gives repeatability. And we also want to do this for secrets, right? There are benefits to managing secrets with GitOps. It gives increased security: any changes to your secrets, whether accidental or malicious, you can be sure are going to be reverted within a reasonable time frame. I don't know if anyone has ever deleted a secret on a production cluster. If a secret gets deleted, it's going to be recreated. It also gives you an audit log, since there's a version-controlled history of every change to the file. You can put in an approval process so that before any changes are made, someone from a particular team has to approve, et cetera, et cetera.

So all of this is great, right? But how do we store these files in Git, since they contain sensitive information? They contain passwords, database connection strings, usernames, whatever it might be, configuration files. You don't want just anyone who has access to your repository to be able to have access to the secrets. Yeah, so the answer is to encrypt. Flux enlists the help of two projects: Mozilla SOPS and Sealed Secrets from Bitnami Labs. These are open source projects. This is an example of a collaboration across projects in the open source space.

So for Sealed Secrets: Sealed Secrets has a dedicated controller that runs outside of Flux that is used to decrypt the secrets, and it has a CLI called kubeseal that is used to encrypt the secrets. So kubeseal manages the secrets; it creates the secrets, encrypts and decrypts. Everything just happens, and you would have to deploy it into your cluster. It doesn't come packaged in with Flux; you'd have to deploy it. So if you're already using kubeseal, this is a very handy solution. You would use the kubeseal CLI to encrypt the sensitive fields in your secrets. The kubeseal CLI will encode the encrypted data in the Sealed Secrets custom resource. The kubeseal controller recognizes this resource, and when you push this file to Git, on its next run Flux pulls it and applies it on the cluster. It creates the Sealed Secrets custom resource. Then the kubeseal controller notices the custom resource and acts on it: it decrypts and then applies the secret in the cluster. So that's basically the flow: encrypt using the kubeseal CLI, which produces a custom resource file; push it to Git; Flux pulls the file and applies it on the cluster; and then the kubeseal controller sees the custom resource, encrypts it and then applies it to the secrets.

So Mozilla SOPS is another project. Flux uses the Mozilla SOPS library, so it comes automatically with Flux. It uses open source technologies such as OpenPGP and age. age is the modern, you know, perfect solution for encryption. With this, it also integrates with various cloud providers like GCP KMS, Azure Key Vault, and HashiCorp Vault. So with OpenPGP and age, you can pick your key format, unlike with kubeseal. You don't get to pick your key format or anything with kubeseal; kubeseal makes that decision for you because it does everything on its own. Here you can specify your key format: you provide SOPS with the key and it decrypts it for you, and it encrypts the file for you. So you would tell SOPS to only encrypt the data field, because Flux would require you to only encrypt the data field. You'd encrypt the data field with SOPS by passing in the required flag. If it's PGP, you need to pass in the fingerprint; with GCP KMS, the resource ID. You specify the correct flag and also tell SOPS to only encrypt a particular field; you could give it a regex, so it only encrypts particular fields. When SOPS has encrypted the file, you push it to Git. Now, Flux would pull the encrypted file, or the file with parts of it encrypted. Beforehand you specify in the Kustomization custom resource that you're using Flux to encrypt the secrets. So Flux would check the file and, if it's encrypted with SOPS, it will decrypt it using the SOPS library and then, after decryption, apply the secrets on the cluster. So this is another way that Flux lets you store your secrets encrypted in your Git repository.

So there are three steps here. We encrypt, push to Git (normally you encrypt, then decrypt, but because we are using GitOps we push to Git first), and have Flux pull the file and have it decrypt it itself if you're using SOPS, or the kubeseal controller if you're using Sealed Secrets. So that's a clear picture of that. I've tried to keep it short and sweet because it's a lightning talk and I'm trying to stick to 10 minutes. If you need a guide for that, we have docs on both of them, so take a look at the links. Also, please do stop by our Flux booths. We are always looking forward to meeting new people interested in Flux or looking to know what we're up to. There's the Flux booth online and there's one at KubeCon. Thank you for 10 minutes of your time. You can connect with me on Twitter and GitHub at SomtochiAma. Thank you.
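The SOPS flow described in the talk, written out as configuration. This is an added example, not material from the talk or from the Flux project itself. The `.sops.yaml` rule restricts encryption to the `data` and `stringData` fields of a Kubernetes Secret, as the talk says Flux requires, and the Flux `Kustomization` tells Flux to decrypt with SOPS before applying. The age recipient, the Secret name `sops-age`, the repository path and the `Kustomization` name are placeholders; the `apiVersion` assumes a current Flux release (older releases used `v1beta2`).

```yaml
# .sops.yaml, committed at the root of the Git repository.
# Tells the sops CLI which key to use and which fields to encrypt,
# so `sops --encrypt --in-place secret.yaml` needs no extra flags.
creation_rules:
  - path_regex: clusters/production/.*\.yaml$
    # Only the Secret payload is encrypted; metadata stays readable
    # so Flux can still see the kind, name and namespace.
    encrypted_regex: ^(data|stringData)$
    # Placeholder age public key (recipient). Replace with your own.
    age: age1PLACEHOLDER_RECIPIENT_PUBLIC_KEY
---
# clusters/production/secrets-kustomization.yaml
# Flux Kustomization that reconciles the path containing the
# SOPS-encrypted Secret manifests and decrypts them before applying.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: production-secrets
  namespace: flux-system
spec:
  interval: 10m
  path: ./clusters/production
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    # Kubernetes Secret in flux-system holding the age private key.
    # Its data key must end in .agekey; it is created out of band,
    # never committed to Git.
    secretRef:
      name: sops-age
```

The private key that Flux uses to decrypt is the one thing that does not go through Git: it is created directly on the cluster, for example with `kubectl create secret generic sops-age --namespace=flux-system --from-file=age.agekey=./age.agekey`, and only the public recipient appears in `.sops.yaml`. Anyone with read access to the repository therefore sees the Secret's name and namespace but only ciphertext in `data`, which is the property the talk is after.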