FedRAMP: Using AWS Secret Manager to improve security on Zero-to-JupyterHub-K8s

According to AWS: “Compared to native Kubernetes Secrets, using Secrets Manager has several advantages. First, it allows you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Second, it offers built-in secret rotation for several […]. It’s also extensible in that you can use it rotate other types of secrets. Lastly, it gives you the ability to control access to secrets using fine-grained permissions and audit secret rotation centrally for resources in the AWS Cloud, as well as third-party services and resources that run on-premises.”

Introduction - External Secrets Infrastructure

  1. ExternalSecrets are added in the cluster (make sure kube2iam is already installed as the nodes need to assume the role to encrypt/decrypt and retrieve secrets from AWS)
  2. Controller fetches ExternalSecrets using the Kubernetes API
  3. Controller uses ExternalSecrets to fetch secret data from external providers (e.g, AWS Secrets Manager)
  4. Controller manages insert/update/delete of Secrets
  5. Pods can access Secrets normally

Modifying jupyterhub templates to add possibility to include extraEnv as Secrets

  1. Full Path: jupyterhub/templates/hub/deployment.yaml
  2. Modify env tag in order to enable possibility to use Secrets on environment.
env:
            {{- if .Values.hub.extraEnvSecrets }}
            {{- .Values.hub.extraEnvSecrets | toYaml | trimSuffix "\n" | nindent 12 }}
            {{- end }}

Modifying helm values.yaml to add as many secrets as you need

 extraEnvSecrets:
    - name: extraenv_name1
      valueFrom:
        secretKeyRef:
          name: name-secrets1
          key: key1-secret1
    - name: extraenv_name1
      valueFrom:
        secretKeyRef:
          name: name-secrets1
          key: key2-secret1
    - name: extraenv_name2
      valueFrom:
        secretKeyRef: 
          name: name-secrets2
          key: key1-secret2
    - name: extraenv_name2
      valueFrom:
        secretKeyRef:
          name: name-secrets2
          key: key2-secret2

This avoids exposing passwords or client_secrets as plain text in values.yaml.

1 Like