Ondat backs Trousseau secrets manager for Kubernetes as open source project goes live

Kubernetes stateful app platform supplier Ondat is helping to protect sensitive data in containerised environments with the open source Trousseau product safeguarding the keys needed to access the data.

There is no standard way in the Kubernetes world to protect access to sensitive (secret) data, so many teams have built their own. With enterprises using Kubernetes to run more and more stateful applications, safeguarding sensitive data is becoming more important.

The project lead for Trousseau is Ondat principal cloud architect Romuald Vandepoel, who said in a statement: “There have been previous projects that attempted to solve this problem, but they required adding lots of components. Naturally, security teams didn’t like that approach because it introduced additional complexity, making security more difficult. Secrets management has always been one of the most difficult issues in Kubernetes and Trousseau Vault integration provides the long-sought answer to that problem.”

Ondat diagram

Kubernetes stores its API object definitions and state in etcd. With Trousseau, Secrets are encrypted in flight before they are written to the etcd key-value store, using an envelope encryption scheme in which the data keys are wrapped by a remote transit key held in a key management system (KMS).

Because Trousseau integrates natively with Kubernetes and connects to a KMS, it can protect any Secret that holds critical information, such as database credentials, a configuration file or a Transport Layer Security (TLS) certificate, while applications continue to access that Secret through the standard Kubernetes API primitives.

Any user or workload can keep using the native Kubernetes mechanism for storing and reading secrets safely, while Trousseau plugs into a KMS provider such as HashiCorp Vault (Community and Enterprise editions) through the Kubernetes KMS provider framework. Because the Kubernetes API stays the same, users can move between Kubernetes platforms without changing how secrets are handled.

Trousseau is currently being rolled out in a production customer implementation on SUSE Rancher Kubernetes Engine 2, leveraging Ondat as the data management platform, along with HashiCorp Vault.

For more information, read How to keep a secret secret within Kubernetes, and join the Data on Kubernetes Meetup Unravel the Key to Kubernetes Secrets workshop on February 16.

The project is maintained by Trousseau-io.