What Is Aegis?
Aegis is a Kubernetes-native, lightweight secrets manager that keeps your secrets secret. With Aegis, you can rest assured that your sensitive data is always secure and protected.
Aegis is perfect for securely storing arbitrary configuration information at a central location and securely dispatching it to workloads.
By leveraging Kubernetes security primitives, SPIRE, and strong, industry-standard encryption, Aegis ensures that your secrets are only accessible to trusted and authorized workloads. Aegis’s Cloud Native—secure by default—foundation helps you safeguard your business and protect against data breaches.
Check out Aegis’s GitHub for details.
See Aegis in Action
If you haven’t watched this introductory video yet, now might be a good time 🙂.
After watching it, you may want to watch the following video, which demonstrates further flexibility of Aegis as a Secrets Manager:
Wait, Why Not Use Kubernetes Secrets?
In Kubernetes, secrets can be stored and managed as a resource type called Secret. By default, Kubernetes can store key-value pairs of sensitive data within a specific namespace in the cluster.
These secrets can be fed into containers as either environment variables or files using a Kubernetes volume. However, the default solution may not be enough to securely manage secrets, as it can be challenging to encrypt the YAML files that define the secrets and securely store them.
With Aegis, you don’t have to store secrets in your source code.
In addition, Aegis…
- Has the ability to change secrets dynamically at runtime without having to reboot your workloads,
- Keeps encrypted backups of your secrets,
- Records last creation and last update timestamps for your secrets,
- Has a version history for your secrets,
- Stores backups of your secrets encrypted at rest,
- and more.
These are not achievable by using Kubernetes Secrets only.
Where NOT to Use Aegis
Aegis is not a Database, nor is it a distributed caching layer. Of course, you may tweak it to act like one if you try hard enough, yet, that is generally not a good use of the tool.
Aegis is suitable for storing secrets and dispatching them; however, it is a terrible idea to use it as a centralized database to store everything but the kitchen sink.
Use Aegis to store service keys, database credentials, access tokens, etc.
How Do I Get the Root Token? Where Do I Store It?
Unlike some other secret vaults, you do not need an admin token to operate Aegis 🙂.
The benefit of this approach is that it helps the Ops team #sleepmore, since everything is automated, and you won’t have to manually unlock Aegis upon a system crash, for example.
However, there’s no free lunch, and as the operator of a production system, your homework is to secure access to your cluster. Check out the Production Deployment Guidelines for further instructions about hardening your cluster to securely use Aegis.
Terminology: A Tale of Two Secrets
There are two kinds of secrets mentioned throughout this documentation:
- Secrets that are stored in Aegis Safe: When discussing these, they will be used like a regular word “secret” or, emphasized, “secret”; however, you will never see them in monotype text.
- The other kind of secret is Kubernetes Secret objects. Those types will be explicitly mentioned as “Kubernetes Secrets” in the documentation.
We hope this will clarify any confusion going forward.
Installation
First, ensure that you have sufficient administrative rights on your Kubernetes cluster. Then create a workspace folder (such as $HOME/Desktop/WORKSPACE) and clone the project.
And finally, execute ./hack/install.sh as follows.
# Create the workspace folder and point $WORKSPACE at it
# (note: the variable name, not its value, goes on the left of the "=").
mkdir -p $HOME/Desktop/WORKSPACE
export WORKSPACE=$HOME/Desktop/WORKSPACE
cd $WORKSPACE
# Clone Aegis and run the installer script.
git clone https://github.com/shieldworks/aegis
cd aegis
./hack/install.sh
Verifying Installation
To verify installation, check out the aegis-system namespace:
kubectl get deployment -n aegis-system
# Output:
#
# NAME             READY   UP-TO-DATE   AVAILABLE
# aegis-safe       1/1     1            1
# aegis-sentinel   1/1     1            1
That’s it. You are all set 🤘.
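If you want to script that check (in CI, or as a post-install gate before registering any secrets), the following POSIX shell function is an added example written for this guide, not part of the Aegis project: it reads the `kubectl get deployment -n aegis-system` table on stdin and only succeeds when both aegis-safe and aegis-sentinel are fully READY and AVAILABLE. The two sample tables are constructed, not captured from a real cluster.

```shell
# Post-install readiness check for the aegis-system namespace.
# Expected deployments, as listed in the verification step above.
AEGIS_DEPLOYMENTS="aegis-safe aegis-sentinel"

# aegis_check_ready: reads `kubectl get deployment` table text on stdin.
# Returns 0 only if every expected deployment is present, READY is n/n,
# and AVAILABLE is at least 1; prints one status line per deployment.
aegis_check_ready() {
  _table=$(cat)
  _rc=0
  for _name in $AEGIS_DEPLOYMENTS; do
    # Select the row whose NAME column is exactly this deployment.
    _row=$(printf '%s\n' "$_table" | awk -v n="$_name" '$1 == n')
    if [ -z "$_row" ]; then
      echo "MISSING  $_name"
      _rc=1
      continue
    fi
    _ready=$(printf '%s\n' "$_row" | awk '{print $2}')   # e.g. 1/1
    _avail=$(printf '%s\n' "$_row" | awk '{print $4}')   # AVAILABLE count
    _have=${_ready%/*}
    _want=${_ready#*/}
    if [ "$_have" = "$_want" ] && [ "$_avail" -ge 1 ] 2>/dev/null; then
      echo "READY    $_name ($_ready)"
    else
      echo "NOTREADY $_name (ready=$_ready available=$_avail)"
      _rc=1
    fi
  done
  return $_rc
}

# Constructed sample: a healthy install (not real cluster output).
SAMPLE_HEALTHY='NAME             READY   UP-TO-DATE   AVAILABLE   AGE
aegis-safe       1/1     1            1           2m
aegis-sentinel   1/1     1            1           2m'

# Constructed sample: aegis-sentinel has not come up yet.
SAMPLE_DEGRADED='NAME             READY   UP-TO-DATE   AVAILABLE   AGE
aegis-safe       1/1     1            1           2m
aegis-sentinel   0/1     1            0           2m'

# Live usage against a cluster:
#   kubectl get deployment -n aegis-system | aegis_check_ready
```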
Uninstalling Aegis
Uninstallation can be done by running a script:
cd $WORKSPACE/aegis
./hack/uninstall.sh
Next Steps
Since you have Aegis up and running, here is a list of topics that you can explore next:
- How to Register Secrets to A Workload Using Aegis
- Aegis Go SDK
- Aegis Sentinel CLI Documentation
- A Deeper Dive into Aegis Architecture
In addition, these topics might pique your interest too. To fine-tune your Aegis cluster, use it in production, or learn more about the underlying technologies Aegis uses, the following links can help:
- Aegis Production Deployment Guidelines
- Configuring Aegis
- Aegis Design Decisions
- Core Technologies Aegis Leverages
If you want to develop Aegis in your local development environment, there is a guide for that too:
If you have comments, suggestions, and ideas to share; or if you have found a bug; or if you want to contribute to Aegis, these links might be what you are looking for:
Thanks ❤️
Hope you enjoy using Aegis as much as we do and find it helpful in making your ops teams #sleepmore. May the source be with you 🦄.