08-sealed-secrests.md

File metadata and controls

87 lines (59 loc) · 2.58 KB

Manage Secrets using Sealed Secrets

So far it has been established that every component must be committed to the code repository, which is the single source of truth for changes to the cluster. What about Secret objects?

Secrets cannot be managed in the same way: their contents must be protected before they are added to version control, because a Kubernetes Secret only base64-encodes its values and anyone with read access to the repository could recover them. To achieve this, the Sealed Secrets controller developed by Bitnami has been deployed in the cluster.

kubectl -n admin get pods

NAME                              READY   STATUS    RESTARTS   AGE
sealed-secrets-769745f6db-4cmkb   1/1     Running   0          59m

The following steps will help you create a Secret in Kubernetes while maintaining the GitOps workflow.

Install kubeseal client

kubeseal is the client tool used to encrypt Secret data before it is stored in version control. Because the controller in this cluster runs in the admin namespace under the name sealed-secrets rather than kubeseal's defaults, every kubeseal command below passes --controller-namespace and --controller-name so the client can find it.

kubeseal must be installed at version v0.11.0 or later.

Use the following link to access the installation instructions: https://github.com/bitnami-labs/sealed-secrets/releases/tag/v0.11.0

kubeseal --version \
--controller-namespace=admin \
--controller-name=sealed-secrets

kubeseal version: v0.11.0

Get public key

When the controller starts it generates a key pair. The public key, distributed as a certificate, is what kubeseal uses to encrypt; the private key never leaves the cluster and is held by the controller (stored as a Secret in its namespace), which is the only component able to decrypt a SealedSecret. Protect and back up that private key: if it is lost, every SealedSecret in the repository becomes undecryptable, and if it leaks, every sealed value in the repository can be recovered.

Use the following command to fetch the public certificate:

kubeseal --fetch-cert \
--controller-namespace=admin \
--controller-name=sealed-secrets \
> pub-cert.pem

Generate the Secret manifest locally with kubectl. Because of --dry-run nothing is created in the cluster; the plaintext exists only in magic-text.json on your workstation, so do not commit that file (recent kubectl versions require the explicit form --dry-run=client):

kubectl -n client-def create secret generic magic-text \
--from-literal incantation=kubernetes \
--dry-run \
-o json > magic-text.json

Encrypt the Secret using kubeseal. By default kubeseal seals in strict scope: the ciphertext is bound to the Secret's name and namespace, so the resulting SealedSecret cannot be renamed or moved to another namespace and still decrypt:

kubeseal --format=yaml --cert=pub-cert.pem < magic-text.json > magic-text.yaml

Check that magic-text.yaml contains a SealedSecret whose spec.encryptedData holds only ciphertext (there must be no data or stringData field carrying the original value), then add it to the GitHub repository. Delete magic-text.json once the sealed file is committed, since it still holds the plaintext.

mv magic-text.yaml namespaces/client-def
git add namespaces/client-def/magic-text.yaml
git commit -sm 'Add magic text secret'
git push origin master

Use fluxctl to synchronize the repository with the cluster:

fluxctl sync --k8s-fwd-ns flux-system

Now list the Secrets in the client-def namespace; the controller should have unsealed magic-text into a regular Secret:

kubectl -n client-def get secrets

Check that the value stored in the Secret matches what was sealed (the command should print kubernetes):

kubectl -n client-def get secrets magic-text -o jsonpath='{.data.incantation}' | base64 --decode
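The step above that asks you to check magic-text.yaml before committing it is the one most easily skipped. As an added example (not part of the original page or of the Sealed Secrets project), the following POSIX shell guard automates that check: it rejects any plain Secret manifest carrying data or stringData and accepts only SealedSecret manifests with an encryptedData block. It assumes manifests are single-document YAML files with a top-level kind field, as kubeseal --format=yaml produces; the sample manifests it writes are constructed for the demonstration, and the directory layout namespaces/<ns>/ mirrors the workflow above. It can be wired into a pre-commit hook or a CI job that runs before fluxctl sync.

```bash
#!/bin/sh
# Added example, not from the original page: refuse plaintext Secret manifests
# in a GitOps repository that should only ever contain SealedSecret objects.

# check_manifest FILE
#   returns 0 if FILE is safe to commit (not a Secret, or a SealedSecret with
#            an encryptedData block),
#   returns 1 if FILE is a plain Secret with data/stringData (base64 is not
#            encryption), and
#   returns 2 if FILE is a SealedSecret that carries no encryptedData.
check_manifest() {
  file="$1"
  # Take the first top-level "kind:" value (assumes a single YAML document).
  kind=$(sed -n 's/^kind:[[:space:]]*//p' "$file" | head -n 1 | tr -d '\r')
  case "$kind" in
    Secret)
      if grep -Eq '^(data|stringData):' "$file"; then
        echo "REJECT $file: plain Secret with data/stringData" >&2
        return 1
      fi
      return 0   # a Secret without a payload leaks nothing
      ;;
    SealedSecret)
      if grep -Eq '^[[:space:]]+encryptedData:' "$file"; then
        return 0
      fi
      echo "REJECT $file: SealedSecret without encryptedData" >&2
      return 2
      ;;
    *)
      return 0   # ConfigMaps, Deployments, etc. are out of scope here
      ;;
  esac
}

# check_tree DIR: check every *.yaml / *.yml under DIR; fail if any is rejected.
check_tree() {
  dir="$1"
  rc=0
  for f in $(find "$dir" -type f \( -name '*.yaml' -o -name '*.yml' \)); do
    check_manifest "$f" || rc=1
  done
  return $rc
}

# Demonstration on constructed sample manifests (a hypothetical repository tree).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/namespaces/client-def"
printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: magic-text\n  namespace: client-def\ndata:\n  incantation: a3ViZXJuZXRlcw==\n' \
  > "$demo_dir/namespaces/client-def/plain-secret.yaml"
printf 'apiVersion: bitnami.com/v1alpha1\nkind: SealedSecret\nmetadata:\n  name: magic-text\n  namespace: client-def\nspec:\n  encryptedData:\n    incantation: AgBy...constructed-ciphertext...\n' \
  > "$demo_dir/namespaces/client-def/magic-text.yaml"
if check_tree "$demo_dir"; then
  echo "tree is clean"
else
  echo "tree contains a plaintext Secret; remove it before git add"
fi
rm -rf "$demo_dir"
```

The guard deliberately treats a base64-encoded data block as plaintext: base64 is an encoding, not encryption, and a Secret committed that way is readable by anyone who can clone the repository. It does not parse multi-document YAML; split such files before checking them.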

Next: Cleaning Up