sealed-secrets: Deploy Bitnami Sealed Secrets
[Sealed Secrets] will allow us to store secret values in the Git repository, since the actual secrets are encrypted and can only be decrypted using the private key stored in the Kubernetes cluster.

I have been looking for a better way to deal with secrets for some time now. For one thing, having the secret files ignored by Git means they only exist on my main desktop. If I need to make changes to an application from another machine, I have to not only clone the repository, but also manually copy the secret files. That sort of makes my desktop a single point of failure.

I tried moving all the secret files to another (private) repository and adding it as a submodule, but Kustomize did not like that; it will only load files from the current working directory, or another Kustomize project. Having to create two projects for each application, one for the secrets and one for everything else, would be tedious and annoying.

I also considered encrypting all the secret files with e.g. GnuPG and creating Make recipes for each project to decrypt them before running `kubectl apply`. I eventually want to use Argo CD, though, so that prerequisite step would make that a lot more complex.

Eventually, I discovered [KSOPS] and *Sealed Secrets*. KSOPS operates entirely on the client side, and thus requires a plugin for Kustomize and/or Argo CD in order to work, so it's not significantly different from the GnuPG/Make idea. I like that Sealed Secrets does not require anything on the client side, except when initially creating the manifests for the SealedSecret objects, so Argo CD will "just work" without any extra tools or configuration.

[Sealed Secrets]: https://github.com/bitnami-labs/sealed-secrets
[KSOPS]: https://github.com/viaduct-ai/kustomize-sopsdch-webhooks-secrets
parent d943c936a7
commit 0592f450c4
@ -0,0 +1,31 @@
# Sealed Secrets

[Sealed Secrets] is a tool for Kubernetes that allows administrators to
store secret data securely in manifest files. It is designed to solve
one of the most difficult problems with GitOps workflows: all Kubernetes
resources can be stored in YAML files in a Git repository, except for secrets.
*Sealed Secrets* works by encrypting the actual secret values using asymmetric
encryption; the `kubeseal` client encypts the data with the public key, and the
Sealed Secrets controller decrypts them using its private key. Administrators
only interact with SealedSecret objects, which can be committed to Git, shared
with other administrators, etc.

The Sealed Secrets controller can be installed easily:

```sh
kubectl apply -k sealed-secrets
```

To create new SealedSecret manifests, install the `kubeseal` command from
https://github.com/bitnami-labs/sealed-secrets/releases

```sh
kubectl --dry-run=client create secret generic \
-o yaml \
-n home-assistant mosquitto \
--from-file passwd=home-assistant/mosquitto.passwd \
| kubeseal -o yaml \
> home-assistant/secrets.yaml
```

[Sealed Secrets]: https://github.com/bitnami-labs/sealed-secrets#readme
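Review bot: the `kubeseal` example seals a Secret named `mosquitto` in namespace `home-assistant` but the README does not say that the resulting ciphertext is bound to that name and namespace (kubeseal's default strict scope), so `home-assistant/secrets.yaml` cannot later be renamed or moved to another namespace without re-sealing; add a sentence saying so. It would also help readers to note that the controller's private key is the only thing that can decrypt the committed SealedSecret files, so that key must be backed up (and rotated) outside Git, and that `kubeseal -o yaml` needs cluster access to fetch the public certificate unless a saved certificate is passed with `--cert`. Finally, `encypts` in the sentence starting `encryption; the` should read `encrypts`.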
@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.1/controller.yaml
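Review bot: pinning the controller manifest to the `v0.24.1` release URL is good, but a remote `resources:` entry is fetched at every `kubectl apply -k` and nothing in this kustomization verifies what was downloaded, so the cluster state is not reproducible from Git alone, which is the GitOps goal the README states. Consider vendoring `controller.yaml` into the `sealed-secrets` directory (or at least recording its checksum alongside the URL) so a changed or replaced release asset is noticed rather than silently applied.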