kubernetes/sealed-secrets
Dustin 0592f450c4 sealed-secrets: Deploy Bitnami Sealed Secrets
[Sealed Secrets] will allow us to store secret values in the Git
repository, since the actual secrets are encrypted and can only be
decrypted using the private key stored in the Kubernetes cluster.

I have been looking for a better way to deal with secrets for some time
now.  For one thing, having the secret files ignored by Git means they
only exist on my main desktop.  If I need to make changes to an
application from another machine, I have to not only clone the
repository, but also manually copy the secret files.  That sort of
makes my desktop a single point-of-failure.  I tried moving all the
secret files to another (private) repository and adding it as a
submodule, but Kustomize did not like that; it will only load files from
the current working directory, or another Kustomize project.  Having to
create two projects for each application, one for the secrets and one
for everything else, would be tedious and annoying.  I also considered
encrypting all the secret files with e.g. GnuPG and creating Make
recipes for each project to decrypt them before running `kubectl
apply`.  I eventually want to use Argo CD, though, so that prerequisite
step would make that a lot more complex.  Eventually, I discovered
[KSOPS] and *Sealed Secrets*.  KSOPS operates entirely on the client
side, and thus requires a plugin for Kustomize and/or Argo CD in order
to work, so it's not significantly different than the GnuPG/Make idea.
I like that Sealed Secrets does not require anything on the client side,
except when initially creating the manifests for the SealedSecret
objects, so Argo CD will "just work" without any extra tools or
configuration.

[Sealed Secrets]: https://github.com/bitnami-labs/sealed-secrets
[KSOPS]: https://github.com/viaduct-ai/kustomize-sops
2023-10-13 18:34:01 -05:00
README.md
kustomization.yaml

README.md

Sealed Secrets

Sealed Secrets is a tool for Kubernetes that allows administrators to store secret data securely in manifest files. It is designed to solve one of the most difficult problems with GitOps workflows: all Kubernetes resources can be stored in YAML files in a Git repository, except for secrets. Sealed Secrets works by encrypting the actual secret values using asymmetric encryption; the kubeseal client encrypts the data with the public key, and the Sealed Secrets controller running in the cluster decrypts it using its private key. Administrators only interact with SealedSecret objects, which can be committed to Git, shared with other administrators, etc.

The Sealed Secrets controller can be installed easily:

kubectl apply -k sealed-secrets

To create new SealedSecret manifests, install the kubeseal command from https://github.com/bitnami-labs/sealed-secrets/releases, then pipe a locally rendered Secret manifest through it:

# Render a plain Secret manifest locally (--dry-run=client never sends it to
# the cluster), then hand it to kubeseal, which encrypts each value with the
# controller's public key and writes the SealedSecret manifest for Git.
kubectl --dry-run=client create secret generic \
    -o yaml \
    -n home-assistant mosquitto \
    --from-file passwd=home-assistant/mosquitto.passwd \
    | kubeseal -o yaml \
    > home-assistant/secrets.yaml
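The split of roles described above (kubeseal encrypts with the public key, the controller decrypts with the private key) and the kubeseal step in the command above can be illustrated with the following added example. It is not code from the Sealed Secrets project and does not reproduce its wire format; it assumes a simplified hybrid scheme (a one-time AES-256-GCM session key wrapped with RSA-OAEP) and, as an assumption about scoping, binds each sealed value to the Secret's namespace and name through the OAEP label. The namespace and name (home-assistant/mosquitto) are the page's; the password value and the Seal/Unseal/Demo function names are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// scopeLabel binds a sealed value to one Secret's namespace and name, so a
// blob copied into a differently named Secret cannot be unsealed (assumed scoping rule).
func scopeLabel(namespace, name string) []byte {
	return []byte(namespace + "/" + name)
}

// Seal is the client-side role (what kubeseal does) and needs only the public key.
// Assumed scheme for this example, not the project's wire format: a fresh
// AES-256-GCM session key encrypts the plaintext, and that key is wrapped with
// RSA-OAEP (SHA-256) using the namespace/name scope as the OAEP label.
// Output layout: 2-byte big-endian length of the wrapped key, wrapped key, ciphertext.
func Seal(pub *rsa.PublicKey, namespace, name string, plaintext []byte) ([]byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// An all-zero nonce is acceptable only because the session key is used exactly once.
	nonce := make([]byte, gcm.NonceSize())
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)

	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, scopeLabel(namespace, name))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, 2+len(wrapped)+len(ciphertext))
	out = append(out, byte(len(wrapped)>>8), byte(len(wrapped)))
	out = append(out, wrapped...)
	return append(out, ciphertext...), nil
}

// Unseal is the in-cluster controller's role and needs the private key.
// It fails if the key is wrong or the namespace/name differ from sealing time.
func Unseal(priv *rsa.PrivateKey, namespace, name string, sealed []byte) ([]byte, error) {
	if len(sealed) < 2 {
		return nil, errors.New("sealed blob too short")
	}
	n := int(sealed[0])<<8 | int(sealed[1])
	if len(sealed) < 2+n {
		return nil, errors.New("sealed blob truncated")
	}
	wrapped, ciphertext := sealed[2:2+n], sealed[2+n:]
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, scopeLabel(namespace, name))
	if err != nil {
		return nil, fmt.Errorf("unwrap session key (wrong key or scope mismatch): %w", err)
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), ciphertext, nil)
}

// Demo seals a constructed Mosquitto password for the page's home-assistant/mosquitto
// Secret and checks that it unseals there but not under another namespace. It returns
// the recovered plaintext and whether the cross-scope unseal was rejected.
func Demo() (string, bool, error) {
	// The controller's key pair; in a real deployment only the public half leaves the cluster.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	plaintext := []byte("mqtt-user:constructed-example-password") // constructed sample, not a real credential
	sealed, err := Seal(&priv.PublicKey, "home-assistant", "mosquitto", plaintext)
	if err != nil {
		return "", false, err
	}
	got, err := Unseal(priv, "home-assistant", "mosquitto", sealed)
	if err != nil {
		return "", false, err
	}
	_, crossErr := Unseal(priv, "default", "mosquitto", sealed)
	return string(got), crossErr != nil, nil
}

func main() {
	got, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("unsealed: %q\ncross-namespace unseal rejected: %v\n", got, rejected)
}
```

The point of the scope label is the GitOps property the README relies on: a sealed blob committed for one Secret is useless if someone pastes it into a Secret in another namespace, because the controller's decryption fails rather than silently producing the value elsewhere. Only the private key inside the cluster can ever turn the committed bytes back into the secret.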