
Introduction to Bitnami Sealed Secrets in Kubernetes

How to store your secrets in GitHub using Sealed Secrets and Kubeseal

Nowadays, in the Kubernetes era, all of our manifests are stored in an SCM tool like GitHub, GitLab, BitBucket, etc. But where are your Kubernetes secrets stored? Do you store them in an SCM tool? If yes, you probably want to delete them from SCM right away, because Kubernetes secrets are only base64 encoded: anyone who knows the command base64 -d can decode them. So where do you store your secrets now? Maybe keep all the manifests in GitHub and store the secrets elsewhere, then write a wrapper that pulls the files from multiple places? Or maybe create all the secrets manually? What if you forget the value of one of the secrets? What if you lose your machine and all the secrets are exposed? To avoid all this, here comes the life saver: SealedSecrets. kubeseal is a utility that converts Secrets into SealedSecrets, which means that a secret sealed by kubeseal can only be decrypted by the controller in the Kubernetes cluster from which the SealedSecret resource was created. Sounds interesting? Let us explore Kubeseal and SealedSecrets in this article.

Sealing the secrets

What is the entire story all about? (TLDR)

  1. Install kubeseal and sealed secrets in our Kubernetes Cluster.
  2. Create a docker registry secret.
  3. Seal the Docker Registry secret using Kubeseal ( With our own certificates ) and create a SealedSecret out of it.
  4. Finally, store the secrets in GitHub.

Prerequisites

  1. A Kubernetes cluster ( Can be either On-Prem, AKS, EKS, GKE, Kind ).
  2. GitHub Account ( Optional ).

Installing kubeseal and sealed secrets

I have written a Makefile for the purpose of easier installation. This Makefile contains targets for installing helm, kubeseal, and the SealedSecrets helm chart.

Let us now download this Makefile to install all the components in our Kubernetes cluster.

curl -s -o Makefile https://gist.githubusercontent.com/pavan-kumar-99/e1a2a88c467fd470d9c98a43341c0b9a/raw/ceadb9fe21c53d605be895df24585696f587858f/Makefile
make install_kubeseal

This would now install the kubeseal utility on your machine. Before installing sealed secrets, let us understand how the sealed secrets controller and kubeseal work. kubeseal uses asymmetric crypto to encrypt secrets that only the controller can decrypt. The controller generates its own certificates when it is deployed for the first time, and it also manages their renewal for you. kubeseal then uses the controller's default certificate to seal your secrets. However, you can also bring your own certificates and encrypt the secrets with those. Alright !! Enough of the theory, let us now get into action.

Before we install the sealed secrets controller let us first create our certificates for the controller to seal our secrets.

export PRIVATEKEY="seal.key"
export PUBLICKEY="seal.crt"
export NAMESPACE="kube-system"
export SECRETNAME="seal-cert"
openssl req -x509 -nodes -newkey rsa:4096 -keyout "$PRIVATEKEY" -out "$PUBLICKEY" -subj "/CN=sealed-secret/O=sealed-secret"
kubectl -n "$NAMESPACE" create secret tls "$SECRETNAME" --cert="$PUBLICKEY" --key="$PRIVATEKEY"
kubectl -n "$NAMESPACE" label secret "$SECRETNAME" sealedsecrets.bitnami.com/sealed-secrets-key=active

Let us now deploy the sealed secret controller helm chart to our cluster using the same Makefile. This would now create all the components needed for sealed secrets to be functional.

make install_sealed_secrets
Image showing the sealed secrets components

So now we have our certificates ready to seal/unseal our secrets. You can see in the sealed secrets pod logs that it picks up the secret we created. Additionally, you can verify that the kubeseal utility is using the same key we provided by running the following command; the two md5sum values should be identical.

kubeseal --fetch-cert | md5sum && md5sum seal.crt
33554d5ff564c8e4c52c2c66fd3b855f  -
33554d5ff564c8e4c52c2c66fd3b855f  seal.crt

Create a docker registry secret and Seal it with Kubeseal

Let us now create a secret and then seal it using kubeseal.

kubectl create secret docker-registry pavan-docker-creds --docker-username=pavan --docker-password=mypassword123 --docker-email=[email protected] --dry-run=client -o yaml | kubeseal -o yaml
# kubeseal -o yaml: output the SealedSecret in YAML format.
Sealed secret

You can now push the sealed secret into any SCM. Only the sealed secrets controller has access to unseal it. Whenever the SealedSecret resource is applied, the controller automatically decrypts it and creates the corresponding Kubernetes Secret (base64) for you.

kubectl create secret docker-registry pavan-docker-creds --docker-username=pavan --docker-password=mypassword123 --docker-email=[email protected] --dry-run=client -o yaml | kubeseal -o yaml | kubectl apply -f -
The secret resource being created

Now if you clearly observe the ownerReferences of this secret it points to the SealedSecret created by us earlier.

And now you can safely push your secrets to SCM. I have already pushed my secrets to GitHub using kubeseal and SealedSecrets. Are you doing the same?
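As an added example that is not part of the original article, here is a shell check a pre-push hook or CI job can run over the manifests so that only SealedSecret resources, never plain Secrets, reach GitHub; the sample manifests, file names and placeholder ciphertext are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): a pre-push / CI check that refuses to let a plain
# Kubernetes Secret reach git and accepts only SealedSecret manifests. File names are hypothetical.

# check_manifest FILE -> returns 0 if FILE is safe to commit, 1 if it must be rejected.
check_manifest() {
  f="$1"
  # A plain Secret is only base64-encoded: anyone with `base64 -d` reads it.
  if grep -q '^kind:[[:space:]]*Secret[[:space:]]*$' "$f"; then
    echo "REJECT $f: plain Secret (base64 is encoding, not encryption)" >&2
    return 1
  fi
  # A SealedSecret must carry encryptedData and must not keep data/stringData fields.
  if grep -q '^kind:[[:space:]]*SealedSecret[[:space:]]*$' "$f"; then
    if ! grep -q '^[[:space:]]*encryptedData:' "$f"; then
      echo "REJECT $f: SealedSecret without encryptedData" >&2
      return 1
    fi
    if grep -Eq '^[[:space:]]*(data|stringData):' "$f"; then
      echo "REJECT $f: SealedSecret still holds unencrypted data fields" >&2
      return 1
    fi
  fi
  return 0
}

WORK=$(mktemp -d)
# Constructed sample: what `kubectl create secret ... --dry-run=client -o yaml` emits.
PLAIN_SECRET="$WORK/plain-secret.yaml"
cat > "$PLAIN_SECRET" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: pavan-docker-creds
data:
  .dockerconfigjson: eyJhdXRocyI6e319
EOF

# Constructed sample of the `kubeseal -o yaml` shape; the ciphertext is a placeholder.
SEALED_SECRET="$WORK/sealed-secret.yaml"
cat > "$SEALED_SECRET" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: pavan-docker-creds
spec:
  encryptedData:
    .dockerconfigjson: AgB...PLACEHOLDER-CIPHERTEXT
EOF
```

Newer controller versions also allow a plaintext spec.template.data block for templated, non-secret values; if you rely on it, relax the data/stringData check to ignore that section.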

Conclusion

Thanks for reading my article. Hope you have liked it. Here are some of my other articles that may interest you.

Recommended

  1. Introduction to Jenkins Operator: https://readmedium.com/introduction-to-jenkins-operator-f4cb7ebc2e0b
  2. Introduction to External DNS in Kubernetes: https://readmedium.com/introduction-to-external-dns-in-kubernetes-654aa4cf38e6
  3. Creating a GKE Cluster with GitHub Actions: https://readmedium.com/creating-a-gke-cluster-with-github-actions-dd34e2de50a6
  4. Introduction to Kustomize: https://pavan1999-kumar.medium.com/introduction-to-kustomize-97f990dc2f44

Reference

  1. bitnami-labs/sealed-secrets: https://github.com/bitnami-labs/sealed-secrets
