Overview
Managing secrets securely in a GitOps workflow is a critical challenge. Storing plain Kubernetes secrets in a Git repository is risky because anyone with access to the repository can view them. Sealed Secrets, an open-source project by Bitnami, provides a way to encrypt secrets before storing them in Git, ensuring they remain secure.
Key Takeaways:
- Securely store Kubernetes secrets in a Git repository.
- Automate secret management using GitOps principles.
- Ensure secrets can only be decrypted by the Kubernetes cluster.
Step 1: Install Sealed Secrets Controller
The Sealed Secrets Controller runs in the Kubernetes cluster and is responsible for decrypting Sealed Secrets into regular Kubernetes secrets.
Install via Helm
helm repo add bitnami https://charts.bitnami.com/bitnami
helm install sealed-secrets bitnami/sealed-secrets --namespace kube-system
Verify installation:
kubectl get pods -n kube-system | grep sealed-secrets
kubectl get svc -n kube-system | grep sealed-secrets
Step 2: Install Kubeseal CLI
To encrypt secrets locally before committing them to Git, install the kubeseal CLI:
Linux Installation
wget https://github.com/bitnami-labs/sealed-secrets/releases/latest/download/kubeseal-linux-amd64 -O kubeseal
chmod +x kubeseal
sudo mv kubeseal /usr/local/bin/Overview
Verify installation:
kubeseal --version
Step 3: Create a Kubernetes Secret
Let’s create a secret for a database password.
Create a file named secret.yaml:
apiVersion: v1
kind: Secret
metadata:
name: my-secret
namespace: default
type: Opaque
data:
DB_PASSWORD: cGFzc3dvcmQ= # Base64 encoded "password"
Apply the secret:
kubectl apply -f secret.yaml
Step 4: Encrypt the Secret Using Kubeseal
Use the kubeseal CLI to encrypt the secret so it can be safely stored in Git.
kubeseal --controller-name=sealed-secrets \
--controller-namespace=kube-system \
--format=yaml < secret.yaml > sealed-secret.yaml
The output sealed-secret.yaml will contain an encrypted version of the secret.
Example:
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: my-secret
namespace: default
spec:
encryptedData:
DB_PASSWORD: AgA+...long_encrypted_value...==
Now, delete the original secret from the cluster:
kubectl delete secret my-secret
Step 5: Apply Sealed Secret to Kubernetes
Deploy the sealed secret to Kubernetes:
kubectl apply -f sealed-secret.yaml
The Sealed Secrets Controller will automatically decrypt it and create a regular Kubernetes secret.
Verify the secret is recreated:
kubectl get secrets
Step 6: Push to GitHub for GitOps
Now, let’s commit the sealed secret to GitHub so it can be managed in a GitOps workflow.
Initialize a Git Repository (If Not Already Done)
git init
git remote add origin https://github.com/ArvindRaja45/deploy.git
Add and Commit Sealed Secret
git add sealed-secret.yaml
git commit -m "Added sealed secret for GitOps"
git push origin main
Step 7: Automate Deployment with GitHub Actions
To deploy the sealed secret automatically, create a GitHub Actions workflow.
Create a new file: .github/workflows/deployment.yaml
Push the Workflow to GitHubname: Deploy Sealed Secret
on:
push:
branches:
- main
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up kubectl
uses: azure/setup-kubectl@v3
with:
version: 'latest'
- name: Configure Kubeconfig
run: echo "$KUBECONFIG_DATA" | base64 --decode > kubeconfig.yaml
- name: Deploy Sealed Secret
run: kubectl apply -f sealed-secret.yaml --kubeconfig=kubeconfig.yaml
Push the Workflow to GitHub
git add .github/workflows/deployment.yaml
git commit -m "Added GitHub Actions deployment workflow"
git push origin main
Conclusion
Using Sealed Secrets, we achieved:
- Secure secret management in GitOps workflows.
- Automated deployments with GitHub Actions.
- No plaintext secrets in Git repositories.
This setup ensures that secrets remain encrypted at rest, providing a secure and automated way to manage secrets in a Kubernetes environment.
Have you used Sealed Secrets in your GitOps workflow? Share your experience!
