Sealed Secrets
Overview
Sealed Secrets lets you store the Kubernetes secrets encrypted. The encrypted secrets can only be decrypted by the controller running in the target cluster.
Sealed Secrets is composed of two parts:
- A cluster-side controller / operator
- A client-side utility: kubeseal
The kubeseal utility uses asymmetric crypto to encrypt secrets that only the controller can decrypt.
These encrypted secrets are encoded in a SealedSecret resource.
What Will You Do
In this exercise,
- You will create a cluster blueprint with "Sealed Secrets" addon
- You will then apply this cluster blueprint to a Rafay managed cluster
Important
This tutorial describes the steps to create and use a Sealed Secrets based blueprint using the Rafay Console. The entire workflow can also be fully automated and embedded into an automation pipeline.
Assumptions
- You have already provisioned or imported a Kubernetes cluster using Rafay
Step 1: Download Sealed Secrets Manifest and Kubeseal client
In this example, we will be using SealedSecrets v0.13.1. Follow the below steps to download this release.
To download the controller:
curl -Lo sealed-secrets-controller.yaml https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.13.1/controller.yaml
To download kubeseal client on Linux:
curl -Lo kubeseal https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.13.1/kubeseal-linux-amd64
sudo install -m 755 kubeseal /usr/local/bin/kubeseal
To download kubeseal client on Mac:
curl -Lo kubeseal https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.13.1/kubeseal-darwin-amd64
sudo install -m 755 kubeseal /usr/local/bin/kubeseal
Step 2: Create Addon
- Log in to the Rafay Console and navigate to your Project as an Org Admin or Infrastructure Admin
- Under Infrastructure, select "Namespaces" and create a new namespace called "kube-system"
- Select "Addons" and "Create" a new Addon called "sealed-secrets"
- Ensure that you select "k8s YAML" as the type and "kube-system" as the namespace
- Click CREATE to go to the next step
- Select "New Version" and name it "v0.13.1"
- Select Upload and choose the controller manifest downloaded in the previous step.
- Click "SAVE CHANGES"
Step 3: Create Blueprint
Now, we are ready to assemble a custom cluster blueprint using this addon.
- Under Infrastructure, select "Blueprints"
- Create a new blueprint and give it a name such as "sealed-secrets"
- Select "New Version" and give it a version name. Ex: v0.13.1
- Under Add-Ons, select "ADD MORE" and choose the "sealed-secrets" addon created in Step 2.
- Click "SAVE CHANGES"
Step 4: Apply Blueprint
Now, we are ready to apply this blueprint to a cluster.
- Click on Options for the target Cluster in the Rafay Console
- Select "Update Blueprint", choose the "sealed-secrets" blueprint from the dropdown, and choose "v0.13.1" as the version.
- Click on "Save and Publish".
This will start the deployment of the addons configured in the "sealed-secrets" blueprint to the targeted cluster. The blueprint sync process can take a few minutes. Once complete, the cluster will display the current cluster blueprint details and whether the sync was successful or not.
Step 5: Verify Deployment
Users can optionally verify whether the correct resources have been created on the cluster.
- Click on the Kubectl button on the cluster to open a virtual terminal
kubectl get po -n kube-system
NAME READY STATUS RESTARTS AGE
sealed-secrets-controller-6c99898f67-m6jjf 1/1 Running 0 47m
Also make sure that the sealed secrets key has been created as a secret in the kube-system namespace.
kubectl get secrets -n kube-system
NAME TYPE DATA AGE
sealed-secrets-keyntspg kubernetes.io/tls 2 48m
Step 6: Encrypt Secrets using Sealed Secrets
Now that Sealed Secrets is running in the cluster, we can encrypt secrets using the kubeseal client. To do this, the kubeseal client needs access to the cluster to fetch the controller's certificate every time you encrypt a secret. Alternatively, you can fetch the certificate from the cluster once and store it on your local disk using the command below:
kubeseal --fetch-cert > sealed-secrets-cert.pem
Let's encrypt the k8s secret below using kubeseal.
apiVersion: v1
kind: Secret
metadata:
  name: mysql-creds
  namespace: demo
data:
  password: dDg1eGIybXJtNQ==
Write the above contents to a file called mysql-secret.yaml. Execute the below command to encrypt the secret.
kubeseal < mysql-secret.yaml -o yaml > mysql-sealed-secret.yaml
Note
By default kubeseal produces JSON output. Pass "-o yaml" to kubeseal to get YAML output instead.
Your encrypted secret will look like this:
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: mysql-creds
  namespace: demo
spec:
  encryptedData:
    password: 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
  template:
    metadata:
      creationTimestamp: null
      name: mysql-creds
      namespace: demo
You can apply this SealedSecret yaml to the cluster in the demo namespace.
kubectl apply -f mysql-sealed-secret.yaml -n demo
Once the Sealed Secrets controller unseals it, you will see that the Secret has been created in the demo namespace.
Note
Sealed Secrets has the following scopes:
- strict (default): the secret must be sealed with exactly the same name and namespace. These attributes become part of the encrypted data, so changing the name and/or namespace leads to a "decryption error".
- namespace-wide: you can freely rename the sealed secret within a given namespace.
- cluster-wide: the secret can be unsealed in any namespace and can be given any name.
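As an added example (not from this page or the Sealed Secrets project), here is a pre-apply check in Python over kubeseal's default JSON output that applies the scope rules above: it reads the annotations kubeseal sets for the namespace-wide and cluster-wide scopes (annotation names taken from the upstream Sealed Secrets documentation, not from this page) and flags a name or namespace that was edited after sealing, which under the strict scope would otherwise surface only as a controller "decryption error". The sample manifest and its ciphertext value are constructed placeholders.

```python
import copy
import json

# Annotations kubeseal sets on a SealedSecret for the two non-default scopes.
NAMESPACE_WIDE = "sealedsecrets.bitnami.com/namespace-wide"
CLUSTER_WIDE = "sealedsecrets.bitnami.com/cluster-wide"

# Constructed sample shaped like kubeseal's default JSON output for the page's
# mysql-creds secret; the ciphertext value is a placeholder, not real output.
SEALED = json.loads("""{
  "kind": "SealedSecret",
  "apiVersion": "bitnami.com/v1alpha1",
  "metadata": {"name": "mysql-creds", "namespace": "demo", "creationTimestamp": null},
  "spec": {
    "template": {"metadata": {"name": "mysql-creds", "namespace": "demo"}},
    "encryptedData": {"password": "PLACEHOLDER-CIPHERTEXT"}
  }
}""")

def sealed_scope(sealed):
    """Scope the controller unseals under: strict unless an annotation widens it."""
    ann = sealed.get("metadata", {}).get("annotations") or {}
    if ann.get(CLUSTER_WIDE) == "true":
        return "cluster-wide"
    if ann.get(NAMESPACE_WIDE) == "true":
        return "namespace-wide"
    return "strict"

def check_sealed_secret(sealed):
    """Pre-apply lint: list edits that would end in a controller 'decryption error'."""
    scope = sealed_scope(sealed)
    meta = sealed.get("metadata", {})
    # kubeseal copies the input Secret's name/namespace into spec.template.metadata,
    # so a mismatch with metadata means the manifest was renamed after sealing.
    tmpl = sealed.get("spec", {}).get("template", {}).get("metadata", {})
    problems = []
    if scope != "cluster-wide" and meta.get("namespace") != tmpl.get("namespace"):
        problems.append("namespace changed after sealing (%s scope)" % scope)
    if scope == "strict" and meta.get("name") != tmpl.get("name"):
        problems.append("name changed after sealing (strict scope)")
    return problems

def edited_copy(sealed, annotation=None, **metadata):
    """Copy with metadata fields (name, namespace) edited, simulating a change after sealing."""
    edited = copy.deepcopy(sealed)
    edited["metadata"].update(metadata)
    if annotation:
        edited["metadata"].setdefault("annotations", {})[annotation] = "true"
    return edited
```

Run `check_sealed_secret` on a manifest before `kubectl apply`; an empty list means the controller will find the name and namespace it expects for that scope.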
Recap
Congratulations! You have successfully created a custom cluster blueprint with the "sealed-secrets" addon and applied it to a cluster.