Skip to content

Sealed Secrets

Overview

Sealed Secrets lets you store the Kubernetes secrets encrypted. The encrypted secrets can only be decrypted by the controller running in the target cluster.

Sealed Secrets is composed of two parts:

  • A cluster-side controller / operator
  • A client-side utility: kubeseal

The kubeseal utility uses asymmetric crypto to encrypt secrets that only the controller can decrypt.

These encrypted secrets are encoded in a SealedSecret resource.

What Will You Do

In this exercise,

  • You will create a cluster blueprint with "Sealed Secrets" addon
  • You will then apply this cluster blueprint to a Rafay managed cluster

Important

This tutorial describes the steps to create and use a Sealed Secrets based blueprint using the Rafay Console. The entire workflow can also be fully automated and embedded into an automation pipeline.

Assumptions

  • You have already provisioned or imported a Kubernetes cluster using Rafay

Step 1: Download Sealed Secrets Manifest and Kubeseal client

In this example, we will be using SealedSecrets v0.13.1. Follow the below steps to download this release.

To download the controller:

curl -Lo sealed-secrets-controller.yaml https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.13.1/controller.yaml

To download kubeseal client on Linux:

curl -Lo kubeseal https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.13.1/kubeseal-linux-amd64
sudo install -m 755 kubeseal /usr/local/bin/kubeseal

To download kubeseal client on Mac:

curl -Lo kubeseal https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.13.1/kubeseal-darwin-amd64
sudo install -m 755 kubeseal /usr/local/bin/kubeseal

Step 2: Create Addon

  • Login into the Rafay Console and navigate to your Project as an Org Admin or Infrastructure Admin
  • Under Infrastructure, select "Namespaces" and create a new namespace called "kube-system"
  • Select "Addons" and "Create" a new Addon called "sealed-secrets"
  • Ensure that you select "k8s YAML" for type and select the namespace as "kube-system"
  • Click CREATE to next step
  • Select "New Version" and give it a name called "v0.13.1"
  • Select Upload and chose the controller manifest downloaded from previous step.
  • Click "SAVE CHANGES"

Create Sealed Secrets addon

Step 3: Create Blueprint

Now, we are ready to assemble a custom cluster blueprint using this addon.

  • Under Infrastructure, select "Blueprints"
  • Create a new blueprint and give it a name such as "sealed-secrets"
  • Select "New Version" and give it a version name. Ex: v0.13.1
  • Under Add-Ons, select "ADD MORE" and choose the "sealed-secrets" addon created in Step 3.
  • Click "SAVE CHANGES"

Create Custom Blueprint

Step 4: Apply Blueprint

Now, we are ready to apply this blueprint to a cluster.

  • Click on Options for the target Cluster in the Rafay Console
  • Select "Update Blueprint" and select the "sealed-secrets" blueprint from the dropdown and for the version select "v0.13.1" from the dropdown.
  • Click on "Save and Publish".

This will start the deployment of the addons configured in the "sealed-secrets" blueprint to the targeted cluster. The blueprint sync process can take a few minutes. Once complete, the cluster will display the current cluster blueprint details and whether the sync was successful or not.

Step 5: Verify Deployment

Users can optionally verify whether the correct resources have been created on the cluster.

  • Click on the Kubectl button on the cluster to open a virtual terminal
kubectl get po -n kube-system
NAME                                         READY   STATUS    RESTARTS   AGE
sealed-secrets-controller-6c99898f67-m6jjf   1/1     Running   0          47m

Also make sure sealed secrets key got created as a secret in kube-system namespace.

kubectl get secrets -n kube-system
NAME                                             TYPE                                  DATA   AGE
sealed-secrets-keyntspg                          kubernetes.io/tls                     2      48m

Step 6: Encrypt Secrets using Sealed Secrets

Now that we have the Sealed secrets running in the cluster, we can encrypt the secrets using kubeseal client. To do this, kubeseal client needs access to the cluster to fetch the certificate every time you need to encrypt the secret. You can also get the certificate from the cluster and store it in your localdisk using the below command:

kubeseal --fetch-cert > sealed-secrets-cert.pem

Lets encrypt the below k8s secret using kubeseal.

apiVersion: v1
kind: Secret
metadata:
  name: mysql-creds
  namespace: demo
data:
  password: dDg1eGIybXJtNQ==

Write the above contents to a file called mysql-secret.yaml. Execute the below command to encrypt the secret.

kubeseal < mysql-secret.yaml -o yaml > mysql-sealed-secret.yaml

Note

By default kubeseal gives json output. You can specify the yaml output format using "-o yaml" to kubeseal.

Your encrypted secret will look like this:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: mysql-creds
  namespace: demo
spec:
  encryptedData:
    password: AgA8UIWPwPHKs5H8QV+MdeB3O8Jq13PHTNroj4OGYU1bBzbYW5FvS0qoR4dN7Yas0MwSWTdzkACjMSidEh4WE92h75YUc85/5DpIq75GJMLq2R02L2KUEDKU//swsl4r5c6NZjCgYwnxXOXbbcL+uE2TlsUpAqZYU7V6G0OkgRKWvZ7EjQoYaFEp1fUv/JqFCEQaUVCGy1ykHkQygIAUfS8DFgrAIdSglXPak5qZqwo6YE0HkVHdZt62bn3Tow402sw/gVBrRhm5XAnrEOFEKe6cSY+L97swXyE5kab39Xqy+ED78WlswWlQvbK02WzbDv/6M/7lmw7m3eDoINMcNXGIHD09WUGNF8JmuwytNg+wMwCqxJGNmWCpwOpWhkQ8i8EET6bHXb00ZcksLb8s0UzNL2N+JRuO+vibFAQcAyJ0aAm8Ie3Sq7WlnG9jXAslpiDKHhVQ0tVhWZSNOcbgL1Wyz2hpz3MDNgqr2ld7etIPbIisARYl5mmruTosu+EWDypLi+hjpOB1PCkQ8WB3hmftIrUdD1FdNBaNnEVTsfXQtgZ80iq29fKh24DJYzeqMy/+OXtxzfBbN3hi65gif73w0BUInk8wmcSrVHpPDLBItwpUaQaxs3wNMN7k+AJ+rgh8AY2CW2eWI+1qHewZSyqQhtOuRM6py+RgNF4FTZ6V4kzscPxVwk59cRCa2rZzvCzMqelYimf8q6ok
  template:
    metadata:
      creationTimestamp: null
      name: mysql-creds
      namespace: demo

You can apply this Sealedsecret yaml to the cluster in the demo namespace.

kubectl apply -f mysql-sealed-secret.yaml -n demo

Once the Sealed Secret controller unseals this, you will see that Secret got created in the demo namespace.

Note

Sealed secrets has the following scopes: 

- strict (default): the secret must be sealed with exactly the same name and namespace. These attributes become part of the encrypted data and thus changing name and/or namespace would lead to "decryption error".
- namespace-wide: you can freely rename the sealed secret within a given namespace.
- cluster-wide: the secret can be unsealed in any namespace and can be given any name.

Recap

Congratulations! You have successfully created a custom cluster blueprint with the "sealed-secret" addon and applied to a cluster.