Sealed Secrets

by Bitnami Labs

Sealed Secrets is a way to safely store encrypted secrets inside Git repositories that can only be decrypted by the controller running in the target cluster. The controller will transparently convert sealed secrets into regular Kubernetes secrets for workloads to consume.

TL;DR:

  • Installing, updating or removing follows Kubestack's GitOps flow.
  • Instructions assume the default repository layout.
  • Bases can be consumed as-is or customized.
  • Step-by-step instructions are framework specific but bases can be used independently.

Install

  1. Vendor the base

    # Run these commands from the root of your Kubestack infra repository
    wget https://storage.googleapis.com/catalog.kubestack.com/sealed-secrets-v0.13.1-kbst.0.zip
    unzip -d manifests/bases/ sealed-secrets-v0.13.1-kbst.0.zip
    rm sealed-secrets-v0.13.1-kbst.0.zip
  2. Include resource in apps overlay

    cd manifests/overlays/apps
    kustomize edit add resource ../../bases/sealed-secrets/base
  3. Commit and push

    cd -
    git checkout -b add-sealed-secrets
    git add manifests/bases/sealed-secrets manifests/overlays/apps/kustomization.yaml
    git commit -m "Add sealed-secrets v0.13.1-kbst.0 base"
    git push origin add-sealed-secrets
  4. Review PR and merge

    Finally, review and merge the PR into master. Once it has been successfully applied against the Ops-Cluster, set a prod-deploy tag to also apply the change against the Apps-Cluster.
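With the controller in the apps overlay, the only secret manifests that belong in this repository are SealedSecret objects; a plain Secret in the tree is a plaintext credential in version control. The following script is an added example, not part of the Kubestack catalog or the Sealed Secrets project: it scans a manifests directory for plain "kind: Secret" files and can run as a pre-commit hook or CI step before the PR is merged. The sample manifests and their values are constructed for the demonstration.

```shell
# Repository guard for a Kubestack infra repo: list manifests that declare a
# plain "kind: Secret". With the sealed-secrets controller in place, only
# SealedSecret objects belong in Git; a plain Secret in the tree is a
# plaintext credential in version control.
set -eu

# Print every *.yaml/*.yml file under $1 containing a line "kind: Secret".
# The anchored pattern does not match "kind: SealedSecret".
find_plain_secrets() {
  grep -rlE --include='*.yaml' --include='*.yml' \
    '^kind:[[:space:]]*Secret[[:space:]]*$' "$1" 2>/dev/null || true
}

# Return 0 when the tree is clean, 1 when at least one plain Secret is present;
# suitable as a pre-commit hook or CI step before the PR is merged.
check_tree() {
  offenders=$(find_plain_secrets "$1")
  if [ -n "$offenders" ]; then
    printf 'plaintext Secret manifests found:\n%s\n' "$offenders" >&2
    return 1
  fi
  return 0
}

# Constructed sample manifests (not from the page) to exercise the check.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/ok" "$SAMPLE_DIR/bad"
cat > "$SAMPLE_DIR/ok/db-creds.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-creds
spec:
  encryptedData:
    password: AgBy...CONSTRUCTED-PLACEHOLDER-CIPHERTEXT
EOF
cat > "$SAMPLE_DIR/bad/db-creds.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
stringData:
  password: constructed-dummy-value
EOF

check_tree "$SAMPLE_DIR/ok" && echo "ok/: only SealedSecrets, safe to commit"
check_tree "$SAMPLE_DIR/bad" || echo "bad/: rejected, plain Secret present"
```

Point `check_tree` at `manifests/` in your own repository to gate the Install and Update branches above.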

Update

To update the operator, delete the previously vendored base and then vendor the new version.

  1. Delete the previous vendored version

    # Run these commands from the root of your Kubestack infra repository
    rm -r manifests/bases/sealed-secrets
  2. Vendor the new version

    # Run these commands from the root of your Kubestack infra repository
    wget https://storage.googleapis.com/catalog.kubestack.com/sealed-secrets-v0.13.1-kbst.0.zip
    unzip -d manifests/bases/ sealed-secrets-v0.13.1-kbst.0.zip
    rm sealed-secrets-v0.13.1-kbst.0.zip
  3. Commit and push

    git checkout -b update-sealed-secrets
    git add manifests/bases/sealed-secrets
    git commit -m "Update sealed-secrets base to v0.13.1-kbst.0"
    git push origin update-sealed-secrets

Remove

Operators often create resources based on custom objects. When removing an operator, follow a two-step process to ensure operator provisioned resources are purged properly.

  • First, remove all the operator's custom objects.
  • Once the operator has had time to de-provision all resources it created, follow the instructions below to remove the operator itself.
  1. Remove resource from apps overlay

    cd manifests/overlays/apps
    kustomize edit remove resource ../../bases/sealed-secrets/base
  2. Delete the vendored base from your repository

    cd -
    # Run these commands from the root of your Kubestack infra repository
    rm -r manifests/bases/sealed-secrets
  3. Commit and push

    git checkout -b remove-sealed-secrets
    git add manifests/bases/sealed-secrets manifests/overlays/apps/kustomization.yaml
    git commit -m "Remove sealed-secrets base"
    git push origin remove-sealed-secrets