Sealed Secrets
Terraform module for Kubernetes

Sealed Secrets is a way to safely store encrypted secrets inside Git repositories that can only be decrypted by the controller running in the target cluster. The controller will transparently convert sealed secrets into regular Kubernetes secrets for workloads to consume.

This Terraform module provisions Sealed Secrets on Kubernetes. It fully integrates the Kubernetes resources into the Terraform workflow and allows configuring Sealed Secrets using native Terraform syntax.

The Sealed Secrets module is continuously updated and tested when new upstream versions are released.

TL;DR:

  • Call the module once per desired target cluster.
  • The provider alias you pass into the module determines the cluster.
  • Customize the Kubernetes resources per environment using Terraform syntax.

Use the module

To provision the Sealed Secrets Terraform module on a Kubernetes cluster, call the module, set source and version, and pass an aliased kustomization provider into the module. The provider configuration determines which cluster the Kubernetes resources are provisioned on. The framework documentation includes a complete example of how the kubeconfig output of a cluster module can be used to configure a kustomization provider alias.

module "eks_zero_sealed_secrets" {
  providers = {
    kustomization = kustomization.eks_zero
  }

  source  = "kbst.xyz/catalog/sealed-secrets/kustomization"
  version = "0.19.1-kbst.1"
}

module "aks_zero_sealed_secrets" {
  providers = {
    kustomization = kustomization.aks_zero
  }

  source  = "kbst.xyz/catalog/sealed-secrets/kustomization"
  version = "0.19.1-kbst.1"
}

module "gke_zero_sealed_secrets" {
  providers = {
    kustomization = kustomization.gke_zero
  }

  source  = "kbst.xyz/catalog/sealed-secrets/kustomization"
  version = "0.19.1-kbst.1"
}

Customize resources

All Kubestack cluster service modules support the same module attributes and the same per-environment configuration. The module's configuration attribute holds a Kustomization definition for each environment in the per-environment configuration map, following Kubestack's inheritance model.

This example overrides the metadata.namespace of all Kubernetes resources provisioned by the Sealed Secrets module using a Terraform variable.

module "example_sealed_secrets" {
  providers = {
    kustomization = kustomization.example
  }

  source  = "kbst.xyz/catalog/sealed-secrets/kustomization"
  version = "0.19.1-kbst.1"

  configuration = {
    apps = {
      namespace = var.example_sealed_secrets_namespace
    }
    ops = {}
    loc = {}
  }
}

Full documentation on how to customize a module's Kubernetes resources is available in the cluster service module configuration section of the framework documentation.
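As an added example that is not part of this catalog page or the Kubestack project, the following wires the two sections above together: a kustomization provider alias fed from a cluster module's kubeconfig output, and a module call whose per-environment configuration lets ops inherit the apps namespace while loc overrides it. The cluster module name eks_zero, its kubeconfig output, the kubeconfig_raw provider argument and the inheritance direction (apps to ops to loc) are assumptions about the framework's interfaces, so check them against the framework documentation.

```hcl
# Added example, not code from the catalog page or the Kubestack project.
# Assumes a cluster module named "eks_zero" that exposes a "kubeconfig"
# output, and that the kustomization provider accepts "kubeconfig_raw".
provider "kustomization" {
  alias          = "eks_zero"
  kubeconfig_raw = module.eks_zero.kubeconfig
}

# Namespace the controller (and its sealing key Secret) is installed into.
variable "sealed_secrets_namespace" {
  type    = string
  default = "kube-system"
}

module "eks_zero_sealed_secrets" {
  # The alias passed here selects the target cluster.
  providers = {
    kustomization = kustomization.eks_zero
  }

  source  = "kbst.xyz/catalog/sealed-secrets/kustomization"
  version = "0.19.1-kbst.1"

  configuration = {
    # apps is the base environment (assumed inheritance order: apps -> ops -> loc).
    apps = {
      namespace = var.sealed_secrets_namespace
    }
    # ops inherits the apps namespace unchanged.
    ops = {}
    # loc (local development) overrides only the namespace.
    loc = {
      namespace = "sealed-secrets-dev"
    }
  }
}
```

Moving the controller out of kube-system changes where the sealing key pair lives, so anyone sealing secrets for that cluster must point kubeseal at the new namespace (its --controller-namespace flag defaults to kube-system).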