Sealed Secrets

Sealed Secrets
Terraform module for Kubernetes platforms

Sealed Secrets is a way to safely store encrypted secrets inside Git repositories that can only be decrypted by the controller running in the target cluster. The controller will transparently convert sealed secrets into regular Kubernetes secrets for workloads to consume.

This Terraform module helps platform engineering teams provision Sealed Secrets on Kubernetes. It fully integrates the upstream Kubernetes resources into the Terraform plan/apply lifecycle and allows configuring Sealed Secrets using native Terraform syntax.

The Sealed Secrets module is continuously updated and tested when new upstream versions are released.

Build status for sealed-secrets-v0.26.3-kbst.0

TL;DR:

  • Use kbst add service sealed-secrets to add Sealed Secrets to your platform
  • The kbst CLI scaffolds the Terraform module boilerplate for you
  • Kubestack platform service modules bundle upstream manifests and are fully customizable

Use the module

The kbst CLI helps you scaffold the Terraform code to provision Sealed Secrets on your platform. It takes care of calling the module once per cluster, and sets the correct source and latest version for the module. And it also makes sure the module's configuration and configuration_base_key match your platform.

# add Sealed Secrets service to all platform clusters
kbst add service sealed-secrets
# or optionally only add Sealed Secrets to a single cluster
# 1. list existing platform modules
kbst list
aks_gc0_westeurope
eks_gc0_eu-west-1
gke_gc0_europe-west1
# 2. add Sealed Secrets to a single cluster
kbst add service sealed-secrets --cluster-name aks_gc0_westeurope

Scaffolding the boilerplate is convenient, but platform service modules are fully documented, standard Terraform modules. They can also be used standalone without the Kubestack framework.

Customize resources

All Kubestack platform service modules support the same module attributes and configuration as all Kubestack modules. The module configuration is a Kustomization set in the per environment configuration map following Kubestack's inheritance model.

The example below shows some options to customize the resources provisioned by the Sealed Secrets module.

module "example_sealed_secrets" {
providers = {
kustomization = kustomization.example
}
source = "kbst.xyz/catalog/sealed-secrets/kustomization"
version = "0.26.3-kbst.0"
configuration = {
apps = {
+ # change the namespace of all resources
+ namespace = var.example_sealed_secrets_namespace
+
+ # or add an annotation
+ common_annotations = {
+ "terraform-workspace" = terraform.workspace
+ }
+
+ # use images to pull from an internal proxy
+ # and avoid being rate limited
+ images = [{
+ # refers to the 'pod.spec.container.name' to modify the 'image' attribute of
+ name = "container-name"
+
+ # customize the 'registry/name' part of the image
+ new_name = "reg.example.com/nginx"
+ }]
}
ops = {
+ # scale down replicas in ops
+ replicas = [{
+ # refers to the 'metadata.name' of the resource to scale
+ name = "example"
+
+ # sets the desired number of replicas
+ count = 1
+ }]
}
}
}

In addition to the example attributes shown above, modules also support secret_generator, config_map_generator, patches and many other Kustomization attributes.

Full documentation how to customize a module's Kubernetes resources is available in the platform service module configuration section of the framework documentation.