Secrets management in Kubernetes using Sealed Secrets:
Kubernetes has gained popularity because it runs an immutable infrastructure, in which pods and containers can be destroyed and replaced automatically. This eases deployment friction, as you declaratively describe the resources in a manifest file.
Kubernetes manifest files can be stored in a source code repository such as GitHub, and Kubernetes operations can then be managed easily using the GitOps methodology. However, one of the biggest challenges in Kubernetes is the secure storage and rotation of credentials / secrets such as passwords, keys, and certificates. While Kubernetes offers basic secrets management capabilities, it doesn’t help secure secrets needed both inside and outside of Kubernetes.
Here we discuss one of the ways to address this issue, using Sealed Secrets:
Sealed Secrets is a Kubernetes object that lets you store encrypted Kubernetes secrets in version control. It consists of two main components:
- Sealed Secret Controller (At Server Side)
- Kubeseal Utility (At Client Side)
- The first step in using Sealed Secrets is to install the Sealed Secrets controller in the target cluster using the sealed-secrets Helm chart.
helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm repo update
helm install sealed-secrets-controller --namespace kube-system --version 2.13 sealed-secrets/sealed-secrets
- Install the kubeseal client on our machine
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.17.3/kubeseal-linux-amd64 -O /usr/local/bin/kubeseal
chmod +x /usr/local/bin/kubeseal
brew install kubeseal or yum install kubeseal
- Create and encrypt the secrets using kubeseal
kubectl create secret generic db-password -n test --from-file=dbpassword.txt --dry-run=client -o yaml | kubeseal -o yaml > db-password.yaml
The output of the above command is
In the above manifest file, we can see that our database password is encrypted. Only the sealed-secrets controller within the cluster can decrypt the value, so the manifest can be safely stored in version control.
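As an added example (not code from the post or the Sealed Secrets project) of how a team can enforce the workflow above in a GitOps repository, the script below rejects plain Secret manifests before they are committed and accepts only SealedSecret objects; it also wraps offline sealing with the controller's public certificate. The function names, file names and sample manifests are constructed for illustration.

```shell
#!/usr/bin/env bash
# Commit gate for a GitOps repo: accept SealedSecret manifests, which only the
# in-cluster controller can decrypt, and reject plain Secret manifests that would
# put base64-encoded (not encrypted) credentials into version control.
# Line-based heuristic; assumes one Kubernetes object per file.
set -u

# Returns 0 when the file may be committed, 1 when it carries plaintext secret data.
audit_manifest() {
  f="$1"
  if grep -qE '^kind:[[:space:]]*Secret[[:space:]]*$' "$f" \
     && grep -qE '^[[:space:]]*(data|stringData):' "$f"; then
    echo "REJECT $f: plain Secret with data/stringData"; return 1
  fi
  if grep -qE '^kind:[[:space:]]*SealedSecret[[:space:]]*$' "$f"; then
    if grep -qE '^[[:space:]]*(data|stringData):' "$f"; then
      echo "REJECT $f: SealedSecret still carries plaintext fields"; return 1
    fi
    if ! grep -qE '^[[:space:]]*encryptedData:' "$f"; then
      echo "REJECT $f: SealedSecret without encryptedData"; return 1
    fi
  fi
  echo "OK $f"
}

# Seal without cluster access: the controller's public cert, fetched once with
# `kubeseal --fetch-cert > pub-cert.pem`, contains no private material and may be
# committed next to the manifests. Usage: seal_with_cert pub-cert.pem secret.yaml
seal_with_cert() { kubeseal --cert "$1" -o yaml < "$2"; }

# Constructed sample manifests (not from the post) to exercise the gate.
SAMPLES="$(mktemp -d)"
cat > "$SAMPLES/plain.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata: {name: db-password, namespace: test}
data:
  dbpassword.txt: c3VwZXJzZWNyZXQ=
EOF
cat > "$SAMPLES/sealed.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata: {name: db-password, namespace: test}
spec:
  encryptedData:
    dbpassword.txt: AgAxCONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CIPHERTEXT
  template:
    metadata: {name: db-password, namespace: test}
EOF
audit_manifest "$SAMPLES/plain.yaml" || true   # prints REJECT ...
audit_manifest "$SAMPLES/sealed.yaml"          # prints OK ...
```

Run it as a pre-commit hook over every YAML file in the repository; seal_with_cert is only invoked when kubeseal is installed.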
TLConsulting brings its consulting and engineering personnel to application modernisation adoption and implementation by providing a range of services. If you need assistance with your Containers/Kubernetes adoption, please contact us via our Kubernetes consulting services page.