How to Use Sealed Secrets in Kubernetes

Udhan Isuranga
3 min read · Aug 8, 2021

When using Kubernetes, I found that I could manage and host all of the Kubernetes config files on code hosting platforms like GitHub, except the secrets. It would be much easier to manage the entire K8s configuration if secrets could also be put into those repositories. But how can a secret reside in a public place? After searching a bit, I got to know about sealed secrets [1]: still secret, but sealed, hence safe to publish.

The first thing to do when using sealed secrets is to install the sealed-secrets controller in the cluster. This can be done with the sealed-secrets Helm chart.

helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm repo update
helm install sealed-secrets-controller --namespace kube-system --version 1.16.1 sealed-secrets/sealed-secrets

Here we can use a namespace of our preference. But if we use a namespace other than kube-system, we have to pass it explicitly as an argument when executing kubeseal commands.

Then we have to install the kubeseal client on our machine (the machine from which we execute kubectl commands).

On my Ubuntu machine, I used the following commands to install the kubeseal client:

wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.16.0/kubeseal-linux-amd64 -O /usr/local/bin/kubeseal
chmod 755 /usr/local/bin/kubeseal

On macOS it can be installed easily with Homebrew:

brew install kubeseal

Now we have installed both the cluster-side and client-side utilities needed to create sealed secrets. Next we can move on to creating a sealed secret.

First, we have to put our secrets as key-value pairs in a text file. Below is the content of the password.txt file I'm using in this demo.

MYSQL_PASSWORD=test_password

Then the following command needs to be executed to generate the sealed secret configuration file. (If we want to use a certificate as a secret, we can replace the password.txt file with the required .crt file as the value of the --from-file argument.) Here we are sealing a secret named secret-sql-password in the test namespace:

kubectl create secret generic secret-sql-password -n test --from-file=password.txt --dry-run=client -o yaml | kubeseal -o yaml > secret-sql-password.yaml

The generated sealed secret YAML file is as follows.

Here we can see that our password appears in the file only in encrypted form. Only the sealed-secrets controller within the cluster holds the key that can decrypt the value. So we can commit this file into our GitHub private or public repository. Applying this configuration file will generate the corresponding secret within the cluster.
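The point of the paragraph above is that only the sealed manifest should ever reach the repository; the plain Secret produced by the kubectl --dry-run step must not be committed by mistake. As an added example (not part of the original article), the following POSIX shell script implements a simple pre-commit guard that inspects manifest files and refuses any that declare kind: Secret with a top-level data or stringData section, while letting kind: SealedSecret manifests through. The two sample manifests it checks are constructed for the demonstration, and the encryptedData value in the sealed one is a placeholder, not real kubeseal output.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-commit guard that keeps
# unsealed Kubernetes Secrets out of git. It only inspects YAML text; it never
# talks to a cluster or to the sealed-secrets controller.

# check_manifest FILE
# Returns 0 when FILE is safe to commit and 1 when it carries an unsealed Secret.
# A manifest counts as unsealed when it declares "kind: Secret" (SealedSecret is
# a different kind and does not match the anchored pattern) together with a
# top-level data: or stringData: section.
check_manifest() {
  file="$1"
  if grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$file" &&
     grep -Eq '^(data|stringData):' "$file"; then
    echo "REFUSED: $file holds an unsealed Secret; run it through kubeseal first" >&2
    return 1
  fi
  return 0
}

# check_all FILE...
# Runs check_manifest over every file, reports, and returns 1 if any file was
# refused, which is the exit status a git pre-commit hook needs to block the commit.
check_all() {
  status=0
  for f in "$@"; do
    if check_manifest "$f"; then
      echo "ok: $f"
    else
      status=1
    fi
  done
  return $status
}

# --- constructed sample manifests so the script runs stand-alone ---
demo_dir="$(mktemp -d)"
trap 'rm -rf "$demo_dir"' EXIT

# What "kubectl create secret ... --dry-run=client -o yaml" emits BEFORE kubeseal:
# the data value is merely base64 of "MYSQL_PASSWORD=test_password", not encrypted.
cat > "$demo_dir/plain-secret.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: secret-sql-password
  namespace: test
data:
  password.txt: TVlTUUxfUEFTU1dPUkQ9dGVzdF9wYXNzd29yZAo=
EOF

# Shape of a SealedSecret after kubeseal; the encryptedData value is a
# constructed placeholder, not real ciphertext.
cat > "$demo_dir/sealed-secret.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: secret-sql-password
  namespace: test
spec:
  encryptedData:
    password.txt: PLACEHOLDER-CIPHERTEXT
  template:
    metadata:
      name: secret-sql-password
      namespace: test
    type: Opaque
EOF

# In a repository hook this would be:
#   check_all $(git diff --cached --name-only -- '*.yaml' '*.yml')
check_all "$demo_dir/sealed-secret.yaml" "$demo_dir/plain-secret.yaml" || echo "commit would be blocked"
```

Installed as .git/hooks/pre-commit, check_all makes git abort the commit whenever a plain Secret is staged, so the only secret manifests that can land in the repository are the sealed ones.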

Let’s deploy the generated YAML file using kubectl.

kubectl apply -f secret-sql-password.yaml

When listing the secrets in the test namespace, we can see that the secret we sealed is listed.

Then we can use this secret within pods in the same way as we use directly created secrets.

The password I used above is the password of my demo MySQL server. So as an example, I will show how I can log into my MySQL server from a pod using the created secret. Below is the Kubernetes Job I created for this. It logs into the MySQL server and shows the databases on the server.
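The Job manifest itself is not reproduced in the article, so here is an added example of how such a Job can consume the secret; it is my illustration, not the author's file. Because the secret was created with --from-file=password.txt, the resulting Secret has a single key, password.txt, whose value is the whole line MYSQL_PASSWORD=test_password, so the example mounts it as a file and sources it rather than injecting the key as an environment variable. It assumes a MySQL Service named mysql in the test namespace, reachable as root with the sealed password, and the mysql:8.0 image for the client; all three are assumptions. The script renders the manifest with a heredoc and applies it only when invoked with the argument apply.

```shell
#!/bin/sh
# Added example, not the article's own Job manifest: renders a Kubernetes Job
# that reads the Secret unsealed from the SealedSecret and lists the databases
# on a MySQL server. Assumptions: a Service named "mysql" in the same namespace,
# the root account using the sealed password, and the mysql:8.0 client image.

# render_mysql_job NAMESPACE SECRET_NAME  -> prints the Job manifest on stdout
render_mysql_job() {
  ns="${1:-test}"
  secret="${2:-secret-sql-password}"
  cat <<EOF
apiVersion: batch/v1
kind: Job
metadata:
  name: mysql-show-databases
  namespace: $ns
spec:
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: mysql-client
        image: mysql:8.0
        volumeMounts:
        - name: sql-password
          mountPath: /secrets
          readOnly: true
        command: ["/bin/sh", "-c"]
        args:
        - |
          # The Secret key is "password.txt" (the --from-file name) and its
          # value is the whole line MYSQL_PASSWORD=test_password, so source
          # the mounted file instead of reading the key as an env var.
          . /secrets/password.txt
          # MYSQL_PWD keeps the password out of the process argument list.
          export MYSQL_PWD="\$MYSQL_PASSWORD"
          exec mysql -h mysql -u root -e 'SHOW DATABASES'
      volumes:
      - name: sql-password
        secret:
          secretName: $secret
EOF
}

# Print the manifest by default; "apply" pipes it into the cluster.
if [ "${1:-}" = "apply" ]; then
  render_mysql_job test secret-sql-password | kubectl apply -f -
else
  render_mysql_job test secret-sql-password
fi
```

Run it as sh render-job.sh apply once the SealedSecret has been applied and the controller has created secret-sql-password; kubectl logs job/mysql-show-databases -n test then shows the database list.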

After the job has run successfully, the logs of the pod show the databases within the MySQL server, as expected.

That's all from my end :). You can learn more about sealed secrets in the project repository [1].

In my next article I will show how we can manage Kubernetes secrets in AKS clusters using CSI drivers and Azure Key Vault. Until then, goodbye!

References

[1] https://github.com/bitnami-labs/sealed-secrets

Udhan Isuranga

Software Engineer at WSO2 Inc. | Undergraduate at Department of Computer Science and Engineering, Faculty of Engineering, University of Moratuwa