Simplifying Kubernetes Secret Management with Sealed Secrets: A Comprehensive Guide
Table of contents
- Introduction:
- Pros and Cons of Sealed Secrets:
- Prerequisites:
- Installation of Sealed Secrets:
- Installing the kubeseal Client:
- Installing the Custom Controller and CRD for SealedSecret:
- Creating a Sealed Secret:
- Applying a Sealed Secret:
- Managing Sealed Secrets:
- Retrieve the public key certificate using kubeseal:
- Encrypt existing secrets and apply them to the cluster:
- Update deployments to use sealed secrets:
- Updating a Sealed Secret:
- Deleting a Sealed Secret:
- Verify the Sealed Secret:
- Conclusion:
Introduction:
In the world of Kubernetes, safeguarding sensitive information during application deployment is of utmost importance. Kubernetes provides the Secret resource for storing sensitive data, but ensuring its encryption and security is crucial. Sealed Secrets, a powerful Kubernetes controller and tool, has emerged as a solution to streamline the secure storage and deployment of encrypted secrets.
Pros and Cons of Sealed Secrets:
Pros:
Enhanced Security: Sealed Secrets encrypts and secures sensitive data, providing an additional layer of protection against unauthorized access.
Simplified Management: The tool simplifies the process of managing and deploying encrypted secrets, making it more accessible for users.
Version Control: Sealed Secrets facilitates version control of encrypted secrets, improving traceability and aiding in auditing processes.
Cons:
Additional Complexity: Introducing an extra layer of complexity to secret management might be challenging for some users, especially those new to Kubernetes.
Learning Curve: Users may require time to understand and adapt to the Sealed Secrets workflow, potentially causing a learning curve for some teams.
Prerequisites:
Before diving into Sealed Secrets, ensure you have the following:
A running Kubernetes cluster.
Local installation of kubectl, the Kubernetes command-line tool.
Helm, the Kubernetes package manager, installed following the Helm project's own instructions.
Installation of Sealed Secrets:
The recommended installation method for Sealed Secrets is using Helm. Follow these simplified steps:
Step 1: Add the Sealed Secrets Helm repository
helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
Step 2: Install Sealed Secrets into your cluster
helm install sealed-secrets sealed-secrets/sealed-secrets
This deploys the Sealed Secrets controller in your cluster, enabling you to create Sealed Secrets.
Installing the kubeseal Client:
For Linux x86_64 systems:
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.18.0/kubeseal-0.18.0-linux-amd64.tar.gz
tar xfz kubeseal-0.18.0-linux-amd64.tar.gz
sudo install -m 755 kubeseal /usr/local/bin/kubeseal
For MacOS systems:
brew install kubeseal
Installing the Custom Controller and CRD for SealedSecret:
This is the manifest-based alternative to the Helm installation above; use one method or the other, not both. Install the SealedSecret CRD, controller, and RBAC artifacts on your EKS cluster:
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.18.0/controller.yaml
kubectl apply -f controller.yaml
Check the controller pod status:
kubectl get pods -n kube-system | grep sealed-secrets-controller
controller.yaml installs the controller as sealed-secrets-controller in kube-system, which is where the kubeseal client looks by default. A Helm release lands in the namespace you installed it into, under the release name, so in that case pass --controller-name and --controller-namespace to kubeseal.
Basic Usage:
Creating a Sealed Secret:
Create a Kubernetes Secret (my-secret.yaml):
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: <base64-encoded-username>
  password: <base64-encoded-password>
Seal the Secret with kubeseal, which encrypts each value with the controller's public key and writes a SealedSecret manifest, then apply that manifest. The plain my-secret.yaml is never applied to the cluster and must not be committed to version control:
kubeseal --format yaml < my-secret.yaml > my-sealed-secret.yaml
kubectl apply -f my-sealed-secret.yaml
The controller decrypts the SealedSecret and creates a regular Secret named my-secret in the same namespace.
Applying a Sealed Secret:
When deploying a pod that needs access to the secret (deployment.yaml), reference the Secret the controller created; it carries the same name as the SealedSecret:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-container
        image: my-image
        envFrom:
        - secretRef:
            name: my-secret
Managing Sealed Secrets:
Retrieve the public key certificate using kubeseal. The client fetches it from the controller, so this step needs cluster access; the certificate is public and can be stored alongside the manifests so that secrets can later be sealed offline with --cert:
kubeseal --fetch-cert > public-key-cert.pem
Encrypt existing secrets and apply them to the cluster, using the certificate file written in the previous step:
kubectl get secret your-secret-name -o yaml | kubeseal --cert public-key-cert.pem --format yaml > sealed-your-secret-name.yaml
kubectl apply -f sealed-your-secret-name.yaml
Update deployments to use sealed secrets. The SealedSecret keeps the original Secret's name and the controller recreates the decrypted Secret under that same name, so the deployment references your-secret-name rather than the name of the sealed manifest file:
envFrom:
- secretRef:
    name: your-secret-name
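The create-and-seal steps above, as an added shell example that is not part of the original post: it builds the Secret manifest in memory, pipes it straight into kubeseal so the plaintext never lands on disk, and adds a pre-commit style guard that rejects unsealed Secret manifests before they reach version control. It assumes public-key-cert.pem was fetched as described above and that kubeseal is on PATH for seal_secret(); the other two functions run without a cluster.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes public-key-cert.pem was
# fetched with `kubeseal --fetch-cert` and that kubeseal is on PATH for
# seal_secret(); make_secret_manifest() and is_sealed_manifest() need neither.

# Build a plain Secret manifest on stdout from key=value arguments.
# Values are base64-encoded as the Secret API expects. Name and namespace are
# both set because kubeseal's default (strict) scope binds the ciphertext to
# exactly that name/namespace pair.
make_secret_manifest() {
  name=$1; ns=$2; shift 2
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' "$name" "$ns"
  for kv in "$@"; do
    key=${kv%%=*}; val=${kv#*=}
    printf '  %s: %s\n' "$key" "$(printf '%s' "$val" | base64 | tr -d '\n')"
  done
}

# Seal a Secret manifest from stdin into a SealedSecret on stdout, so the
# plaintext is piped into kubeseal and never written to a file.
seal_secret() {
  kubeseal --cert public-key-cert.pem --format yaml
}

# Guard for a pre-commit hook or CI job: succeed only for a SealedSecret
# manifest that carries encryptedData and no top-level plaintext data block.
is_sealed_manifest() {
  file=$1
  grep -q '^kind: SealedSecret$' "$file" || return 1
  if grep -Eq '^(data|stringData):' "$file"; then return 1; fi
  grep -q '^  encryptedData:' "$file" || return 1
  return 0
}

# Typical use (needs a cluster and kubeseal):
#   make_secret_manifest my-secret default username=admin password=s3cr3t \
#     | seal_secret > my-sealed-secret.yaml
#   is_sealed_manifest my-sealed-secret.yaml && kubectl apply -f my-sealed-secret.yaml
```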
Updating a Sealed Secret:
Edit the original Secret manifest, re-seal it, and apply the new SealedSecret; the controller then updates the underlying Secret in place. Applying the plain updated Secret directly would bypass sealing:
kubeseal --format yaml < my-updated-secret.yaml > my-updated-sealed-secret.yaml
kubectl apply -f my-updated-sealed-secret.yaml
To change a single key without re-sealing every value, kubeseal's --merge-into option can merge one newly sealed key into an existing SealedSecret file.
Deleting a Sealed Secret:
kubectl delete sealedsecret my-secret
This deletes both the SealedSecret and its decrypted representation: the controller marks the Secret it created as owned by the SealedSecret, so Kubernetes garbage-collects the Secret along with it.
Verify the Sealed Secret:
kubectl get sealedsecrets
kubectl get secrets
Conclusion:
Sealed Secrets simplifies sensitive data management in Kubernetes by providing an encrypted layer for secrets. With secure storage and deployment capabilities, Sealed Secrets enhances the security of your Kubernetes applications. While it introduces some complexity, the benefits in terms of enhanced security and simplified management outweigh the learning curve for many users.
Written by
Balaji