How to manage all my K8s secrets in git securely with Bitnami Sealed Secrets

Introduction

What is Bitnami Sealed Secrets?

Diagram of how Bitnami Sealed Secrets works.
  • namespace-wide: this mode allows the name of the secret to be changed after it has been created without causing a decryption error, because the name is not part of the encryption process.
  • cluster-wide: in this mode neither the name nor the namespace is taken into account when encrypting the secret, so the secret can be unsealed in any namespace of the cluster and given any name.
  • In the CLI tool, using the scope flag.
  • In the original secret, with an annotation:
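
The scope rules listed above decide what a sealed value is bound to. The following Python is an illustration added here, not code from the article or from the Sealed Secrets project: it models how the scope is chosen (an explicit scope flag, otherwise the annotation on the original Secret, otherwise strict), which identifiers are mixed into the encryption for each scope (namespace and name, namespace only, or nothing), and why a namespace-wide sealed secret survives a rename but not a move to another namespace. The annotation keys `sealedsecrets.bitnami.com/namespace-wide` and `sealedsecrets.bitnami.com/cluster-wide` and the `SealedSecret` manifest shape are the real ones; the cipher is a keyed stand-in so the block runs offline with the standard library, and the rule that the flag overrides the annotation is an assumption of the model. The sample Secret is constructed.

```python
import hashlib
import hmac

NAMESPACE_WIDE_ANNOTATION = "sealedsecrets.bitnami.com/namespace-wide"
CLUSTER_WIDE_ANNOTATION = "sealedsecrets.bitnami.com/cluster-wide"
SCOPES = ("strict", "namespace-wide", "cluster-wide")
SCOPE_ANNOTATIONS = {
    "namespace-wide": NAMESPACE_WIDE_ANNOTATION,
    "cluster-wide": CLUSTER_WIDE_ANNOTATION,
}


def resolve_scope(manifest, scope_flag=None):
    """Pick the scope. Assumption of this model: an explicit --scope flag wins;
    otherwise the annotations on the manifest decide; the default is strict."""
    if scope_flag is not None:
        if scope_flag not in SCOPES:
            raise ValueError(f"unknown scope: {scope_flag}")
        return scope_flag
    annotations = (manifest.get("metadata") or {}).get("annotations") or {}
    if annotations.get(CLUSTER_WIDE_ANNOTATION) == "true":
        return "cluster-wide"
    if annotations.get(NAMESPACE_WIDE_ANNOTATION) == "true":
        return "namespace-wide"
    return "strict"


def scope_label(scope, namespace, name):
    """Identifiers bound into the encryption for each scope: strict binds
    namespace and name, namespace-wide only the namespace, cluster-wide nothing."""
    if scope == "strict":
        return f"{namespace}/{name}".encode()
    if scope == "namespace-wide":
        return namespace.encode()
    return b""


def _keystream(key, label, length):
    # HMAC counter mode keyed by (key, label): a different label, a different stream.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, label, plaintext):
    """Stand-in for the controller's public-key hybrid encryption (toy, not a
    secure cipher): the label is bound into both the keystream and the tag, so
    the value only unseals under the same label."""
    stream = _keystream(key, label, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(key, label + ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def unseal(key, label, sealed):
    """Reverse of seal(); raises ValueError when the label does not match."""
    ciphertext, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(key, label + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("decryption failed: sealed for a different name/namespace")
    stream = _keystream(key, label, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def seal_secret(key, secret, scope_flag=None):
    """Turn a Secret manifest (stringData) into a SealedSecret-shaped manifest,
    carrying the scope annotation so the controller can recompute the label."""
    scope = resolve_scope(secret, scope_flag)
    namespace = secret["metadata"]["namespace"]
    name = secret["metadata"]["name"]
    label = scope_label(scope, namespace, name)
    annotations = {SCOPE_ANNOTATIONS[scope]: "true"} if scope != "strict" else {}
    encrypted = {k: seal(key, label, v.encode()).hex() for k, v in secret["stringData"].items()}
    return {
        "apiVersion": "bitnami.com/v1alpha1",
        "kind": "SealedSecret",
        "metadata": {"name": name, "namespace": namespace, "annotations": annotations},
        "spec": {"encryptedData": encrypted},
    }


def can_unseal(key, sealed_secret, target_namespace, target_name):
    """Does this SealedSecret decrypt when applied at target_namespace/target_name?
    Mirrors the controller deriving the label from where the object actually lands."""
    scope = resolve_scope(sealed_secret)
    label = scope_label(scope, target_namespace, target_name)
    try:
        for value in sealed_secret["spec"]["encryptedData"].values():
            unseal(key, label, bytes.fromhex(value))
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # stands in for the controller key pair
    secret = {  # constructed sample Secret, annotated for namespace-wide scope
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"name": "db-creds", "namespace": "app",
                     "annotations": {NAMESPACE_WIDE_ANNOTATION: "true"}},
        "stringData": {"password": "s3cr3t"},
    }
    sealed = seal_secret(demo_key, secret)
    print("same name:", can_unseal(demo_key, sealed, "app", "db-creds"))
    print("renamed:", can_unseal(demo_key, sealed, "app", "renamed"))
    print("other namespace:", can_unseal(demo_key, sealed, "other", "db-creds"))
```

Running the block prints True, True, False: the namespace-wide secret tolerates a rename but not a move, which is exactly the trade-off the three scopes make. Strict would reject the rename as well, and cluster-wide would accept both.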

Installation

  • A Kubernetes cluster. You can use a cloud one or a local distribution like k3s, Rancher or Docker Desktop.
  • 10 minutes at the most.
Kubernetes objects created for the Bitnami Sealed Secrets controller.
Controller pod and initial logs.
  • It searches for the private key and finds it in a Secret. For security reasons, you can rotate this private key after a period of time without having to reinstall the controller.
  • The public certificate is printed directly in the logs, so you can retrieve it from there and use it with the kubeseal tool offline or in an automation workflow.
  • The controller is serving on port 8080.

Creating a secure secret

Logs after creating a SealedSecret by the user and then a regular secret by the controller.
Regular secret created by the controller.

Monitoring

Bitnami Sealed Secrets controller metrics endpoint on Prometheus targets.
Importing the dashboard in JSON format.
Dashboard example.

Conclusions

  • This tool only helps to store the secret securely in the Git repository; once it is deployed to the Kubernetes cluster, the secret is stored in plain text, merely base64-encoded.
  • The Sealed Secrets stored in the repository are only usable on the cluster they were targeted at when they were created. This is because the sealed secrets are created using the public key of the controller installed on the targeted cluster.
  • It can be helpful to generate the secrets automatically and convert them into sealed secrets ready to be stored in a repository.
  • Installing the controller in a shared cluster may be a bit problematic due to the ClusterRole permissions needed. A customized installation would be needed in this case if the cluster admin does not want to install it at cluster scope.

Carlos Alcaide

DevOps Engineer learning new stuff, doing sometimes some backend and occasionally trying frontend.