In the realm of Kubernetes, managing secrets securely is paramount. Sealed Secrets offer a robust solution, enabling Kubernetes users to encrypt secrets and store them safely within Git repositories. This article delves deep into the practical aspects of implementing Sealed Secrets in Kubernetes, providing a step-by-step guide to ensure your secrets remain sealed.
## Setting the Stage: Prerequisites
Before diving into the intricacies of Sealed Secrets, ensure you have:
- A `controlplane` host with access to a Kubernetes cluster.
- The `kubeseal` CLI tool installed. This tool seals secrets with the controller's public key and produces a SealedSecret custom resource (a type defined by the controller's Custom Resource Definition, CRD).
## Installing Kubeseal
To get started with `kubeseal`, follow these steps:
```bash
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.2/kubeseal-0.19.2-linux-amd64.tar.gz
tar -xvzf kubeseal-0.19.2-linux-amd64.tar.gz
install -m 755 kubeseal /usr/local/bin/kubeseal
```
## Deploying the Sealed Secret Controller
The Sealed Secret Controller plays a pivotal role: it generates a key pair consisting of a private key and a public key. The public key is used to encrypt secrets and the private key to decrypt them.
Deploy the controller with:
```bash
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.2/controller.yaml
```
## Verifying the Controller's Logs
On startup, the controller looks for a secret labeled `sealedsecrets.bitnami.com/sealed-secrets-key` in its namespace. If none exists, it generates a key pair, stores it in a new secret in that namespace, and prints the public key portion of the pair to its log.
## Inspecting the Secret
To view the secret created by the controller, which holds the private key, use:
```bash
kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml
```
The output contains both `tls.crt` (the public certificate) and `tls.key` (the private key).
## Crafting and Sealing the Secret
Begin by creating a `secret.yaml`:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: sealed-secret
  namespace: test
data:
  # base64 of "dbpass\n"; the trailing newline is what `echo` without -n produces
  DB_PASSWORD: ZGJwYXNzCg==
```
Seal the secret using `kubeseal`:
```bash
cat secret.yaml | kubeseal \
  --controller-namespace kube-system \
  --controller-name sealed-secrets-controller \
  --format yaml \
  > sealed-secret.yaml
```
Apply the sealed secret:
```bash
kubectl create ns test
kubectl apply -f sealed-secret.yaml
```
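Only `sealed-secret.yaml` belongs in Git; the plaintext `secret.yaml` must never be committed. The following pre-commit style check is an added example (not code from this article or from the Sealed Secrets project): it scans manifest files, fails on any core `Secret` document that carries `data` or `stringData`, and lets `SealedSecret` documents through. The sample manifests and the placeholder ciphertext are constructed.

```python
import re

# Constructed sample repo: the article's plaintext secret.yaml next to the
# sealed-secret.yaml kubeseal would emit (ciphertext replaced by a placeholder).
SAMPLE_REPO = {
    "secret.yaml": (
        "apiVersion: v1\nkind: Secret\nmetadata:\n  name: sealed-secret\n"
        "  namespace: test\ndata:\n  DB_PASSWORD: ZGJwYXNzCg==\n"
    ),
    "sealed-secret.yaml": (
        "apiVersion: bitnami.com/v1alpha1\nkind: SealedSecret\nmetadata:\n"
        "  name: sealed-secret\n  namespace: test\nspec:\n  encryptedData:\n"
        "    DB_PASSWORD: AgBPLACEHOLDERCIPHERTEXT\n"
    ),
}


def parse_sections(doc):
    """Minimal reader: top-level keys plus their two-space-indented children
    (enough for kind/metadata/data of a Secret; not a general YAML parser)."""
    sections, current = {}, None
    for raw in doc.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        if indent == 0:
            current = key
            sections[key] = {"_value": value.strip()}
        elif indent == 2 and current is not None:
            sections[current][key] = value.strip()
    return sections


def find_plaintext_secrets(files):
    """One finding per manifest document that is a core Secret carrying
    data/stringData; SealedSecret documents (ciphertext only) are accepted."""
    findings = []
    for path, text in files.items():
        for doc in re.split(r"^---[ \t]*$", text, flags=re.M):
            s = parse_sections(doc)
            if s.get("kind", {}).get("_value") != "Secret":
                continue
            leaked = sorted(k for sec in ("data", "stringData")
                            for k in s.get(sec, {}) if k != "_value")
            if leaked:
                meta = s.get("metadata", {})
                findings.append(f"{path}: plaintext Secret "
                                f"{meta.get('namespace', 'default')}/{meta.get('name', '?')} "
                                f"exposes {', '.join(leaked)}")
    return findings
```

Wire `find_plaintext_secrets` into a pre-commit hook or CI job over the staged `*.yaml` files and fail the commit whenever it returns a non-empty list.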
## Validating the Sealed Secret
To confirm the creation of the sealed secret:
```bash
kubectl get sealedsecret -n test -o yaml
```
To verify that the controller has unsealed it into a regular Secret:
```bash
kubectl get secret sealed-secret -n test -o yaml
```
## Disaster Recovery: Safeguarding Sealed Secrets
Without the controller's private key, the data in a SealedSecret cannot be decrypted. It is therefore crucial to back up the private key:
```bash
kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml > master.yaml
```
Treat `master.yaml` with the same care as the secrets themselves: whoever holds it can decrypt every SealedSecret produced with that key.
To simulate the loss of the key, delete the key secret and the controller:
```bash
kubectl delete secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key
kubectl delete -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.2/controller.yaml
```
Reapply the secret containing the private key, then redeploy the controller:
```bash
kubectl apply -f master.yaml
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.2/controller.yaml
```
The controller's logs will show that it retrieves the existing secret before attempting to generate a new key pair; when an existing key pair is found, no new one is created.
## Conclusion
Sealed Secrets in Kubernetes are a game-changer, offering a secure way to manage secrets. By following this comprehensive guide, you can ensure your secrets remain sealed, safeguarded, and accessible only when necessary.
## FAQs
1. What are Sealed Secrets in Kubernetes? Sealed Secrets are a secure way to encrypt secrets and store them within Git repositories in Kubernetes.
2. How does the Sealed Secret Controller function? The Sealed Secret Controller generates a key pair, which includes a private and a public key, essential for encrypting and decrypting secrets.
3. How can I back up the private key for Sealed Secrets? Use the `kubectl get secret` command to export the key secret and store it in a `master.yaml` file.