Imagine a world where your sensitive Kubernetes secrets are as secure as a vault, yet as easy to manage as a Git commit. Welcome to the realm of Bitnami SealedSecrets, a game-changer for DevOps professionals looking to streamline secrets management while keeping security first. In this blog post, we’ll embark on a journey to explore how SealedSecrets can transform the way you handle secrets in your Kubernetes clusters, including how to deploy it using Helm and manually apply sealed secrets.

Why SealedSecrets? The Quest for Secure Secrets

In the Kubernetes universe, secrets are like the enchanted keys to your kingdom—think API tokens, database credentials, or TLS certificates. Storing them plaintext in Git repositories is akin to leaving your castle gates wide open. Bitnami SealedSecrets comes to the rescue by encrypting these secrets, ensuring they can only be decrypted by the SealedSecrets controller running in your Kubernetes cluster. It’s like sealing a magical scroll that only the chosen one (your cluster) can open.

This approach aligns perfectly with modern DevOps practices, allowing you to store encrypted secrets in your Git repos safely. Ready to wield this power? Let’s dive into the adventure!

Preparing for the Journey: Prerequisites

Before we set sail, let’s gather our tools and provisions:

  • A Kubernetes cluster ready to receive your secrets.

  • kubectl access to all target clusters from your local machine—your trusty command-line wand.

  • Helm installed on your local machine to deploy SealedSecrets. Install it via Homebrew on macOS:

    1

    brew install helm

  • kubectx (optional but highly recommended): This handy tool lets you switch between cluster contexts with a flick of the wrist. Install it on macOS with:

    1

    brew install kubectx

  • kubeseal CLI: The magical quill that encrypts your secrets. Install it on macOS with:

    1

    brew install kubeseal

    For Linux or Windows, grab the binary from the GitHub releases page.

With your gear in hand, let’s start by setting up SealedSecrets in your cluster!

Setting Up the Kingdom: Deploying Bitnami SealedSecrets with Helm

Before we can seal secrets, we need to install the SealedSecrets controller in our Kubernetes cluster. Using Helm, this process is as smooth as casting a well-practiced spell. Follow these steps:

  1. Add the Bitnami Helm Repository: Add the Bitnami charts repository to your Helm configuration to access the SealedSecrets chart:

    1
2

    helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update

  2. Install the SealedSecrets Chart: Deploy the SealedSecrets controller to the sealed-secrets namespace. Run the following command:

    1

    helm install sealed-secrets bitnami/sealed-secrets \  --namespace sealed-secrets \  --create-namespace
    • sealed-secrets: The release name for the Helm deployment.
    • –namespace sealed-secrets: Ensures the controller runs in its own namespace.
    • –create-namespace: Creates the sealed-secrets namespace if it doesn’t exist.

  3. Verify the Installation: Check that the SealedSecrets controller is running:

    1

    kubectl get pods -n sealed-secrets

    You should see a pod named something like sealed-secrets-sealed-secrets-xxx in the Running state.

  4. Backup the Encryption Key (Optional but Recommended): The SealedSecrets controller generates a public/private key pair for encryption. If the controller is reinstalled, you’ll need the private key to decrypt existing secrets. Export the key for safekeeping:

    1

    kubectl get secret -n sealed-secrets -l sealedsecrets.bitnami.com/sealed-secrets-key=active -o yaml > sealed-secrets-key.yaml

    Store this file securely outside your cluster, as it’s critical for disaster recovery.

With the SealedSecrets controller installed, your cluster is now ready to handle encrypted secrets. Let’s move on to creating and managing them!

Crafting Your First SealedSecret: A Step-by-Step Adventure

Step 1: Conjuring a Kubernetes Secret

Every great spell begins with a recipe. In this case, we’ll create a Kubernetes Secret in a YAML file. Think of this as writing the incantation for your secret.

To create a secret with key-value pairs, use this command:

1
2
3
4
5

kubectl create secret generic my-secret \
--from-literal=username=admin \
--from-literal=password=supersecret \
-n my-namespace \
-o yaml --dry-run=client > k8s-secret.yaml

Alternatively, if your secrets are stored in files (like a wizard’s ancient tomes), use:

1
2
3
4
5

kubectl create secret generic my-secret \
--from-file=username=/path/to/username.txt \
--from-file=password=/path/to/password.txt \
-n my-namespace \
-o yaml --dry-run=client > k8s-secret.yaml
  • my-secret: The name of your secret, like the title of a spell.
  • my-namespace: The namespace where it will reside.
  • username, password: The keys and their values or file references.

This command generates a k8s-secret.yaml file, ready for the next step in our ritual.

Step 2: Sealing the Secret with kubeseal

Now, it’s time to cast the encryption spell using the kubeseal CLI. This transforms your plain Kubernetes Secret into a SealedSecret, locked tight for safe storage.

  1. Switch to the target cluster’s context using kubectx (if installed):

    1

    kubectl ctx my-cluster

  2. Seal the secret with this command:

    1
2
3

    kubeseal -o yaml \
--controller-name sealed-secrets \
--controller-namespace sealed-secrets < k8s-secret.yaml > sealedsecret.yaml

The result? A sealedsecret.yaml file that’s encrypted and ready to be stored in your Git repository. Only the SealedSecrets controller in your cluster can decrypt it—talk about a magical lock!

Step 3: Manually Deploying the SealedSecret

With our SealedSecret crafted, it’s time to deliver it to the kingdom (your Kubernetes cluster) by manually applying it using kubectl. Here’s how:

  1. Store the SealedSecret in Your Git Repository:

    • Create a directory in your Git repository (e.g., secrets/) to organize your SealedSecrets.

    • Move the sealedsecret.yaml file to this directory, renaming it for clarity, such as my-secret-my-namespace.yaml.

    • Commit and push the file to your repository for version control:

      1
2
3

      git add secrets/my-secret-my-namespace.yaml
git commit -m "Add sealed secret for my-namespace"
git push origin main

  2. Apply the SealedSecret to the Cluster:

    • Ensure you’re in the correct cluster context (use kubectl ctx my-cluster if using kubectx).

    • Apply the SealedSecret to your Kubernetes cluster:

      1

      kubectl apply -f secrets/my-secret-my-namespace.yaml

  3. Verify the Deployment:

    • Check that the SealedSecret has been created:

      1

      kubectl get sealedsecrets -n my-namespace

    • Verify that the corresponding Kubernetes Secret has been created by the SealedSecrets controller:

      1

      kubectl get secret my-secret -n my-namespace

    • The secret should now be available for your applications to use.

The Magic of SealedSecrets in Action

Picture this: Your team is deploying a new microservice that needs database credentials. With the SealedSecrets controller installed via Helm, you follow the SealedSecrets workflow. You create a secret, seal it with kubeseal, store it in your Git repo, and manually apply it to the cluster. The encrypted secrets live safely in your repository, version-controlled and auditable, while the SealedSecrets controller ensures only the intended cluster can access them. It’s secure, straightforward, and oh-so-satisfying.

Tips for a Smooth Adventure

  • Organize your secrets: Use meaningful names for secrets and namespaces to avoid confusion in large clusters.
  • Leverage kubectx: Switching between clusters is a breeze with kubectl ctx, saving you time and headaches.
  • Test locally: Before applying, use kubeseal with -dry-run to verify your SealedSecret without modifying the cluster.
  • Secure the encryption key: Always back up the SealedSecrets key and store it in a safe location to avoid losing access to your secrets.
  • Validate deployments: After applying a SealedSecret, check both the SealedSecret and the resulting Secret to ensure everything is working as expected.

Conclusion: Embrace the Power of SealedSecrets

Bitnami SealedSecrets, deployed effortlessly with Helm and applied with kubectl, brings a touch of magic to the often daunting task of secrets management. By combining encryption and Kubernetes, it empowers you to store sensitive data securely while maintaining the agility of modern DevOps workflows. Whether you’re a seasoned Kubernetes wizard or a curious apprentice, SealedSecrets is a tool worth adding to your spellbook.

So, what are you waiting for? Fire up Helm, install the SealedSecrets controller, grab your kubeseal CLI, and start sealing and deploying those secrets. The kingdom of secure secrets management awaits!