Sealed Secrets

Sealed Secrets is a tool for Kubernetes designed to encrypt sensitive data, ensuring it remains secure even when stored in public repositories. This is particularly crucial in GitOps environments, where configuration is managed as code. With Sealed Secrets, the full configuration of applications and other infrastructure can be pushed to Git, including the secrets this configuration needs. The Rocket Pad Platform can therefore be bootstrapped completely from Git repositories without adding secrets manually or managing an external secrets store.

The core concept is simple: sensitive information, typically stored in Kubernetes Secrets, is encrypted into a Sealed Secret using asymmetric cryptography. This Sealed Secret can be safely committed to a Git repository without exposing the underlying secret. Only the Sealed Secrets controller, running within the Kubernetes cluster and possessing the private decryption key, can decrypt these Sealed Secrets. Because the encryption is asymmetric and only the cluster holds the private key, the original secret remains confidential even if the Sealed Secret itself is exposed.

The Sealed Secrets controller operates as a Kubernetes controller, continuously monitoring for new or updated Sealed Secrets. Upon detecting such changes, the controller decrypts the Sealed Secret and creates the corresponding Kubernetes Secret. This process is transparent to application workloads, allowing them to access secrets without any modifications.

By adopting Sealed Secrets, organizations can confidently manage their Kubernetes secrets in a GitOps environment without compromising security. It offers a practical solution to the persistent challenge of safeguarding sensitive data while embracing the benefits of GitOps for infrastructure management.

warning

Proper management of the private key is crucial. Consider using Kubernetes Secrets to store the private key securely.

What does the module provide?

This module will allow you to bootstrap a Rocket Pad Platform with the Sealed Secrets controller installed as well as configure the Sealed Secrets installation.

Installation

The Sealed Secrets module can be installed as described in the general Rocket Pad Platform module installation guide. The bootstrapping can be done without any configuration provided. The default values are enough to install a generic Sealed Secrets setup.

If nothing else is configured, the Sealed Secrets controller will generate a private key automatically. With configuration inside the bootstrap/config.libsonnet file, an existing private key can be used to bootstrap the Sealed Secrets installation.

In order to set a custom Sealed Secrets private key, the config can be overridden as follows:

/config.libsonnet
{
  ...
  sealedSecrets: {
    customCertificate+: {
      enabled: true,
      certificate: |||
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      |||,
      key: |||
        -----BEGIN RSA PRIVATE KEY-----
        ...
        -----END RSA PRIVATE KEY-----
      |||,
    },
  },
  ...
}

note

We recommend exporting the Sealed Secrets private key after installation and adding it to the bootstrap configuration to allow for automated disaster recovery. Use the dynamic config or another way to inject the key into the config without publishing it to Git!

Usage

After Sealed Secrets is successfully installed and a private key has either been generated or imported, a new Kubernetes Custom Resource Definition (CRD), SealedSecret, can be used. When a SealedSecret object is created in Kubernetes, the Sealed Secrets controller picks it up, decrypts it and creates a Kubernetes Secret object from it, which can be used like any other Secret within Kubernetes.

SealedSecret objects can be created with a CLI tool named kubeseal. Refer to the official documentation on how to install it. On Linux it can be downloaded as a release binary and installed, and there are also packages for package managers such as Homebrew. If Go is installed, the current kubeseal version can be installed into the Go bin path like this:

go install github.com/bitnami-labs/sealed-secrets/cmd/kubeseal@main

With kubeseal installed, normal Kubernetes Secret YAML files can be created and converted to SealedSecret objects.

As an example, here is a normal Kubernetes Secret with a password value:

secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: secret-ssh-auth
stringData:
  password: password123

The created secret.yaml can now be encrypted and converted into a SealedSecret with kubeseal:

kubeseal -f secret.yaml -w sealed-secret.yaml --format yaml

A new sealed-secret.yaml file will be created. This file can now be applied to the cluster and will be decrypted by the Sealed Secrets controller into a normal Kubernetes Secret. The sealed-secret.yaml is also safe to commit to Git or other places normally considered unsafe for storing secrets, because it is unusable without the private key stored inside the cluster.
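To make the concept above and the kubeseal step concrete, here is an added example (my own code, not the page's or the Sealed Secrets project's) that reimplements in Go, using only the standard library, the hybrid scheme Sealed Secrets applies to each value in spec.encryptedData: a fresh AES-256-GCM session key is wrapped with RSA-OAEP (SHA-256) under the cluster's public key, and the secret's scope ("namespace/name" in the default strict scope) is used as the OAEP label, so a value sealed for secret-ssh-auth in one namespace cannot be re-pointed at another. Function names are mine; the byte layout follows the project's format to the best of my knowledge.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// gcmFor builds AES-256-GCM for a single-use session key; single use is what makes the zero nonce safe.
func gcmFor(key []byte) (cipher.AEAD, []byte) {
	block, _ := aes.NewCipher(key) // a 32-byte key is always valid
	gcm, _ := cipher.NewGCM(block)
	return gcm, make([]byte, gcm.NonceSize())
}

// Seal is the kubeseal side; label is the scope ("namespace/name" in strict scope), used as the OAEP label.
func Seal(pub *rsa.PublicKey, plaintext, label []byte) ([]byte, error) {
	sessionKey := make([]byte, 32) // fresh AES-256 key per value
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	// Layout: 2-byte big-endian RSA blob length, the blob, then the AES-GCM output.
	out := make([]byte, 2, 2+len(wrapped))
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	gcm, nonce := gcmFor(sessionKey)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// Unseal is the controller side: it needs the private key and the same scope label.
func Unseal(priv *rsa.PrivateKey, sealed, label []byte) ([]byte, error) {
	if len(sealed) < 2 || len(sealed) < 2+int(binary.BigEndian.Uint16(sealed)) {
		return nil, errors.New("malformed sealed value")
	}
	n := int(binary.BigEndian.Uint16(sealed))
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealed[2:2+n], label)
	if err != nil {
		return nil, err // wrong private key or a different scope label
	}
	gcm, nonce := gcmFor(sessionKey)
	return gcm.Open(nil, nonce, sealed[2+n:], nil)
}
```

kubeseal base64-encodes this byte string when it writes it into spec.encryptedData, and the controller reverses that before decrypting.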

kubeseal reads its input from stdin as well as from a file and can therefore seal secrets exported with a kubectl command. This allows an automated migration of secrets that already exist in a running cluster into SealedSecrets that can be committed to Git for an easier GitOps setup.

Below, a sequence diagram shows how a secret is sealed, committed to Git and afterwards picked up by the GitOps tooling of the Rocket Pad Platform, including the Sealed Secrets module, in order to automatically provide the Kubernetes Secret to the cluster.