Bitnami Sealed Secret in Kubernetes || Hands-on Tutorial

Captions
Hello guys, so this is going to be a super quick video on what sealed secrets are, why we need to use them, and how exactly to create a new sealed secret. So let's get started. So Sealed Secrets is a Kubernetes resource which looks something like this: the kind is SealedSecret, and we have encryptedData, which is a secret; this is the key and this is the encrypted value, right? So let's see why we need this sealed secret. So the best thing about Kubernetes is that we could create Kubernetes objects; we could create, update and delete them declaratively, that is, just by adding k8s manifest files, and then we could use kubectl apply and those changes would all be applied to Kubernetes. So having all of these objects and resources declaratively has a lot of benefits: if a new member is joining in, they could clearly see what manifest files and what objects the Kubernetes cluster has, and they could also see the Git history, or the version control history, to see why those objects were changed over time. So the non-sensitive information could just go into ConfigMaps, and the sensitive information we put as Secrets. So by default Kubernetes would just ask us to base64 encode them, but there is no encryption or no security added on top of the Secrets, right? So for us, if we check those values into a Git repository, anybody could see those values, right, and they would already be shared with all the developers. So we want a safe way to be able to use the secrets declaratively, that means have them checked into our Git repository, and also we want a safe way so that even if those keys are shared with anyone, nobody could get the actual decrypted value of that secret. So this is exactly what Sealed Secrets help us with.

So if you're creating a Secret, if we see here, we give the namespace and all, and we say that this is the key and this is the value. The value we provide is a base64 encoded value; I'm just showing the normal value which is not base64 encoded, but this is how you declare a Kubernetes Secret. So anybody could base64 decode it and have a look at the value. But if you're using Sealed Secrets, in the case of Sealed Secrets the value which we have is an encrypted value, so even if this value is shared, nobody could decrypt it; only the cluster is allowed to decrypt it. So Sealed Secrets use asymmetric encryption to achieve this. So if you look at asymmetric encryption, the way asymmetric encryption works is: we have a set of two keys, one is a public key and one is a private key. So they are related, they relate to one another; it's not just any random value which we can take, so they both are related keys. So whoever is the owner, or whoever has to have the data, they would give the public key to the sender. So the sender would use the public key to encrypt the plain data; when they encrypt the plain data using the public key, encrypted data is created here. So this encrypted data could be decrypted only using the private key, so only the member who has the private key, only they can decrypt it. So in the case of Sealed Secrets, this private key is only present in the cluster; nobody has access to it. So Sealed Secrets have two prime components to it: one is a client, which uses a normal Secret and then uses the public key (it gets the public key from the cluster) and encrypts it, and this is where we get the SealedSecret manifest file; and then the other component is the controller, which runs within the cluster, so it sees this encrypted data and then uses the private key which is present in the cluster to decrypt it, and here is the decrypted value. As I said, if we look at the releases, the release notes, Sealed Secrets has two major components: one is kubeseal, which is the client side, which gets the public key from the cluster and encrypts it, and the other is the controller, which runs on the server side. So we could get the latest releases and all from here.

So I'm going to install it. So the way to install is you just say brew install kubeseal; so this you could brew install, this works on the Mac. So I already have it; it will say that it is already installed, so if we see the message here it already says that it is installed. And now to install the server side component within the cluster we have to apply, and this is where the controller is, so let me install the controller as well. So it is already installed, but I'll show you: you just have to run kubectl apply. So for me, since it's already there, it says everything is unchanged. So this controller part, this manifest, is all that is needed in order to be able to use Sealed Secrets. So we have the client side part, which is kubeseal, and we have the server side, the cluster part, which is the Sealed Secrets controller; both are there now, so we are ready to create and convert our Secrets into Sealed Secrets now.

So if you look at our cluster right now, I'm in the jomo namespace. I'm gonna refresh it just to make sure that we see the latest stuff. So in the Secrets we don't see any secret here, right, we just see a default token secret. But I'll create a new Secret with the name "jomo secret", and we'll see that it will show up here, and that it would be applied through a sealed secret. So I have these commands handy with me, right. So here, first I'll show you how exactly we can create a generic Secret using kubectl: we say kubectl, give the namespace, say create secret generic, pass the name, and we say from-literal, we pass the key and the value, and then we just want to say that we want to output JSON. So let's try to execute it. So I have a make command which makes it easy for me to execute these. So right now what it basically does is it encrypts the value, which is "secret value", into it... not encrypts, but base64 encodes it, and this is the value which we get after base64 encoding. If you're liking the video so far, please give me a thumbs up and subscribe to my channel, because it motivates me to make more such videos. So we can also check this: I have this online base64 encoder, so I add this value, and if base64 encoded we get this value; this is exactly the same as the one which we see here, right, exactly the same. So this is how a Secret would look in JSON format.

So what we need to do to create a secret is to just pipe it, right. So this command remains the same, dry-run and all, and then to create a secret we say kubeseal, output is YAML format, and then we say just put it in a file, and we give the file name. So let's try to create this; again I'll use my make command, which makes it easy for me. So this created a sealed secret file. Let's see: so we have the sealed secret file; it should create that "secret key", right, as the key, because I had the key which is "secret key". Now I am not able to decode this value; I don't know what this value would be, right, even if we check this, and it is all safe; only the person who has the private key would be able to decode it, right, and we'll see, we'll apply this.

So maybe you already have a file and you want to add multiple keys to it. So the way to do that would be using merge: so what you do is you say kubeseal, output, if you're doing it in the YAML format, and then you can say that you want to merge into the same file, right. So again I'll use a make command. So the make command, uh, I give the same value... I give the same file, which is the sealed-secret.yaml, but what I'll do is I'll give another key, which is "another secret key", and the value would be "another secret value". So currently the key is "secret key" and the value was "secret value"; this is the encrypted value. So let's try to merge another value there. So here we see that kubeseal makes it easy for us to add another key; so this is "another secret key" that has been created, another value is already encoded now. So let's try to apply it. So after we apply it we could go to the cluster, so we see this "jomo secret" showing up now, and if we click on the secret we see both the values: so this is "secret value", and for "another secret key" we had the value as "another secret value". So again, if we just compare these values with the commands we executed: so here we had the name, which was "jomo secret", which is what we get; so the key was "secret key" and the value was "secret value"; and for the other one, when we were merging, again we added it to the same secret, we added the name which was "jomo secret", and the key was "another secret key", and the value was "another secret value". So I hope this video makes it clear for you what exactly sealed secrets are, why we use them, and how exactly to create a new sealed secret. So if you like this video, please give me a thumbs up and subscribe to my channel, because it motivates me to make more such videos.
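The workflow the video walks through (plain Secret generated with `--dry-run`, piped into `kubeseal`, a second key merged into the same file, then `kubectl apply`) as reusable shell functions. This is an added example, not the video author's make targets or the Sealed Secrets project's own code. It assumes the namespace `jomo`, the secret name `jomo-secret`, the key names `secretkey` and `anothersecretkey`, and the file name `sealed-secret.yaml`; `plain_secret_json`, `check_sealed_file` and `write_sample_sealed_file` are helpers written for this example, and the ciphertext in the sample file is a constructed placeholder, not real `kubeseal` output.

```shell
#!/usr/bin/env bash
# Added example (not from the video or the Sealed Secrets project): the
# kubectl | kubeseal workflow as shell functions. Namespace, secret name, key
# names and file name are assumed; the sample file's ciphertext is a placeholder.
set -eu

NAMESPACE="${NAMESPACE:-jomo}"                   # assumed namespace
SECRET_NAME="${SECRET_NAME:-jomo-secret}"        # assumed secret name
SEALED_FILE="${SEALED_FILE:-sealed-secret.yaml}" # assumed output file

# base64-encode a value the way kubectl stores it in a Secret's .data.
# This is encoding, not encryption: anyone can reverse it.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Offline stand-in for `kubectl create secret generic ... --dry-run=client -o json`:
# builds the same plain Secret manifest so you can see exactly what is piped into kubeseal.
plain_secret_json() {
  name="$1"; ns="$2"; key="$3"; value="$4"
  printf '{"apiVersion":"v1","kind":"Secret","metadata":{"name":"%s","namespace":"%s"},"data":{"%s":"%s"}}\n' \
    "$name" "$ns" "$key" "$(b64 "$value")"
}

# Create a new SealedSecret file. The plain Secret never reaches the cluster
# (--dry-run=client); kubeseal fetches the controller's public key and encrypts
# each value, so the resulting file is safe to commit.
seal_new() {
  kubectl --namespace "$NAMESPACE" create secret generic "$SECRET_NAME" \
    --from-literal="$1=$2" --dry-run=client -o json \
    | kubeseal --format yaml > "$SEALED_FILE"
}

# Add one more key to an existing SealedSecret file; already-sealed keys are left untouched.
seal_merge() {
  kubectl --namespace "$NAMESPACE" create secret generic "$SECRET_NAME" \
    --from-literal="$1=$2" --dry-run=client -o json \
    | kubeseal --format yaml --merge-into "$SEALED_FILE"
}

# Pre-commit check: the file must be a SealedSecret, list every expected key
# under encryptedData, and contain no plain `data:` block (which would mean an
# unsealed Secret slipped into the repository).
check_sealed_file() {
  file="$1"; shift
  grep -q '^kind: SealedSecret$' "$file" || return 1
  grep -Eq '^ *data:' "$file" && return 1
  for k in "$@"; do
    grep -Eq "^ +$k: " "$file" || return 1
  done
  return 0
}

# Constructed sample of the shape kubeseal writes (placeholder ciphertext),
# so check_sealed_file can be tried without a cluster.
write_sample_sealed_file() {
  cat > "$1" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: jomo-secret
  namespace: jomo
spec:
  encryptedData:
    secretkey: AgPLACEHOLDER-CIPHERTEXT
    anothersecretkey: AgPLACEHOLDER-CIPHERTEXT
  template:
    metadata:
      name: jomo-secret
      namespace: jomo
EOF
}

# Full workflow against a real cluster (needs kubectl and kubeseal): ./seal.sh run
main() {
  seal_new secretkey 'secret value'
  seal_merge anothersecretkey 'another secret value'
  check_sealed_file "$SEALED_FILE" secretkey anothersecretkey
  kubectl apply -f "$SEALED_FILE"
}
if [ "${1:-}" = run ]; then main; fi
```

By default `kubeseal` seals in "strict" scope: the ciphertext is bound to the Secret's name and namespace, so the controller will refuse to unseal the file if either is later renamed; re-seal after such a change. If the sealing machine has no cluster access, `kubeseal --fetch-cert > pub-cert.pem` saves the controller's public certificate once and `kubeseal --cert pub-cert.pem ...` seals offline against it.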
Info
Channel: JOMO Developer
Views: 439
Keywords: kubernetes tutorial, kubernetes explained, kubernetes sealed secrets, kubernetes sealed secrets vs vault, bitnami sealed secrets, bitnami secrets, sealed secrets, sealed secrets kubernetes
Id: rnPqKOF05Mk
Length: 9min 48sec (588 seconds)
Published: Sat Jul 31 2021