Bitnami Sealed Secrets - How To Store Kubernetes Secrets In Git Repositories

Video Statistics and Information

Reddit Comments

FTR: https://github.com/mozilla/sops is an alternative that also works outside of k8s.

👍︎︎ 19 👤︎︎ u/amorpisseur 📅︎︎ Jan 06 2021 🗫︎ replies

I've been trying this https://akv2k8s.io/ lately. I feel it suits exactly what we need for KaaS offerings, and I'm surprised the cloud providers don't have their own operators for this. We've used Sealed Secrets in the past, but the lack of development at the time forced us to abandon it.

👍︎︎ 2 👤︎︎ u/Rhazes_Darkk 📅︎︎ Jan 07 2021 🗫︎ replies

Thanks

👍︎︎ 1 👤︎︎ u/Kopertin 📅︎︎ Jan 06 2021 🗫︎ replies
Captions
What are you doing, Viktor? Are you using git? I mean, of course you are using it. If you're not, then you're in the wrong channel; you're probably interested in fashion advice or, I don't know, some hobby site. But you are here because you're a software engineer and you are using git, and hopefully you're moving your way of operating stuff to be based on GitOps. You're probably using one of the GitOps tools like Argo CD or Flux to manage the synchronization between what is defined in git and what is the actual state in your clusters. If you're confused and you don't know what GitOps is, then the link is above; go check it out, it explains what GitOps is, and afterwards you can check out Flux and Argo CD.

But all that doesn't matter really, because you are storing stuff in git. You're storing manifests of your deployments, you're storing your source code, and so on and so forth. What you're probably not storing, those are secrets, because that would be silly, right? It would be silly to store your passwords and authentication tokens and whatnot in git, right? That would be insecure. You would get fired, probably. So what are you doing? Are you using HashiCorp Vault? Are you using secrets managers from AWS, Azure or Google, or something like that?

But wait, let's go back for a second. Why are you not storing everything in git, including secrets? Is it too dangerous? Is it insecure? Will you get fired? Now, what if I tell you that git can be the full, the complete source of truth of the desired state of everything, including secrets? What if I tell you that we can and we should store secrets in git, and that you will not get fired because of that? And what if I tell you that that happens to be probably the best way to treat manifests, including secrets, and at the same time very secure? And one more thing: what if we can make all that be very easy? Wouldn't that be tempting?

Let's explore how we can store everything in git. I mean, you know how to store everything in git, but how can we include secrets together with everything else you're storing in git? We are going to use Sealed Secrets from Bitnami to do just that.

So what do we need? We need a Kubernetes cluster. Did I mention this is going to be about storing secrets that are used in Kubernetes, not somewhere else? There are non-Kubernetes solutions, but today it's going to be about Kubernetes, and you probably noticed almost everything is about Kubernetes today. So we need a Kubernetes cluster. Create one; create a Kubernetes cluster right away if you don't have one. I will be using, what am I using today? Yes, I will be using minikube. It could be Docker Desktop, it could be GKE, EKS, AKS, anything you want, a Kubernetes cluster. I assume that you have kubectl, and we will need two more things beyond the obvious. One is the kubeseal CLI. I will provide the link to the kubeseal project from where you can install the kubeseal CLI. So that's the one: kubeseal, let's say, help. Right, I already have that CLI installed. So install the kubeseal CLI; the instructions are on the project page, and the link to the project page is in the gist which is in the description of this video. And we need one more thing, and that is to install the controller inside of the cluster. You will see what it's good for, why we want the controller; for now, just install it. Again, the instructions are in the gist: kubectl apply and then the path to the controller that is stored in the git repository of the project. And there we go. No, not yet. One, two, three, there we go, the controller is installed. You can ignore the warnings; they will disappear at some moment anyways. The controller is installed, and now we can explore how we can store secrets in git, sealing secrets before storing them in git so they are safe, and with that we can solve one of the big problems of GitOps, and that is: how do I store secrets? I can store everything in git except secrets. Well, not after this video. So let's explore kubeseal in 20 minutes or less.

What is the problem in the first place? Let's define the problem. Let's say that we need to have a secret in our Kubernetes cluster. How would we normally deal with that? That would be something like: kubectl --namespace, where do we want to store that secret? Let's say in the default namespace. We want to create a secret, and let's say that this time it's going to be generic, and it's going to be called my-secret. And what else? I will not create it directly in my cluster. I could; that's what most people do. But I don't want to do that, because I want to store that secret in my git repository together with the rest of the manifests of this imaginary application. So I cannot create it directly in the Kubernetes cluster, because that would be, well, awful. I'm not supposed to manage my Kubernetes cluster directly; I should store all the manifests in git. So I will do a dry run to demonstrate what happens: --dry-run=client. And what else? Let's say that we're going to generate a secret from a literal value; there can be other ways to create Kubernetes secrets. So --from-literal, and it's going to be foo=bar, the silly, silly, silly example. And then I'm going to output. So this is not creating anything in my cluster; this is a dry run and I'm going to output it. Oh, I'm missing the output: --output json, right? So let's see the manifest. This will create the manifest for us that we can store in git.

Now, if you would store this in a file and push it to git, then everybody would know that the secret of foo, here it is, is YmFy. Now, this might sound like it's encrypted. I mean, it is, but this is base64 encryption. This is future me recording later: it's not base64 encryption, it is base64 encoding. So whenever you hear me saying base64 encryption, I wanted to say encoding, but I'm too lazy to record the whole video again, so this is me correcting myself later. Base64 encoding, not encryption. Anybody can decrypt this by using base64 decryption.

So now that we saw how we can create a secret very quickly, let's say that we want to store it in git. We cannot store this file; this would be silly, because this can be easily decrypted, and we are going to seal it first. So let's see how we can do that. What is the easiest way to seal a secret, encrypt it in a way that nobody can decrypt it, nobody can figure out what the secret is without decrypting it, and nobody can decrypt it without having access to our cluster? So it's relatively safe, and one more thing: you will not get fired, you will not lose your job for doing what I'm doing. So we're going to seal the secret. How do we do that? I'm going to pipe this definition, this secret that is easily readable, to kubeseal, and then I'm going to store the output in the file my-secret. This is safe; you will see soon why it is OK to store it in a file this time and it wasn't before. So this is what we got this time. Now, this is almost the same as what we had before, except that the value of foo is now this. Now you cannot base64 decrypt this. I mean, you can try to decrypt it, but you will not get anything meaningful. So we have a file that has a secret, but the secret is encrypted.

And what we can do now, we can say kubectl create... Imagine... Stop, stop, stop, stop. Let me stop myself. What are you doing, Viktor? Imagine that we pushed this to git now. I'm not going to push it to git, because there is no reason; you have an imagination big enough to imagine it. So we push the secret to git, and now some GitOps tool like Argo CD or Flux would deploy that secret to our cluster. But I didn't want to complicate it today, so I'm going to apply this secret directly to the cluster, even though you shouldn't be doing it; you shouldn't modify the state of your cluster directly. So I'm going to create a secret that is stored in that file. Remember, this is now a sealed secret; this is not a secret that can be decrypted by anybody, but by who? Yes, by the kubeseal controller that is already running in the cluster, the one that we installed before. So kubectl create, and then the file name is going to be my-secret.yaml. And now this secret is created in the cluster, but it's not the same as what you see here in the file. It's not the same; kubeseal decrypted this and stored it in the cluster. So in other words, we are encrypting manifests that can be decrypted only by the controller running in the cluster. So only those who have access to a specific namespace and specific resources in our cluster can decrypt this secret, and in this case it was decrypted automatically. You will see soon how and why that happened.

But for now, what is important is that we created two things. One is the manifest that contains the secret that is encrypted, that is sealed, and can be safely stored in a git repository. And the other thing that happened is that when we created the secret inside of the cluster, that secret was encrypted when it entered the cluster, and then kubeseal decrypted it and provided to our resources the decrypted section, the real secret, the one that should be used by our applications. And for that, the definition that kubeseal created out of the normal, let's say, definition is slightly different. So instead of creating the secret itself, we're creating a SealedSecret, and then Bitnami Sealed Secrets decrypted that secret inside of the cluster. You will see soon how that happened and why that happened. Actually, as a matter of fact, let's take a quick look now at what we got in the cluster. So if I do kubectl get secret... Remember, we did not create a secret; we created a sealed secret that is encrypted, and then kubeseal converted it into a real secret, whatever that means. So if you say kubectl get secret my-secret, and the output, let's say, is yaml, this is what we got. Where is it? Where is it? It should be somewhere at the top. Here we go: data foo equals YmFy, which is base64, but not really a sealed secret. So we created a sealed secret, we stored it in git, or supposedly, we saw storing it, we created that resource in a Kubernetes cluster, and then kubeseal made sure that it is decrypted, and we can see that the real secret is created for us by kubeseal. The data has the key and the value that is base64 encoded, because that's how Kubernetes secrets work. And is there anything else? Yes, there is another thing. Here you go: here we can see that the owner references are pointing to the Bitnami controller called SealedSecret. So from now on, this secret is not managed by us; it is managed by Bitnami Sealed Secrets, and we are creating sealed secrets and not secrets anymore, and they're safe to be stored in git.

So let's confirm that. If I output this secret again, but this time the output should be json, right, and the value can be, let's take a look at data foo, the key that we stored, and what is the output? The output is this, YmFy, but if we base64 decode it and maybe add an empty line at the bottom, we see that the value is bar. That is the value that we created initially, that is sealed. All we have to do is pass secrets through the kubeseal CLI that converts those manifests into sealed secrets that are safe to be stored in git, and then we can apply them in a cluster one way or another, whichever tool you're using. And that's all there is; it's as simple as it can get, but very safe. Nobody, and I repeat, nobody can decrypt, unseal your secrets except those who have access to your Kubernetes cluster.

There is not much more to say about sealed secrets. They are simple, and simplicity is a good thing, but don't think that because it's simple it's not good. It's excellent. It is a missing piece towards GitOps, towards being able to define everything, literally everything, and store it in git. Without some way to seal, to encrypt secrets and store them in git, we cannot say that we are applying GitOps; we cannot say that the source of truth is in git. The best we can do is say, hey, git is the source of truth for everything except secrets. With a solution similar to Bitnami Sealed Secrets or something like that, we can say, hey, everything we do is in git. And this was the missing piece; this was missing from the whole idea about the full desired state being stored in git, a missing piece that is very welcome. Now, with Sealed Secrets or something similar, you can finally say that git is the complete, full, ultimate source of truth, the source of the desired state. Everything is stored in git, and then you can use Flux or Argo CD, hey, links are above somewhere, to manage your deployments, your state, from git into your cluster.

Thank you for watching. See you next time. Is there anything else? Can I say anything else interesting about this? This is going to be the shortest video ever. I love the idea that there is nothing I can talk about beyond five minutes about the technology, and that technology is awesome. Brilliant.
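The workflow the video walks through (render a Secret with a client-side dry run, pipe it through kubeseal, commit the SealedSecret, let the in-cluster controller unseal it), written out as shell functions. This is an added example, not code from the video, the gist, or the Sealed Secrets project. It assumes kubectl and kubeseal are on PATH and that the controller is installed with its default name and namespace (otherwise pass --controller-name / --controller-namespace to kubeseal); the namespace default, the secret name my-secret and the literal foo=bar are the video's own throwaway values. It adds one check the video does not show: a small pre-commit guard that refuses any manifest still containing an unsealed kind: Secret, which is the mistake that actually gets people fired. The two sample manifests at the bottom are constructed for the guard and are not real cluster output.

```shell
#!/bin/sh
# Added example (not from the video or the Sealed Secrets project): the
# kubectl -> kubeseal -> git -> cluster workflow as shell functions, plus a
# pre-commit guard that refuses plain Secret manifests.
# Assumptions: kubectl and kubeseal on PATH, Sealed Secrets controller
# installed with default name/namespace; "default", "my-secret" and foo=bar
# are the video's throwaway values.
set -eu

NAMESPACE=default
SECRET_NAME=my-secret

# 1. Render a plain Secret without touching the cluster. This is what must
#    never be committed: .data.foo is base64("bar"), encoding, not encryption.
render_secret() {
  kubectl --namespace "$NAMESPACE" create secret generic "$SECRET_NAME" \
    --dry-run=client --from-literal=foo=bar --output json
}

# 2. Seal it. kubeseal fetches the controller's public certificate from the
#    cluster and encrypts each value so that only the controller's private key
#    can recover it. The default (strict) scope binds the ciphertext to this
#    name and namespace, so the sealed value cannot be moved to another secret.
seal_secret() {
  render_secret | kubeseal --format yaml > "${SECRET_NAME}-sealed.yaml"
}

# Optional: cache the public certificate so sealing also works where there is
# no cluster access (e.g. a CI runner) via: kubeseal --cert pub-cert.pem
fetch_cert() {
  kubeseal --fetch-cert > pub-cert.pem
}

# 3. Apply the SealedSecret (Argo CD or Flux would do this from git) and show
#    that the controller produced an ordinary Secret holding the original value.
apply_and_verify() {
  kubectl create --filename "${SECRET_NAME}-sealed.yaml"
  n=0
  until kubectl --namespace "$NAMESPACE" get secret "$SECRET_NAME" >/dev/null 2>&1; do
    n=$((n + 1))
    [ "$n" -lt 30 ] || { echo "controller never unsealed $SECRET_NAME" >&2; return 1; }
    sleep 1
  done
  kubectl --namespace "$NAMESPACE" get secret "$SECRET_NAME" \
    --output jsonpath='{.data.foo}' | base64 -d
  echo
}

# base64 is reversible by anyone: decode_secret_value YmFy prints bar.
decode_secret_value() {
  printf '%s' "$1" | base64 -d
}

# Pre-commit guard: print every manifest that still contains an unsealed
# Secret ("kind: Secret" in YAML, "kind": "Secret" in JSON). A SealedSecret
# does not match because the pattern is anchored on the whole word.
plaintext_secret_files() {
  for f in "$@"; do
    if grep -Eq '^[[:space:]]*kind:[[:space:]]*Secret[[:space:]]*$|"kind"[[:space:]]*:[[:space:]]*"Secret"' "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Constructed sample manifests for the guard (not real cluster output).
PLAIN_SAMPLE='apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: default
data:
  foo: YmFy'
SEALED_SAMPLE='apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: my-secret
  namespace: default
spec:
  encryptedData:
    foo: AgB...ciphertext elided...'

# Run the guard over both samples and print how many files it flagged (1).
demo_guard() {
  dir=$(mktemp -d)
  printf '%s\n' "$PLAIN_SAMPLE" > "$dir/secret.yaml"
  printf '%s\n' "$SEALED_SAMPLE" > "$dir/sealed-secret.yaml"
  plaintext_secret_files "$dir/secret.yaml" "$dir/sealed-secret.yaml" | wc -l | tr -d ' '
  rm -r "$dir"
}

# Against a live cluster: sh this-script.sh run
if [ "${1:-}" = run ]; then
  seal_secret
  plaintext_secret_files "${SECRET_NAME}-sealed.yaml"   # prints nothing
  apply_and_verify                                     # prints bar
fi
```

Two caveats worth keeping in mind when you adopt this. First, the private key that unseals everything is itself stored as a Secret in the controller's namespace, so the real trust boundary is RBAC read access to that namespace, and you want the key backed up before you depend on it. Second, because of the strict scope, renaming a secret or moving it to another namespace means re-sealing it from the plaintext; if that is too rigid, kubeseal's --scope flag relaxes the binding at the cost of letting a sealed value be replayed elsewhere.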
Info
Channel: DevOps Toolkit by Viktor Farcic
Views: 5,423
Rating: 4.9307361 out of 5
Keywords: kubernetes secrets tutorial, Viktor Farcic, kubernetes secrets and configmaps, sealed secrets flux, secrets, sealed secrets argocd, k8s, sealed secrets tutorial, kubernetes secrets management, sealed secrets kubernetes, Sealed Secrets, secret, sealed secrets example, Kubernetes, kubernetes secrets encryption, kubernetes secrets example, sealed secrets bitnami
Id: xd2QoV6GJlc
Length: 16min 59sec (1019 seconds)
Published: Wed Jan 06 2021