Opinionated: Managing Kubernetes Secrets using Bitnami Sealed Secrets & Reloader

Akash Patel
3 min read · Dec 2, 2024


Kubernetes, often abbreviated as K8s, is an open-source container orchestration platform that automates the deployment, scaling, and management of containerized applications. Originally developed by Google, Kubernetes has become the de facto standard for managing cloud-native applications and microservices architectures since its release in 2014. It provides a robust framework for running applications reliably across various environments, including on-premises and cloud infrastructures.

Advantages of Kubernetes

Kubernetes offers numerous advantages that enhance application management and operational efficiency, among them scalability, high availability, resource efficiency, portability, automated operations, rolling updates and rollbacks, multi-cloud capability, and large community support.

Kubernetes has one small problem: it stores Secrets base64-encoded rather than encrypted. To overcome this, I use Bitnami Sealed Secrets to encrypt secrets and Reloader to automatically restart the pod when it detects a change in a secret.

Pre-requisites

  1. Helm
  2. Kubeseal
  3. Kubectl

Installation

Bitnami Sealed Secret

Add the Helm repository and install Sealed Secrets with Helm.

#adding helm repo
helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets

#installing sealed secrets (I'm installing in the kube-system namespace, which is optional)
helm install my-release sealed-secrets/sealed-secrets -n kube-system

The sealed-secrets controller pod should now be in the Running state.

Reloader

Install Reloader with the kubectl command below, which installs it in the default namespace.

kubectl apply -f https://raw.githubusercontent.com/stakater/Reloader/master/deployments/kubernetes/reloader.yaml

Reloader should now be running in the default namespace.

Configuration

Now we need to configure Sealed Secrets and Reloader, which is simple: just follow the steps below.

Step 1. Next, fetch the private key from the sealed secret controller.

kubeseal --fetch-cert --controller-name my-release-sealed-secrets --controller-namespace kube-system

Step 2. Create a base64-encoded Secret. (For this to work, make sure to set the namespace in the Secret.)

apiVersion: v1
kind: Secret
metadata:
  name: db-secret
  namespace: test # Required for sealed secret to work
  annotations:
    reloader.stakater.com/auto: "true" # use this annotation for reloader to work
type: Opaque
data:
  POSTGRES_DB: bXlfZGI=
  POSTGRES_USER: bXlfdXNlcg==
  POSTGRES_PASSWORD: bXlfcGFzc3dvcmQ=

Step 3. Encrypt the encoded Secret.

kubeseal --controller-name my-release-sealed-secrets --controller-namespace kube-system --format yaml < dummy-secret.yaml > encrypted-dummy-secret.yaml

An encrypted SealedSecret file (encrypted-dummy-secret.yaml) is created.

Step 4. Add the annotation to the Deployment manifest.

annotations:
  secret.reloader.stakater.com/reload: "db-secret" # Add this for reloader to work
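As an added example (not taken from the original post), here is a minimal Deployment that consumes db-secret and carries the Reloader annotation; the deployment name, label and container image are placeholders. The annotation sits on the Deployment's own metadata, not on the pod template, because Reloader watches the workload object. An alternative is reloader.stakater.com/auto: "true" on the Deployment, which makes Reloader watch every Secret and ConfigMap the pod template references; either form is sufficient.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: db-client            # placeholder name
  namespace: test            # same namespace as db-secret
  annotations:
    # Roll the Deployment whenever db-secret changes (Step 4 of the post).
    secret.reloader.stakater.com/reload: "db-secret"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: db-client
  template:
    metadata:
      labels:
        app: db-client
    spec:
      containers:
        - name: app
          image: example.com/app:1.0   # placeholder image
          envFrom:
            - secretRef:
                name: db-secret        # POSTGRES_DB/USER/PASSWORD become env vars
```

Because the values are injected as environment variables, a running container cannot pick up a new value by itself; that is exactly why the Reloader rollout in Step 6 is needed.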

Step 5. Deploy the encrypted secret and verify.

kubectl apply -f encrypted-dummy-secret.yaml

The SealedSecret is created and the controller automatically decrypts it into a regular Secret.

Reading values from the Secret also works as expected.

Step 6. Verify that Reloader works.

I will change the password value and repeat all the steps from Step 2 (creating an encoded secret) onward.

You will see that the pod's restart count is still 0, but when I check with kubectl exec, POSTGRES_PASSWORD has changed from my_password to new-password. (The restart count stays 0 because Reloader triggers a rolling update of the Deployment, so a new pod is created rather than the existing one being restarted in place.)

For more information, refer to the following links.

Bitnami Sealed Secrets- https://github.com/bitnami-labs/sealed-secrets

Reloader- https://github.com/stakater/Reloader
