Use bitnami Sealed-secrets in an OKD / OpenShift 4 cluster

Bitnami Sealed-Secrets in OKD/OpenShift4

The easiest way to roll out Bitnami Sealed Secrets is to deploy the controller directly from its YAML manifest.

Background

Bitnami Sealed-secrets ( https://github.com/bitnami-labs/sealed-secrets ) comes in 2 parts:

  1. a Kubernetes controller (here in namespace infra-sealed-secrets) which watches custom resources of kind SealedSecret (API group bitnami.com, installed through a CRD) and generates a plain Secret from each one. In the SealedSecret the data is encrypted with the controller's public key, so only the controller, which holds the matching private key, can decrypt it
  2. a command line client, kubeseal, which fetches the controller's public certificate from the cluster and does the encryption on your machine. The plaintext never leaves your workstation; only the sealed result is committed or applied

Implementation in OKD / OpenShift 4

What do we do?

  • create namespace infra-sealed-secrets
  • deploy the controller (after the security patch to the manifest)
  • aggregate the two roles shipped with the controller into the standard admin and edit roles, so project admins and editors can manage SealedSecrets in their own namespaces
  • optional: install the kubeseal client (step 2)

Install in OpenShift / OKD 4

(This one is tested in OKD 4.7 and OpenShift 4.6)

  • edit ./config.sh (only the version number for now ;-))
  • login to your cluster with cluster-admin rights
  • sh 1-controller-getyaml.sh (this fetches the install manifest for that version; it does not apply anything)
  • sh 2-controller-deploy.sh (this patches the manifest and installs it in the namespace infra-sealed-secrets)
  • sh 3-tools-MyOperatingSystem.sh (installs the kubeseal command line client; for Windows look at https://github.com/bitnami-labs/sealed-secrets/releases/tag/v0.16.0 )

usage after install

You can generate a Secret locally and turn it into a SealedSecret:

  • login to your cluster: oc login -u myusername

  • echo -n banana | oc create secret generic fruitsecret --dry-run=client --from-file=famousfruit=/dev/stdin -o yaml > examples/fruitsecret.yaml This only renders the Secret to a file (--dry-run=client, nothing is sent to the cluster). The value is base64 encoded, not encrypted:

    apiVersion: v1
    kind: Secret
    metadata:
       creationTimestamp: null
       name: fruitsecret
    data:
       famousfruit: YmFuYW5h
    
  • first variant: seal it online: kubeseal --controller-namespace=infra-sealed-secrets -o yaml < examples/fruitsecret.yaml > examples/fruitsecret-sealed.yaml kubeseal fetches the controller's public certificate from the cluster and encrypts the values. The namespace is taken from the Secret or, as here where it has none, from your current project (develop). This makes our SealedSecret:

    apiVersion: bitnami.com/v1alpha1
    kind: SealedSecret
    metadata:
       creationTimestamp: null
       name: fruitsecret
       namespace: develop
    spec:
       encryptedData:
          famousfruit: 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
       template:
          data: null
          metadata:
             creationTimestamp: null
             name: fruitsecret
             namespace: develop
    
  • second variant: fetch the certificate once and seal offline (not advised, but possible ;-)). The certificate is public, so storing it is not a leak, but it belongs to one controller key, and the controller renews its key periodically (by default every 30 days), so fetch it again from time to time:

    • get the public certificate: kubeseal --fetch-cert --controller-namespace infra-sealed-secrets > examples/cert.pem
    • generate the SealedSecret offline: kubeseal --cert examples/cert.pem -o yaml < examples/fruitsecret.yaml > examples/fruitsecret-sealed-offline.yaml
  • now you can import this with oc apply -f examples/fruitsecret-sealed.yaml (or with ArgoCD, ...); the controller then creates the plain Secret fruitsecret in namespace develop

DANGER: the sealed value is encrypted with your cluster's sealed-secrets certificate, and in the default (strict) scope the secret name AND the namespace are bound into the encryption as well. You therefore cannot simply rename the SealedSecret, move it to another namespace or carry it to another cluster: the controller will refuse to unseal it. You have to re-seal it for the new name/namespace, or seal it with a wider scope from the start (namespace-wide or cluster-wide, see https://github.com/bitnami-labs/sealed-secrets#scopes ).
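To make the binding of name and namespace concrete, here is an added example that is not part of this repository or of the sealed-secrets project: a minimal Go reimplementation of the sealing scheme as I understand it from upstream's crypto package, and it assumes that scheme (a random AES-256-GCM session key wrapped with RSA-OAEP/SHA-256, with the namespace/name string as the OAEP label). The key pair stands in for the controller's key and is generated inside the program; nothing talks to a cluster, and the Scope type, EncryptionLabel, HybridEncrypt, HybridDecrypt and SealValue names are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// Scope mirrors kubeseal's --scope: how much of the Secret's identity is bound in.
type Scope int

const (
	Strict        Scope = iota // label "namespace/name" (kubeseal default)
	NamespaceWide              // label "namespace"
	ClusterWide                // empty label, nothing bound
)

// EncryptionLabel returns the RSA-OAEP label used for a target Secret.
func EncryptionLabel(namespace, name string, scope Scope) []byte {
	switch scope {
	case NamespaceWide:
		return []byte(namespace)
	case ClusterWide:
		return []byte{}
	default:
		return []byte(namespace + "/" + name)
	}
}

// HybridEncrypt wraps a fresh 256-bit AES session key with RSA-OAEP(SHA-256) under
// the label and AES-GCM encrypts the value with it. Output layout: 2-byte big-endian
// wrapped-key length || wrapped key || GCM ciphertext. The all-zero nonce is safe
// only because every session key is used exactly once.
func HybridEncrypt(pub *rsa.PublicKey, plaintext, label []byte) ([]byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2)
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	return aead.Seal(out, make([]byte, aead.NonceSize()), plaintext, nil), nil
}

// HybridDecrypt is the controller side: a label that differs from the one used
// when sealing makes the OAEP unwrap fail, so the value cannot be re-homed.
func HybridDecrypt(priv *rsa.PrivateKey, ciphertext, label []byte) ([]byte, error) {
	if len(ciphertext) < 2 || len(ciphertext) < 2+int(binary.BigEndian.Uint16(ciphertext)) {
		return nil, fmt.Errorf("malformed sealed value")
	}
	n := int(binary.BigEndian.Uint16(ciphertext))
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext[2:2+n], label)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key with label %q: %w", label, err)
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, make([]byte, aead.NonceSize()), ciphertext[2+n:], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealValue returns the base64 string that ends up in spec.encryptedData.
func SealValue(pub *rsa.PublicKey, namespace, name string, scope Scope, value []byte) (string, error) {
	ct, err := HybridEncrypt(pub, value, EncryptionLabel(namespace, name, scope))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

func main() {
	// Throwaway key pair standing in for the controller's key (generated here, not fetched).
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	sealed, _ := SealValue(&priv.PublicKey, "develop", "fruitsecret", Strict, []byte("banana"))
	fmt.Println("encryptedData.famousfruit:", sealed)
	ct, _ := base64.StdEncoding.DecodeString(sealed)
	_, err := HybridDecrypt(priv, ct, EncryptionLabel("production", "fruitsecret", Strict))
	fmt.Println("same value moved to production/fruitsecret:", err)
}
```

Unsealing with the label develop/fruitsecret returns banana; the same ciphertext with the label production/fruitsecret (or develop/otherName) fails at the OAEP step, which is exactly what the controller does when a SealedSecret is moved or renamed. Sealing with NamespaceWide lets you rename within the namespace but not move it, and ClusterWide binds nothing, which is why the wider scopes should be a deliberate choice.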

Misc

There's a small example shell script ./secretfiller.sh as a starting point for your automation. I'm using this to generate my SealedSecret resources inside Git for my ArgoCD deployments.


Peter Pfläging <peter@pflaeging.net> (this work is under Apache 2.0 license)