GitOps - Store Secrets

GitOps requires every piece of config (yaml), secrets included, to live in Git, and a Kubernetes Secret is essentially plaintext (its data is only base64-encoded, not encrypted). To do GitOps properly we therefore have to encrypt the secrets before pushing them to the Git repo.

The flow is: encrypt secret.yaml locally with kubeseal (using the public key of the sealed-secrets controller), commit the result, and let the sealed-secrets controller running in the cluster decrypt it back into an ordinary Kubernetes Secret.

release=$(curl --silent "https://api.github.com/repos/bitnami-labs/sealed-secrets/releases/latest" | sed -n 's/.*"tag_name": *"\([^"]*\)".*/\1/p')

# Install client-side tool into /usr/local/bin/
GOOS=$(go env GOOS)
GOARCH=$(go env GOARCH)
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/$release/kubeseal-$GOOS-$GOARCH
sudo install -m 755 kubeseal-$GOOS-$GOARCH /usr/local/bin/kubeseal

# Note: If installing on a GKE cluster, a ClusterRoleBinding may be needed to successfully deploy the controller in the final command. Set USER_EMAIL to the account you use against the cluster (the author's is shown here), and then deploy the cluster role binding:
USER_EMAIL=rammus.xu@swag.live
kubectl create clusterrolebinding $USER-cluster-admin-binding --clusterrole=cluster-admin --user=$USER_EMAIL

# Install SealedSecret CRD and the server-side controller into the kube-system namespace (by default)
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/$release/controller.yaml
# Note: the separate sealedsecret-crd.yaml is only needed for releases < 0.8.0; from 0.8.0 on the CRD
# is bundled in controller.yaml and this file is no longer published, so skip the next line on a current release.
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/$release/sealedsecret-crd.yaml

Create secret.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  namespace: argocd
type: Opaque
data:
  mykey: bXlrZXk=   # base64 of "mykey"

Encrypt secret.yaml (kubeseal fetches the controller's public certificate through the API server, so it needs a working kubeconfig):

kubeseal <secret.yaml >encrypted.yaml --format yaml

kubeseal emits a SealedSecret custom resource, encrypted.yaml (the ciphertext has been omitted here):

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: mysecret
  namespace: argocd
spec:
  encryptedData:
    mykey: <ciphertext omitted>

Apply encrypted.yaml:

kubectl apply -f encrypted.yaml
sealedsecret.bitnami.com/mysecret created

Get mysecret (the controller has decrypted the SealedSecret and created the Secret in the same namespace, with the SealedSecret as its owner, so deleting the SealedSecret also removes the Secret):

kubectl get secrets mysecret -n argocd -o yaml
apiVersion: v1
data:
  mykey: bXlrZXk=
kind: Secret
metadata:
  creationTimestamp: "2019-07-17T08:42:38Z"
  name: mysecret
  namespace: argocd
  ownerReferences:
  - apiVersion: bitnami.com/v1alpha1
    controller: true
    kind: SealedSecret
    name: mysecret
    uid: d50676ae-a86e-11e9-bfe3-42010a8c0104
  resourceVersion: "96285790"
  selfLink: /api/v1/namespaces/argocd/secrets/mysecret
  uid: d50b582b-a86e-11e9-9599-42010a8c010e
type: Opaque

Conclusion

So we only need to push encrypted.yaml to our Git repo and let the GitOps tool (Argo, Flux, ...) deploy it to the cluster; the sealed-secrets controller decrypts it into a Kubernetes Secret. By default the ciphertext is bound to the Secret's namespace and name, so a SealedSecret copied to another namespace will not decrypt.

Remember: never push the unencrypted secret.yaml to Git! Keep it on your local machine only. Also keep in mind that the private key lives in a Secret in the controller's namespace (kube-system): anyone who can read Secrets there can decrypt everything in the repo, so back that key up and restrict access to it.
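The two habits above, sealing without ever writing secret.yaml to disk and refusing to commit a plain Secret, as an added example that is not part of the original post. The seal_literal function assumes kubectl and kubeseal are installed and the controller runs in kube-system (it is not exercised offline); the guard functions use only grep and can be wired into a git pre-commit hook. The file names and the --hook flag are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post or the sealed-secrets project.
# Assumes kubectl and kubeseal are on PATH and the controller is in kube-system.

# seal_literal NAME NAMESPACE KEY VALUE OUT
# Build the Secret with a client-side dry run so the plaintext only exists in
# a pipe, then seal it with the controller's public key into OUT.
seal_literal() {
  name=$1; ns=$2; key=$3; value=$4; out=$5
  kubectl create secret generic "$name" \
      --namespace "$ns" \
      --from-literal="$key=$value" \
      --dry-run=client -o yaml \
    | kubeseal --controller-namespace kube-system --format yaml >"$out"
}

# is_plain_secret FILE
# Returns 0 if FILE declares a plain Kubernetes Secret (kind: Secret).
# The pattern is anchored at end of line, so "kind: SealedSecret" does not
# match; leading whitespace is allowed so nested or list-item docs are caught.
is_plain_secret() {
  grep -Eq '^[[:space:]]*kind:[[:space:]]*Secret[[:space:]]*$' "$1"
}

# reject_plain_secrets FILE...
# Reports every plain Secret manifest on stderr; returns 1 if any was found.
reject_plain_secrets() {
  rc=0
  for f in "$@"; do
    if is_plain_secret "$f"; then
      echo "refusing to commit plaintext Secret: $f" >&2
      rc=1
    fi
  done
  return $rc
}

# Pre-commit hook entry point (hypothetical wiring): from .git/hooks/pre-commit run
#   exec /path/to/this.sh --hook
# Only staged .yaml/.yml files are checked; paths with spaces are not supported.
if [ "${1:-}" = "--hook" ]; then
  staged=$(git diff --cached --name-only --diff-filter=ACM | grep -E '\.ya?ml$' || true)
  [ -z "$staged" ] && exit 0
  reject_plain_secrets $staged
  exit $?
fi
```

Usage: `seal_literal mysecret argocd mykey mykey encrypted.yaml` produces the same SealedSecret as the manual steps above without a secret.yaml ever touching disk, and the hook makes a slip like `git add secret.yaml` fail at commit time instead of after the push.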

Other Choices

Reference

https://github.com/argoproj/argo-cd/issues/1364
https://www.weave.works/blog/storing-secure-sealed-secrets-using-gitops
