How to prevent pushing Kubernetes Secrets into git repository?

12/5/2019

So I have this manifest in my project:

apiVersion: v1
kind: Secret
metadata:
  name: cambiotoday-secret-key
  namespace: default
type: Opaque
stringData:
  ct-key: <my_third_party_service_key>
---

# The rest of it, deployment and service.
...

And I'm trying to look for a way where I can push this manifest into my git repository but without publishing the actual key in it.

I'm using Skaffold to build my kubernetes application.

According to the K8S documentation:

If your application uses the following configuration file:

apiUrl: "https://my.api.com/api/v1"
username: "user"
password: "password"

You could store this in a Secret using the following:

apiVersion: v1
kind: Secret
metadata:
 name: mysecret
type: Opaque
stringData:
  config.yaml: |-
    apiUrl: "https://my.api.com/api/v1"
    username: {{username}}
    password: {{password}}

Your deployment tool could then replace the {{username}} and {{password}} template variables before running kubectl apply.

What deployment tools? That looks like exactly what I need but I don't know how to set it up.

-- RottenCheese
devops
kubernetes
skaffold

3 Answers

12/6/2019

I think a pretty neat way is to store your credentials (username, password, secret keys, etc.) in a vault such as LastPass, which comes with a CLI and works really well with k8s. It also makes it easy to manage shared credentials in a team :) https://engineering.upside.com/synchronizing-kubernetes-secrets-with-lastpass-584d564ba176

-- julian
Source: StackOverflow

12/5/2019

Have a look at sealed-secrets, it allows you to put an encrypted version of your secrets in Git.

As for deployment tools that allow you to template your YAML, have a look at Helm, Kustomize or many of the other similar tools. If that doesn't work for you, a little bit of scripting should get you there as well.

-- Niels Slot
Source: StackOverflow
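The {{username}}/{{password}} templating that the question quotes from the Kubernetes docs, done with the "little bit of scripting" this answer mentions, as an added example that is not part of the question or of any answer. It assumes a hypothetical template file path and the variable name CT_KEY; the constructed template mirrors the manifest in the question, and only that template (with the placeholder) would be committed.

```sh
#!/bin/sh
# Added example, not code from the question or any answer: render the Secret
# manifest from a committed template whose {{NAME}} tokens are filled from
# environment variables at deploy time, so the real key never enters git.

# Constructed template (hypothetical path); this file is what gets committed.
TEMPLATE_FILE="${TMPDIR:-/tmp}/cambiotoday-secret.tmpl.yaml"
cat >"$TEMPLATE_FILE" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: cambiotoday-secret-key
  namespace: default
type: Opaque
stringData:
  ct-key: {{CT_KEY}}
EOF

# render_secret TEMPLATE_FILE
# Prints the rendered manifest on stdout. Returns 1 if any placeholder has
# no non-empty variable behind it, so a half-rendered manifest is never applied.
render_secret() {
    tmpl="$1"
    # Every distinct {{NAME}} token in the template.
    names=$(grep -o '{{[A-Za-z_][A-Za-z0-9_]*}}' "$tmpl" | tr -d '{}' | sort -u)
    out=$(cat "$tmpl")
    for n in $names; do
        eval "v=\${$n:-}"
        if [ -z "$v" ]; then
            echo "render_secret: $n is not set, refusing to render" >&2
            return 1
        fi
        # Escape sed metacharacters so a value containing / & or \ survives
        # unchanged (a value containing a newline is not supported here).
        esc=$(printf '%s' "$v" | sed 's/[&/\]/\\&/g')
        out=$(printf '%s\n' "$out" | sed "s/{{$n}}/$esc/g")
    done
    printf '%s\n' "$out"
}

# Deploy-time usage: the value comes from the environment (a CI secret store,
# a password manager CLI), and the rendered manifest is piped straight into
# kubectl without ever being written to disk:
#   CT_KEY=$(cat "$HOME/.ct-key"); render_secret "$TEMPLATE_FILE" | kubectl apply -f -
```

The same loop renders any number of placeholders, so one template can carry several keys; an unset variable aborts the render instead of applying a Secret with an empty value.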

12/6/2019

There are some popular techniques to do this task:

  1. Sealed-secrets: Check here. You can actually encrypt your complete secret YAML into a sealed secret that will be decrypted again at the Kubernetes cluster level using the tool kubeseal. And you can commit the sealed secret to git or any SCM.

    It also has a lot of other features for better security, such as secret rotation and early key renewal (in case of compromise).

  2. Vault: Check here. This tool is available in a community as well as an enterprise edition. It includes a lot of other features.

  3. Kamus: Check here

and other tools.

If your requirement is not that large, Sealed Secrets would work for you.

  • Usage of Sealed Secret:
# Create a json/yaml-encoded Secret somehow:
# (note use of `--dry-run` - this is just a local file!)
$ echo -n bar | kubectl create secret generic mysecret --dry-run --from-file=foo=/dev/stdin -o json >mysecret.json

# This is the important bit:
$ kubeseal <mysecret.json >mysealedsecret.json

# mysealedsecret.json is safe to upload to github, post to twitter,
# etc.  Eventually:
$ kubectl create -f mysealedsecret.json

# Profit!
$ kubectl get secret mysecret

This way your secret is deployed, and you stored the encrypted JSON in git.

-- Umesh Kumhar
Source: StackOverflow