How to use kubernetes sealed secrets with helm templates

10/14/2021

I just came across the sealed secrets tool https://github.com/bitnami-labs/sealed-secrets for encrypting secrets in kubernetes, with the added benefit of being able to commit those to git.

I am a bit disappointed that such a great tool did not address helm templates by default or as part of the official documentation. I mean, for a tool like that, I am not sure if the developers thought of the different ways people use secrets, of which helm charts are a great one, where we use values template files for different environments.

Anyways, here is my setup:

secrets.yaml

---
apiVersion: v1
kind: Secret
metadata:
  name: demo-app
type: Opaque
data:
  ENV1: "{{ .Values.ENV1 | b64enc }}"
  ENV2: "{{ .Values.ENV2 | b64enc }}"
  ENV3: "{{ .Values.ENV3 | b64enc }}"

Here are the values template files for DEV and PROD, for example:

values-dev.yaml

demo-app:
  name: demo-app
  replicaCount: 1
  image:
    repository: example/demo-app
    tag: latest
    pullPolicy: Always

# secrets
ENV1: 'dev_4rlmerl4om3o'
ENV2: 'dev_eom4om4odl4o'
ENV3: 'dev_38hdineoij4oj3onod4ncen3eiixnknnkejnslrmnomntrcoenkc'

values-prod.yaml

demo-app:
  name: demo-app
  replicaCount: 1
  image:
    repository: example/demo-app
    tag: 1.0.0
    pullPolicy: Always

# secrets
ENV1: 'prod_4rlmerl4om3o'
ENV2: 'prod_eom4om4odl4o'
ENV3: 'prod_38hdineoij4oj3onod4ncen3eiixnknnkejnslrmnomntrcoenkc'

Here is how I deploy the application:


> DEV

helm upgrade --install demo-app-dev --namespace team1 -f values-dev.yaml .

> PROD

helm upgrade --install demo-app-prod --namespace team1 -f values-prod.yaml .

I am trying to use sealed secrets with this scenario, but I am not able to figure out how to without changing my whole structure completely.
-- uberrebu
kubernetes
kubernetes-helm
kubernetes-secrets

2 Answers

1/19/2022

You can generate the values_{ENV}.yaml dynamically rather than maintaining it, and then you can delete it after the deployments. This way, the next CI/CD build will generate the same for different apps.

-- Anand Badiger
Source: StackOverflow

1/19/2022

If you want to use sealed secrets with helm, you need to update the helm chart and create one new YAML template:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
  namespace: mynamespace
spec:
  encryptedData:
    foo: "{{ .Values.ENV1 }}"

So the template will create the sealed secret from values.yaml, and the K8s secret will get auto-created as mentioned in the documentation of sealed secrets.

For a different environment, you can generate the values_{ENV}.yaml file. Use it as you are doing now with values-dev.yaml and values-prod.yaml.

https://github.com/bitnami-labs/sealed-secrets#overview

-- Harsh Manvar
Source: StackOverflow
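
The second answer's approach carried through for the question's DEV/PROD layout, as an added example that is not code from either answer or from the sealed-secrets project: a shell helper that turns plaintext KEY=VALUE pairs into a values fragment of sealed strings, with the matching chart template shown in comments. The helper name `seal_values`, the `sealed:` values key and the `dev.env` / `sealed-dev.yaml` file names are assumptions; `demo-app` and `team1` are taken from the question.

```bash
#!/usr/bin/env bash
# Added example: emit the secrets part of values-<env>.yaml as sealed strings,
# so the file committed to git holds ciphertext only.
# Assumptions (not from the page): helper name seal_values, the "sealed:" values
# key, and plaintext KEY=VALUE lines on stdin (from a vault or CI secret store).
# kubeseal needs access to the controller, or --cert with its public cert.
# With the default strict scope each value is bound to the namespace and Secret
# name passed here; the rendered SealedSecret must use exactly the same pair.

seal_values() {
  local namespace="$1" name="$2" line key value sealed
  if [ -z "$namespace" ] || [ -z "$name" ]; then
    echo "usage: seal_values NAMESPACE SECRET_NAME < plain.env" >&2
    return 2
  fi
  echo "sealed:"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac       # skip blanks and comments
    case "$line" in *=*) ;; *) echo "not KEY=VALUE: skipped" >&2; continue ;; esac
    key="${line%%=*}"      # text before the first '='
    value="${line#*=}"     # everything after it, later '=' kept intact
    # --raw seals a single value; printf avoids sealing a trailing newline.
    sealed="$(printf '%s' "$value" | kubeseal --raw --from-file=/dev/stdin \
      --namespace "$namespace" --name "$name")" || return 1
    [ -n "$sealed" ] || { echo "empty ciphertext for $key" >&2; return 1; }
    printf '  %s: "%s"\n' "$key" "$sealed"
  done
}

# Chart template that consumes the output (replaces the plaintext secrets.yaml):
#   apiVersion: bitnami.com/v1alpha1
#   kind: SealedSecret
#   metadata:
#     name: demo-app
#     namespace: {{ .Release.Namespace }}
#   spec:
#     encryptedData:
#       {{- range $k, $v := .Values.sealed }}
#       {{ $k }}: {{ $v | quote }}
#       {{- end }}
#
# Usage: seal_values team1 demo-app < dev.env > sealed-dev.yaml
#        helm upgrade --install demo-app-dev --namespace team1 \
#          -f values-dev.yaml -f sealed-dev.yaml .
```

Once the chart renders the SealedSecret, the plaintext ENV1..ENV3 entries and the `b64enc` Secret template no longer need to live in the repository; base64 in a Secret manifest is encoding, not encryption.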