Recently I explained how HashiCorp Vault can be used to manage secrets effectively: the secrets never live in your Git repository or any other storage system, and all sensitive credentials are stored directly in HashiCorp Vault. But what if you want to keep secrets in Git or another storage engine and retrieve them when needed? How do you keep those credentials secure? Bitnami Sealed Secrets can help you achieve that.
What is Bitnami Sealed Secrets
Bitnami Sealed Secrets is a tool for securely managing Kubernetes secrets. It lets you encrypt sensitive information (such as passwords or API keys) into “sealed secrets” using a public key. Only the Kubernetes cluster holding the corresponding private key can decrypt and use these secrets, which makes it safe to store and share the encrypted form in version control systems like Git and reduces the risk of exposing sensitive data. The sealed secrets can also be stored in other storage engines like Amazon S3, GCS, and Azure Blob Storage.
How It Works
Encryption: A SealedSecret is created by encrypting a Kubernetes Secret using a public key (generated by the Sealed Secrets controller). The encrypted SealedSecret can be stored in Git or other version control systems.
Decryption: The Sealed Secrets controller running in the Kubernetes cluster holds the private key. When the SealedSecret is applied to the cluster, the controller decrypts it and creates a standard Kubernetes Secret.
Security: Only the cluster with the private key can decrypt the SealedSecret. The public key can be shared freely, as it cannot be used to decrypt the secrets.
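As an added illustration of the encryption and decryption steps above, and not code from this post or from the sealed-secrets project, the Go below reproduces the hybrid scheme the controller uses: each value is encrypted with a one-time AES-256-GCM key, and that key is wrapped with RSA-OAEP using the Secret's namespace/name as the OAEP label. The byte layout follows the project's scheme as I understand it and is shown for illustration rather than as a wire-compatible reimplementation; the point a practitioner cares about is that the same ciphertext fails to unseal under a different namespace/name, so a SealedSecret cannot simply be copied into another namespace.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Seal mirrors the controller's hybrid scheme: a one-time 32-byte AES key is
// wrapped with RSA-OAEP (SHA-256) using the secret's scope label, such as
// "namespace/name", as the OAEP label; the value is then AES-256-GCM encrypted.
// Layout: 2-byte big-endian RSA ciphertext length || RSA ciphertext || GCM ciphertext.
func Seal(pub *rsa.PublicKey, plaintext, label []byte) ([]byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(sessionKey)
	gcm, _ := cipher.NewGCM(block)
	out := make([]byte, 2, 2+len(wrapped))
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	// The session key is never reused, so a fixed all-zero nonce is acceptable.
	return gcm.Seal(out, make([]byte, gcm.NonceSize()), plaintext, nil), nil
}

// Unseal is what the in-cluster controller does with its private key. A wrong
// label makes OAEP unwrapping fail, binding the SealedSecret to its namespace/name.
func Unseal(priv *rsa.PrivateKey, ciphertext, label []byte) ([]byte, error) {
	if len(ciphertext) < 2 || len(ciphertext) < 2+int(binary.BigEndian.Uint16(ciphertext)) {
		return nil, errors.New("malformed sealed value")
	}
	n := int(binary.BigEndian.Uint16(ciphertext))
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext[2:2+n], label)
	if err != nil {
		return nil, errors.New("unwrap failed: wrong private key or scope label")
	}
	block, _ := aes.NewCipher(sessionKey)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), ciphertext[2+n:], nil)
}
```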
Benefits of Sealed Secrets
Enhanced Security: Sensitive data is encrypted and only decrypted within the cluster.
GitOps Friendly: Encrypted secrets can be safely stored in Git repositories.
Automation: Works seamlessly with CI/CD pipelines for automated deployments.
Use Cases
Storing database credentials, API keys, or TLS certificates in Git.
Securing sensitive data in multi-environment setups (e.g., dev, staging, production).
Enabling secure collaboration in teams by sharing encrypted secrets.
Example: Using Sealed Secrets
Step 1: Install Sealed Secrets Controller
Deploy the Sealed Secrets controller in your Kubernetes cluster:
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.20.5/controller.yaml
Step 2: Generate a Kubernetes Secret
Create a standard Kubernetes Secret (e.g., my-secret.yaml):
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: dXNlcm5hbWU= # base64-encoded "username"
  password: cGFzc3dvcmQ= # base64-encoded "password"
Step 3: Encrypt the Secret into a SealedSecret
Use the kubeseal CLI to encrypt the Secret:
kubeseal -f my-secret.yaml -o yaml > sealed-secret.yaml
The resulting sealed-secret.yaml contains only ciphertext:
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: my-secret
spec:
  encryptedData:
    username: AgBy3i4OJSWK+…
    password: BgBy3i4OJSWK+…
Step 4: Apply the SealedSecret to the Cluster
Apply the SealedSecret to your Kubernetes cluster:
kubectl apply -f sealed-secret.yaml
Step 5: Verify the Secret
The Sealed Secrets controller will decrypt the SealedSecret and create a standard Kubernetes Secret:
kubectl get secret my-secret -o yaml
You can learn more about Sealed Secrets from the official GitHub repository.
Slapping a UI for better Interactivity
In the steps above, secrets are sealed through the CLI. If, like me, you would rather not use the CLI all the time, the good news is that there is a web UI for it. Sealed Secrets Web is a web-based interface for Bitnami’s Sealed Secrets, designed to simplify the management of Kubernetes secrets. It allows users to encode and decode secret data, load existing Sealed Secrets, and create new ones without requiring direct cluster access via kubectl. The interface uses the Sealed Secrets service API to encrypt secrets. Key features include Base64 encoding of keys in the stringData field and decoding of keys in the data field, listing all Sealed Secrets across namespaces with the ability to view decrypted secrets, encrypting Kubernetes secrets to generate Sealed Secrets, and validating Sealed Secrets for correctness. The tool is installed inside the Kubernetes cluster, letting developers manage secrets efficiently and securely. Because the UI can display decrypted values, access to it must be restricted as tightly as access to the underlying Secrets.
How to Install Sealed Secrets Web
To install Sealed Secrets Web, run the following commands:
helm repo add bakito https://charts.bakito.net
helm repo update
helm upgrade --install sealed-secrets-web bakito/sealed-secrets-web
You can learn more about Sealed Secrets Web from the official GitHub repository.
Conclusion
Sealed Secrets is another way to manage secrets and sensitive credentials in Kubernetes. It keeps the secrets protected even when they are stored in a GitHub repository, where storing plaintext secrets is normally bad practice. Having a UI on top of Sealed Secrets is the cherry on top: it gives you the option of using the UI if you do not fancy the CLI for secret generation.
If S3 is used to store the encrypted secrets, how do you ensure the S3 bucket itself is secured? Follow these essential tips to secure your S3 bucket and the objects in it.