Poc-sealed-secrets - An alternative to store sensitive data in the template Secrets Kubernetes an encrypted way

Related tags

App poc-sealed-secrets

Overview

POC Sealed Secrets

Overview

Proof of concept with the objective of showing an alternative to store sensitive data in the template Secrets Kubernetes an encrypted way, so that we can leave it recorded inside some git repository (github, gitlab etc).

Problem

We can't expose sensitive data just encoded in our git repositories.

Solution

Encrypt the sensitive data contained in the template secret Kubernetes using SealedSecret.
"The SealedSecret can be decrypted only by the controller running in the target cluster and nobody else (not even the original author) is able to obtain the original Secret from the SealedSecret."

Requirements

Testing

Create a cluster with registry:

$ make create-cluster-with-registry

Check the status of the cluster and registry:

$ docker ps

Expected:

CONTAINER ID        IMAGE                  COMMAND                  CREATED             STATUS              PORTS                       NAMES
fca935967b37        kindest/node:v1.19.1   "/usr/local/bin/entr…"   11 hours ago        Up 6 hours          127.0.0.1:33087->6443/tcp   kind-control-plane
17ef425d81a6        registry:2             "/entrypoint.sh /etc…"   11 hours ago        Up 6 hours          127.0.0.1:5000->5000/tcp    kind-registry

Install the Custom Controller and CRD (Custom Resource Definition) for SealedSecret:

$ make install-controller-kubeseal

Check the status of the controller pod:

$ kubectl get pods -n kube-system | grep sealed-secrets-controller

Expected:

sealed-secrets-controller-5556b8c9bd-wt95s   1/1     Running   1          10h

Create SealedSecret YAML manifests with Kubeseal:

Use the template /tools/basesecret.yaml with example.

make create-secrets-kubeseal

Expected type:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: poc-sealed-secrets
  namespace: default
spec:
  encryptedData:
    application.yaml: AgAV97KIg5vkhdCa5fGvmvVrkGyIHXh25ULDdwiL6E7p3SoCb15m8VaiMhqO0bjnrC2bnQHjaR4qe6oCwOx8OnoIyxoQYTMrHCFnhf8XAmxdUTS3O1LgZm6sdSnZ7GkgKc017NvlKKmOwxDuk9bK+uu1kEhCickK61FkGXULeJMgVWl74y2NhH1CY142LoSX5WylVFjCKV6qJd3EKDP0V5SqOpDFkFKaSOI5xxXmF8CGtgj7sGmaFYf63y1oHBG6HWNEenz2wFlQPGpDPBwLsRZo7I1WjWj6R0GDnJTjVzibok6HMxpU+6oxtFE+Bfx36h+oy9ncPneYGjJLU0J7poqlVVVmNV93pNsr6FjA+LZqEXbuVIbvbx7DdDz3+IoqteYm6tSV4ylbUUaNsj5aR0hNrfGkJubzQA2PmgtT8I/JEaAvv3rj6Q0G+4xSLIzv+T5NlttNul2NL4x5HImFZXosIgtp6IJlMs47G31Xhvku65e4liKr0nYO4H/BXWig1EWdXs0JIk8pKwGvCLFQ+FtoHbSNJUFaGWImi9k2WMK49K6593eNHDKe/biUut+NLAe47O5/mKu5l1aPsGZTQZ6+tGzlFg68xE1YFJ2DfvVBsiGmNfGazTncW+eC/wpbhs66gd5HOohfn98K4jDyxg4DY2fBKsU0H+5WcjAP/nbe6JZGkbLWHK06vGRqX9XNN3w3glNkdTLHOxzif/gXXH3GIs7XhDE39iQ7V8oU5y7a7GDy
  template:
    data: null
    metadata:
      creationTimestamp: null
      name: poc-sealed-secrets
      namespace: default
    type: Opaque

Build poc and generate image:

$ make docker-build

Push image a local registry:

$ make docker-push

Create deployment

$ make create-deployment

Check deployment:

$ kubectl get pods

Expected:

NAME                                  READY   STATUS    RESTARTS   AGE
poc-sealed-secrets-6b8784df75-xwxbn   1/1     Running   0          5h30m

Test decryption:

kubectl logs poc-sealed-secrets-6b8784df75-xwxbn

Expected:

 __  __ _                                  _   
|  \/  (_) ___ _ __ ___  _ __   __ _ _   _| |_ 
| |\/| | |/ __| '__/ _ \| '_ \ / _` | | | | __|
| |  | | | (__| | | (_) | | | | (_| | |_| | |_ 
|_|  |_|_|\___|_|  \___/|_| |_|\__,_|\__,_|\__|
  Micronaut (v2.5.13)

18:27:12.634 [main] INFO  i.m.context.env.DefaultEnvironment - Established active environments: [k8s, cloud]
18:27:13.303 [main] INFO  com.example.POCSealedSecrets - [com.example.POCSealedSecrets] - sensitive data: data encrypted
18:27:13.304 [main] INFO  io.micronaut.runtime.Micronaut - Startup completed in 747ms. Server Running: http://poc-sealed-secrets-6b8784df75-xwxbn:8080

References

Sealed Secrets Github

You might also like...

AptiBit is an android application that uses Firebase firestore to store the questions and categorize different types of aptitude questions into their categories

AptiBit is an android application that uses Firebase firestore to store the questions and categorize different types of aptitude questions into their categories. It also uses firebase authentication service that allows you to sign in to the app using your custom credentials.

3 Jun 13, 2022

COVID-19 Check-in solution for store using a safe number based on MVVM model.

wave-in-listener English version : README_EN.md wave-in-listener 는 매장에 방문한 고객의 개인안심번호를 음파통신을 이용해 수신할 수 있는 앱입니다. 이 앱은 wave-in-speaker 앱과 함께 사용됩니다. wave

14 Jul 25, 2022

Application that shows a store's phone inventory

PhoneInventory Application that shows a store's phone inventory The Basics A basic inventory application that shows a store's inventory. Tech Kotlin 1

0 Nov 3, 2021

You can store all your password, bank details, card details in one place and remember only one master PIN. The application works totally offline.

Keep Password An application where you can store all your password, bank details, card details in one place and remember only one master PIN. The appl

4 Apr 18, 2022

It is an Android app that uses an SQLite database to store an inventory of products

A project completed for a Udacity course. It is an Android app that uses an SQLite database to store an inventory of products. Each product’s name, price, quantity available, supplier, and picture are tracked. The main screen lists all products in a list and provides a button to add a new product. Clicking on a product shows a detailed view for that product. Options to modify or delete the product are available in this detailed view.