

6.2 Secret Sealing

Until this point, we have a fully-featured and complete pipeline solution that integrates CI/CD, GitOps, IaC and container orchestration, both on-premise and cloud-based. However, there is a specific type of resource that we have not covered yet: secrets.

Traditionally, Kubernetes Secrets are stored in plaintext within the cluster, which poses a security risk if unauthorized access occurs. Bitnami Sealed Secrets addresses this concern with asymmetric encryption: each secret value is encrypted under a fresh AES-GCM session key, and that key is in turn wrapped with the cluster controller’s RSA public key, so the encrypted form can be stored both in the cluster and in the Git repositories.

This new ‘SealedSecret’ custom resource is safe to share publicly: only the controller running inside the cluster holds the private key needed to decrypt it and recover the original ‘Secret’. The implementation consists of two key steps:

Creation of a ‘Secret’ sample for demonstration purposes. This example, rendered as a YAML file rather than applied to the cluster, contains the single key ‘foo’ with the value ‘bar’.

$ echo -n "bar" | kubectl create secret generic example --from-file=foo=/dev/stdin --dry-run=client -o yaml > example.yaml

apiVersion: v1
kind: Secret
metadata:
  name: example
  creationTimestamp: null
data:
  foo: YmFy

As seen, the values of all keys in the data field are base64-encoded strings (by default). Base64 is an encoding, not encryption, so this provides no confidentiality at all: anyone who can read the file recovers the original value, which makes it unsuitable to manage from a repository.

Encryption of the secret using the cluster controller’s public key. Like the previous ‘kubectl’ command, the ‘kubeseal’ tool uses the default cluster configured on the system we are running the command on, from which it fetches the controller’s public key before sealing.

$ kubeseal -o yaml < example.yaml > example.enc.yaml

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: example
  creationTimestamp: null
spec:
  template:
    metadata:
      name: example
      namespace: default
      creationTimestamp: null
  encryptedData:
    foo: <ENCRYPTED-AES-GCM>
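The hybrid scheme described above, as an added Go illustration that is not code from the Sealed Secrets project: a per-value AES-256-GCM session key is wrapped with RSA-OAEP under the controller’s public key, and the OAEP label binds the sealed value to its scope (here ‘namespace/name’), so the controller only recovers it for the intended ‘Secret’. ‘ControllerKey’, ‘Seal’ and ‘Unseal’ are names chosen here, and the byte layout (2-byte length prefix, wrapped key, GCM ciphertext) is an assumption about the controller’s format, so treat the output as illustrative rather than interchangeable with real ‘kubeseal’ output.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

var ControllerKey, _ = rsa.GenerateKey(rand.Reader, 2048) // stand-in for the controller's key pair

// Seal wraps a fresh AES-256-GCM session key with RSA-OAEP under the controller's public key; the OAEP label binds the scope.
func Seal(pub *rsa.PublicKey, value []byte, label string) ([]byte, error) {
	session := make([]byte, 32)
	if _, err := rand.Read(session); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, session, []byte(label))
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(session)
	gcm, _ := cipher.NewGCM(block)
	out := append([]byte{byte(len(wrapped) >> 8), byte(len(wrapped))}, wrapped...) // 2-byte length prefix + wrapped key
	return gcm.Seal(out, make([]byte, gcm.NonceSize()), value, nil), nil        // zero nonce: the key is used once
}

// Unseal is the controller-side step: it needs the private key and the same scope label.
func Unseal(priv *rsa.PrivateKey, sealed []byte, label string) ([]byte, error) {
	if len(sealed) < 2 || len(sealed) < 2+int(binary.BigEndian.Uint16(sealed)) {
		return nil, fmt.Errorf("sealed value truncated")
	}
	n := int(binary.BigEndian.Uint16(sealed))
	session, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealed[2:2+n], []byte(label))
	if err != nil {
		return nil, fmt.Errorf("unwrap session key (wrong key or scope label): %w", err)
	}
	block, _ := aes.NewCipher(session)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), sealed[2+n:], nil)
}

func main() {
	sealed, _ := Seal(&ControllerKey.PublicKey, []byte("bar"), "default/example")
	plain, err := Unseal(ControllerKey, sealed, "default/example")
	fmt.Printf("sealed %d bytes; unsealed %q (err=%v)\n", len(sealed), plain, err)
}
```

Unsealing under another scope label or with a modified ciphertext fails, which is the property that makes the sealed form safe to commit.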

With this simple but effective approach, we have the last component of the Pronghorn pipeline, which is now capable of managing everything, secrets included, through Git repositories in an automated way.

