I just came across the sealed secrets tool https://github.com/bitnami-labs/sealed-secrets for encrypting secrets in Kubernetes, with the added benefit of being able to commit those to Git.
I am a bit disappointed that such a great tool did not address Helm templates by default or as part of the official documentation. I mean, for a tool like that, I am not sure if the developers thought of the different ways people use secrets, of which Helm charts are a great one, where we use values template files for different environments.
Anyway, here is my setup:
secrets.yaml

---
apiVersion: v1
kind: Secret
metadata:
  name: demo-app
type: Opaque
data:
  ENV1: "{{ .Values.ENV1 | b64enc }}"
  ENV2: "{{ .Values.ENV2 | b64enc }}"
  ENV3: "{{ .Values.ENV3 | b64enc }}"

Here are the values template files for DEV and PROD, for example:
values-dev.yaml

demo-app:
  name: demo-app
  replicaCount: 1
  image:
    repository: example/demo-app
    tag: latest
    pullPolicy: Always
# secrets
ENV1: 'dev_4rlmerl4om3o'
ENV2: 'dev_eom4om4odl4o'
ENV3: 'dev_38hdineoij4oj3onod4ncen3eiixnknnkejnslrmnomntrcoenkc'

values-prod.yaml

demo-app:
  name: demo-app
  replicaCount: 1
  image:
    repository: example/demo-app
    tag: 1.0.0
    pullPolicy: Always
# secrets
ENV1: 'prod_4rlmerl4om3o'
ENV2: 'prod_eom4om4odl4o'
ENV3: 'prod_38hdineoij4oj3onod4ncen3eiixnknnkejnslrmnomntrcoenkc'

Here is how I deploy the application:
DEV
helm upgrade --install demo-app-dev --namespace team1 -f values-dev.yaml .
PROD
helm upgrade --install demo-app-prod --namespace team1 -f values-prod.yaml .
I am trying to use sealed secrets with this scenario but am not able to figure out how to without changing my whole structure completely.

You can generate the values_{ENV}.yaml dynamically rather than maintaining it, and you can delete it after the deployments. So the next CI/CD build will generate the same for different apps.

If you want to use sealed secrets with Helm, you need to update the Helm chart and create one new YAML template:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
  namespace: mynamespace
spec:
  encryptedData:
    foo: "{{ .Values.ENV1 }}"

So the template will create the sealed secret from values.yaml, and the K8s secret will get auto-created, as mentioned in the documentation of sealed secrets.
For a different environment, you can generate the values_{ENV}.yaml file. Use it as you are doing now with values-dev.yaml and values-prod.yaml.
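
One way to generate the values_{ENV}.yaml described in the answers above, as an added example that is not part of the original posts: a shell function that seals each value with `kubeseal --raw` and prints top-level keys the SealedSecret template can reference as `.Values.ENV1`. The KEY=VALUE input format, the certificate file and the function name `seal_values` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original posts). Assumptions: plaintext arrives as
# KEY=VALUE lines on stdin, e.g. exported from a CI secret store, and CERT_FILE
# holds the sealed-secrets controller's public certificate.
#
# Usage: seal_values SECRET_NAME NAMESPACE CERT_FILE < plain.env > values-dev.yaml
seal_values() (
  name=$1 namespace=$2 cert=$3
  if [ -z "$name" ] || [ -z "$namespace" ] || [ -z "$cert" ]; then
    echo "usage: seal_values SECRET_NAME NAMESPACE CERT_FILE" >&2
    exit 2
  fi
  echo "# ciphertext only, generated for $namespace/$name"
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac      # skip blanks and comments
    # Reject malformed input without echoing it, since it may hold a secret.
    case $line in *=*) ;; *) echo "not KEY=VALUE: input rejected" >&2; exit 1 ;; esac
    key=${line%%=*}      # text before the first '='
    value=${line#*=}     # everything after it, later '=' included
    case $key in
      ''|*[!A-Za-z0-9_.-]*) echo "invalid key: $key" >&2; exit 1 ;;
    esac
    # printf '%s' avoids sealing a trailing newline into the secret.
    sealed=$(printf '%s' "$value" | kubeseal --raw --cert "$cert" \
      --namespace "$namespace" --name "$name" --from-file=/dev/stdin) || exit 1
    [ -n "$sealed" ] || { echo "empty ciphertext for $key" >&2; exit 1; }
    printf '%s: "%s"\n' "$key" "$sealed"
  done
)
```

With kubeseal's default strict scope the ciphertext is bound to the secret name and namespace passed here, so they must match `metadata.name` and `metadata.namespace` in the SealedSecret template.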