Responsible: #DevOps
This plugin is used to generate sealed secrets out of secrets. It supports template files with vault paths. This way, you can store both the template and their rendered representation in git.
For Development see the development section
- We are using the
kubesealbinary and expect it to be installed. - go version at least 1.17
helm plugin install https://github.com/actano/helm-sealed-secretsNAME:
helm-sealed-secrets - Seal your secrets
USAGE:
helm-sealed-secrets [global options] command [command options] [arguments...]
VERSION:
X.X.X
COMMANDS:
enc encrypt a secret template into a sealed secret
enc-dir encrypt all secret templates in a directory structure
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--config-file value Config file to configure the other flags (default: ".sealed-secrets.yaml")
--vault.token-file value Location of the vault token file (default: "~/.vault-token")
--vault.address value Vault API endpoint [$VAULT_ADDR]
--sealed-secrets.public-key value Path to a file which contains the public key for sealing the secrets.
--sealed-secrets.controller-namespace value The namespace in which the sealed secrets controller runs. Only used if the sealed-secrets.public-key flag is not set.
--help, -h show help
--version, -v print the version
The following options may also be defined via a config file in YAML format:
vault.addresssealed-secrets.public-keysealed-secrets.controller-namespace
The path to the config file can be specified with the global --config-file flag and defaults to .sealed-secrets.yaml in the current working directory.
Example config YAML:
vault:
address: https://vault.example.com
sealed-secrets:
# controller-namespace: sealed-secrets
public-key: cert.pemRead these examples to see how the plugin works.
Single file
helm sealed-secrets enc secret-templates/releases/allex-calendar/calendar-postgres-credentials.template.yaml kubernetes-resources/releases/allex-calendar/calendar-postgres-credentials.sealed.yamlReseal all secrets (usually this is not what you want)
helm sealed-secrets enc-dir secret-templates kubernetes-resourcesSpecify a secret template my-secret.template.yaml.
apiVersion: v1
kind: Secret
metadata:
name: my-secret-name
namespace: dev
type: Opaque
data:
username: {{ vault "secret/myservice/admin-user" "username" }}
password: {{ vault "secret/myservice/admin-user" "password" }}Executing
helm sealed-secrets enc my-secret.template.yaml my-secret.yamlgives you a file my-secret.yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: my-secret-name
namespace: dev
spec:
encryptedData:
username: 7tgrVWorKLqoZc...
password: LbeaMTWxTpWAKD...The names of your secret templates must match the pattern <name>.template.yaml.
Given this file structure
โโโ secret-templates
ย ย โโโ releases
ย ย โโโ dev
ย ย โย ย โโโ my-secret.template.yaml
ย ย โโโ prod
ย ย โโโ my-secret.template.yaml
Executing
helm sealed-secrets --vault.token-file /Users/myuser/.vault-token enc-dir ./secret-templates ./secret-sealedwill create the folder structure below ./secret-sealed and write the sealed secrets in the corresponding folders as <name>.sealed.yaml.
โโโ secret-sealed
ย ย โโโ releases
ย ย โโโ dev
ย ย โย ย โโโ my-secret.sealed.yaml
ย ย โโโ prod
ย ย โโโ my-secret.sealed.yaml
This plugin is open source & built by travis.
- Deploying a new version (only needed if the go code changed):
./set_version.sh 0.16.5(this creates a new version and tags it)git push --tags && git push
The deployment uses github releases as defined in ./travis.yml.
The deployment token is created as documented in here.
Recreate the token:
- create a token in your github account with 'global_repos' permission
travis encrypt -r actano/helm-sealed-secrets --com- enter the token
- Replace the api_token content with the resulting string