Sealed Secrets is a Kubernetes operator from Bitnami that encrypts Secrets into SealedSecret resources which only the in-cluster controller can decrypt, so they can be safely checked into GitHub or any other VCS. It is rather easy to install and use Sealed Secrets in a Kubernetes cluster on the AMD64 architecture, but not so on my Raspberry Pi cluster.
First, the container image for the sealed-secrets-controller wasn't built for the ARM architecture. I managed to build it on my Raspberry Pi 2 with the following commands:
git clone https://github.com/bitnami-labs/sealed-secrets.git
cd sealed-secrets
# golang build tools are needed here
make controller.image
# you can tag it to your docker registry instead of mine
docker tag quay.io/bitnami/sealed-secrets-controller:latest raynix/sealed-secrets-controller-arm:latest
docker push raynix/sealed-secrets-controller-arm
The next step is to use kustomize to override the default sealed-secrets deployment so that it uses my newly built container image that runs on ARM:
# kustomization.yaml
# controller.yaml is from https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.9.7/controller.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: sealed-secrets
images:
  - name: quay.io/bitnami/sealed-secrets-controller
    newName: raynix/sealed-secrets-controller-arm
    newTag: latest
patchesStrategicMerge:
  - patch.yaml
resources:
  - controller.yaml
  - ns.yaml

# ns.yaml
# I'd like to install the controller into its own namespace
apiVersion: v1
kind: Namespace
metadata:
  name: sealed-secrets

# patch.yaml
# apparently the controller running on Raspberry Pi 4 needs more time to initialize
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sealed-secrets-controller
spec:
  template:
    spec:
      containers:
        - name: sealed-secrets-controller
          readinessProbe:
            initialDelaySeconds: 100
Then the controller can be deployed with the command kubectl apply -k .
The CLI installation is much easier on a Linux laptop. After kubeseal is installed, the public key used to encrypt secrets can be fetched from the controller deployed above. Since I installed the controller in its own namespace, sealed-secrets, instead of the default kube-system, the command to encrypt secrets is a bit different:
# on kubectl older than 1.18 use the bare --dry-run flag instead of --dry-run=client
kubectl create secret generic test-secret --from-literal=username=admin --from-literal=password=password --dry-run=client -o yaml | \
  kubeseal --controller-namespace=sealed-secrets -o yaml > sealed-secrets.yaml
Then the generated file sealed-secrets.yaml can be deployed with kubectl apply -f sealed-secrets.yaml, and a secret called test-secret will be created. Now feel free to check sealed-secrets.yaml into a public GitHub repository! 🙂
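The one thing worth guarding against before pushing such a file is committing the unsealed Secret by mistake (the kubectl --dry-run output is still plaintext, only base64-encoded). The following pre-commit check is an added example, not part of the sealed-secrets project; the sample manifests are constructed and their ciphertext values are made up.

```shell
#!/bin/sh
# check_sealed: pre-commit guard for a manifest produced by kubeseal (added
# example, not part of the sealed-secrets project). It accepts only a SealedSecret
# whose spec.encryptedData entries all carry ciphertext and rejects anything that
# still looks like a plain Secret (a data: or stringData: field).
check_sealed() {
  f="$1"
  grep -Eq '^kind: SealedSecret[[:space:]]*$' "$f" \
    || { echo "$f: kind is not SealedSecret" >&2; return 1; }
  if grep -Eq '^[[:space:]]*(data|stringData):' "$f"; then
    echo "$f: still carries plaintext data/stringData fields" >&2; return 1
  fi
  # Walk the encryptedData block: every line in it must be "key: <base64>".
  n=$(awk '
    /^[[:space:]]*$/ { next }
    /^[[:space:]]*encryptedData:/ { inblk = 1; indent = match($0, /[^ ]/); next }
    inblk && match($0, /[^ ]/) <= indent { inblk = 0 }
    inblk { if ($0 ~ /^[[:space:]]*[A-Za-z0-9_.-]+:[[:space:]]*[A-Za-z0-9+\/=]+[[:space:]]*$/) ok++; else bad++ }
    END { if (ok == 0 || bad > 0) exit 1; print ok }' "$f") \
    || { echo "$f: encryptedData missing, empty or malformed" >&2; return 1; }
  echo "$f: $n sealed key(s) look good"
}

# Constructed samples (not real kubeseal output; the ciphertext values are made up).
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: test-secret
  namespace: default
spec:
  encryptedData:
    password: AgBQx7f3MADEUP+CIPHERTEXT/ONLY==
    username: AgCk9MADEUPciphertext0123456789AB
  template: {}
EOF
cat > "$BAD" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
data:
  password: cGFzc3dvcmQ=
  username: YWRtaW4=
EOF
check_sealed "$GOOD"
check_sealed "$BAD" || echo "rejected as expected: do not commit $BAD"
```

Wire check_sealed into a git pre-commit hook over every staged *.yaml and the plaintext Secret never reaches the public repository.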