Sealed Secrets is a Bitnami Kubernetes operator that encrypts secrets into SealedSecret resources with the controller's public key, so that only the controller in the cluster can decrypt them and the sealed files can be safely checked in to GitHub or another VCS. It's rather easy to install and use Sealed Secrets in a Kubernetes cluster on AMD64, but not so on my Raspberry Pi cluster.
First, the container image for the sealed-secrets-controller wasn't built for the ARM architecture. I managed to build it on my Raspberry Pi 2 with the following commands:
git clone https://github.com/bitnami-labs/sealed-secrets.git
cd sealed-secrets
# golang build tools are needed here
make controller.image
# you can tag it to your docker registry instead of mine
docker tag quay.io/bitnami/sealed-secrets-controller:latest raynix/sealed-secrets-controller-arm:latest
docker push raynix/sealed-secrets-controller-arm
The next step is to use kustomize to override the default sealed-secrets deployment manifest so that it uses my newly built container image, which runs on ARM:
# kustomization.yaml
# controller.yaml is from https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.9.7/controller.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: sealed-secrets
images:
- name: quay.io/bitnami/sealed-secrets-controller
  newName: raynix/sealed-secrets-controller-arm
  newTag: latest
patchesStrategicMerge:
- patch.yaml
resources:
- controller.yaml
- ns.yaml
# ns.yaml
# I'd like to install the controller into its own namespace
apiVersion: v1
kind: Namespace
metadata:
  name: sealed-secrets
# patch.yaml
# apparently the controller running on Raspberry Pi 4 needs more time to initialize
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sealed-secrets-controller
spec:
  template:
    spec:
      containers:
      - name: sealed-secrets-controller
        readinessProbe:
          initialDelaySeconds: 100
Then the controller can be deployed with kubectl apply -k .
The CLI installation is much easier on a Linux laptop. Once kubeseal is installed, the public key used to encrypt secrets is fetched from the controller deployed above. Since I installed the controller in its own namespace sealed-secrets instead of the default kube-system, the command to encrypt secrets is a bit different:
kubectl create secret generic test-secret --from-literal=username=admin --from-literal=password=password --dry-run -o yaml | \
  kubeseal --controller-namespace=sealed-secrets -o yaml > sealed-secrets.yaml
The generated file sealed-secrets.yaml can then be deployed with kubectl apply -f sealed-secrets.yaml, and a secret called test-secret will be created in the cluster. Now feel free to check sealed-secrets.yaml in to a public GitHub repository! 🙂
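As an added example (not from the original post), here is a small pre-commit check for that last step: it confirms that sealed-secrets.yaml really is a SealedSecret and that the base64 values kubectl would have written are absent, so a kubeseal step that fails in the pipeline cannot silently leave the plaintext Secret in the file that goes to a public repository. The ciphertext in the sample file is a constructed placeholder, not real kubeseal output.

```shell
# Added check, not part of the original post: guards against committing the
# plaintext --dry-run Secret when the kubeseal half of the pipeline fails.
# Usage: check_sealed FILE [plaintext-value ...]; returns 0 only when FILE holds
# a SealedSecret with no data:/stringData: block and none of the values in base64.
check_sealed() {
    f="$1"; shift
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    # kubectl writes values under data: (base64) or stringData:; kubeseal under encryptedData:
    if grep -Eq '^kind: *Secret *$' "$f" || grep -Eq '^ *(data|stringData):' "$f"; then
        echo "$f contains an unsealed Secret" >&2; return 1
    fi
    grep -Eq '^kind: *SealedSecret *$' "$f" || { echo "$f is not a SealedSecret" >&2; return 1; }
    grep -Eq '^ *encryptedData:' "$f" || { echo "$f has no encryptedData" >&2; return 1; }
    # Look for the base64 form kubectl uses (the raw form would false-positive on key names such as "password")
    for v in "$@"; do
        b64=$(printf '%s' "$v" | base64 | tr -d '\n')
        grep -Fq -- "$b64" "$f" && { echo "$f leaks a plaintext value" >&2; return 1; }
    done
    return 0
}

# Constructed samples (placeholder ciphertext): what kubeseal emits for the
# test-secret above, and what reaches the file if kubeseal is skipped.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/sealed.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: test-secret
  namespace: default
spec:
  encryptedData:
    password: AgBxCONSTRUCTEDCIPHERTEXTNOTREAL
    username: AgByCONSTRUCTEDCIPHERTEXTNOTREAL
EOF
    cat > "$d/plain.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
data:
  password: cGFzc3dvcmQ=
  username: YWRtaW4=
EOF
    echo "$d"
}
```

Run check_sealed sealed-secrets.yaml admin password from a git pre-commit hook and abort the commit on a non-zero exit.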