4

So I have this manifest in my project:

apiVersion: v1
kind: Secret
metadata:
  name: cambiotoday-secret-key
  namespace: default
type: Opaque
stringData:
  ct-key: <my_third_party_service_key>
---

# The rest of it, deployment and service.
...

And I'm looking for a way to push this manifest into my git repository without publishing the actual key in it.

I'm using Skaffold to build my Kubernetes application.

According to the K8S documentation:

If your application uses the following configuration file:

apiUrl: "https://my.api.com/api/v1"
username: "user"
password: "password"

You could store this in a Secret using the following:

apiVersion: v1
kind: Secret
metadata:
 name: mysecret
type: Opaque
stringData:
  config.yaml: |-
    apiUrl: "https://my.api.com/api/v1"
    username: {{username}}
    password: {{password}}

Your deployment tool could then replace the {{username}} and {{password}} template variables before running kubectl apply.

What deployment tools? That looks like exactly what I need but I don't know how to set it up.

RottenCheese
  • Through Git you can ignore files which you do not want to be pushed, in the .gitignore file – Raman Sharma Dec 05 '19 at 21:29
  • Yes, I know that. I'd add that configuration file to my .gitignore so it doesn't get pushed to the remote repository. What I'm trying to achieve is that decoupling. How do I tell kubectl (or Skaffold or whatever): "Yo, change these variables in the manifest before submitting the changes to the cluster." – RottenCheese Dec 05 '19 at 21:36

4 Answers

3

Have a look at sealed-secrets, it allows you to put an encrypted version of your secrets in Git.

As for deployment tools that allow you to template your YAML, have a look at Helm, Kustomize or many of the other similar tools. If that doesn't work for you, a little bit of scripting should get you there as well.

Niels Slot
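The "little bit of scripting" route above, which is also the "replace the {{username}} and {{password}} template variables before running kubectl apply" step from the Kubernetes docs quoted in the question, as an added example that is not part of this answer, the question, Skaffold or the Kubernetes docs. It assumes the {{NAME}} placeholder syntax from the quoted docs, that each value is supplied through an environment variable of the same name (loaded from a gitignored file or a CI secret), and that values contain no newlines; the file names in the comments are made up for the demo.

```shell
#!/bin/sh
# Added example: a POSIX sh renderer that fills {{NAME}} placeholders in a
# Secret manifest from environment variables, then hands the result to
# kubectl apply. Not code from the question, the answer, Skaffold or
# Kubernetes; the {{NAME}} syntax and the env-var convention are assumptions.
set -eu

# render_template TEMPLATE_FILE
# Substitutes every {{NAME}} in the template with the value of $NAME and
# prints the result. Returns 1 (and prints nothing) if any placeholder has no
# matching environment variable, so a forgotten value can never reach the
# cluster as the literal string "{{NAME}}".
# Limitation: substitution is line by line, so a value containing a newline is
# not supported (put multi-line material in a separate file key instead).
render_template() {
    template="$1"
    rendered=$(cat "$template")

    # Distinct placeholder names in the template, e.g. "CT_KEY". The character
    # class restricts names to identifier characters; that is what makes the
    # `eval` below safe.
    names=$(grep -o '{{[A-Za-z_][A-Za-z0-9_]*}}' "$template" | tr -d '{}' | sort -u)

    for name in $names; do
        # Indirect expansion, e.g. value=${CT_KEY-__UNSET__}
        eval "value=\${$name-__UNSET__}"
        if [ "$value" = "__UNSET__" ]; then
            echo "render_template: no environment variable for {{$name}}" >&2
            return 1
        fi
        # Escape the characters that are special on the right-hand side of a
        # sed s/// replacement: slash, ampersand and backslash.
        escaped=$(printf '%s' "$value" | sed 's|[/&\\]|\\&|g')
        rendered=$(printf '%s\n' "$rendered" | sed "s/{{$name}}/$escaped/g")
    done
    printf '%s\n' "$rendered"
}

# Constructed sample: the question's manifest with the key replaced by a
# placeholder. This is the file that gets committed; the real key never
# appears in it.
write_sample_template() {
    cat > "$1" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: cambiotoday-secret-key
  namespace: default
type: Opaque
stringData:
  ct-key: {{CT_KEY}}
EOF
}

# Demo: render the sample with a throwaway value and print the manifest.
# Real use, with the value kept in a gitignored file or a CI secret:
#   set -a; . ./.secrets.env; set +a
#   render_template k8s/secret.tpl.yaml | kubectl apply -f -
main() {
    tmp=$(mktemp)
    write_sample_template "$tmp"
    CT_KEY='example-value-not-a-real-key' render_template "$tmp"
    rm -f "$tmp"
}

main
```

Commit the template and the script, keep the file that sets CT_KEY in .gitignore, and run the renderer before `skaffold run` or `kubectl apply`; with Skaffold, have skaffold.yaml deploy from the rendered (and also gitignored) output directory rather than from the template. The unset-variable check is the part worth keeping whatever tool you end up with: a template that silently renders with an empty or literal "{{CT_KEY}}" value still applies cleanly and only fails later, inside the application.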
2

There are some popular techniques to do this task:

  1. Sealed-secrets: Check here. You can encrypt your complete Secret YAML into a SealedSecret that is decrypted again at the Kubernetes cluster level, using the kubeseal tool. You can then commit the sealed secret to git or any SCM.

    It also has a lot of other features for better security, such as secret rotation and early key renewal (in case of compromise).

  2. Vault: Check here. This tool is available as a community edition as well as an enterprise edition. It includes a lot of other features.

  3. Kamus : Check here

and other tools.

If your requirement is not that large, Sealed Secrets would work for you.

  • Usage of Sealed Secret:
# Create a json/yaml-encoded Secret somehow:
# (note use of `--dry-run=client` - this is just a local file, nothing is
# sent to the cluster; older kubectl accepted a bare `--dry-run`)
$ echo -n bar | kubectl create secret generic mysecret --dry-run=client --from-file=foo=/dev/stdin -o json >mysecret.json

# This is the important bit. kubeseal encrypts with the public key it fetches
# from the sealed-secrets controller, so the controller must be installed in
# the cluster (or pass the certificate explicitly with --cert):
$ kubeseal <mysecret.json >mysealedsecret.json

# mysealedsecret.json is safe to upload to github, post to twitter,
# etc.  Eventually:
$ kubectl create -f mysealedsecret.json

# Profit! The controller has unsealed it into a regular Secret:
$ kubectl get secret mysecret

This way your secret is deployed, and you stored the encrypted JSON in git.

Umesh Kumhar
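A guard for the workflow this answer describes, added here as an example that is not part of the answer or of the sealed-secrets project: a git pre-commit hook that rejects a plaintext Secret, so that only SealedSecret objects (or placeholder templates) ever reach the repository. It assumes manifests are .yaml/.yml files, that Secret keys sit under a top-level data: or stringData: with YAML's usual indentation, and that a value of the form {{PLACEHOLDER}} is a template variable rather than a real value; the sample manifests and the ciphertext placeholder are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the answer or the sealed-secrets project): a git
# pre-commit guard that refuses to commit a plaintext Kubernetes Secret.
# Assumptions: manifests are .yaml/.yml files; Secret keys are listed under a
# top-level data: or stringData:; {{PLACEHOLDER}} values are template variables.
set -eu

# secret_is_plaintext FILE
# Returns 0 when FILE contains a document with `kind: Secret` whose data: or
# stringData: block carries at least one real value, i.e. a value that is
# neither a {{PLACEHOLDER}} nor the start of a block scalar (| or >).
# Returns 1 otherwise (no Secret, SealedSecret only, placeholders only).
# Deliberately conservative: any literal value under data:/stringData: counts,
# including nested keys inside a block scalar such as config.yaml.
secret_is_plaintext() {
    f="$1"
    grep -q '^kind: *Secret *$' "$f" || return 1
    awk '
        /^---/                { kind = ""; in_block = 0; next }  # next YAML document
        /^[^ ]/               { in_block = 0 }                   # top-level key ends the block
        /^kind:/              { kind = $2; next }
        /^(data|stringData):/ { in_block = (kind == "Secret"); next }
        in_block && /^ +[^ #][^:]*: *[^ ]/ {
            val = $0
            sub(/^ *[^:]*: */, "", val)
            if (val !~ /^\{\{[A-Za-z0-9_]+\}\}$/ && val !~ /^[|>][-+]?$/) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$f"
}

# Pre-commit entry point: check every staged YAML file (file names without
# spaces assumed) and block the commit if any of them is a plaintext Secret.
# Install: cp this-script .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
check_staged() {
    status=0
    for f in $(git diff --cached --name-only --diff-filter=AM -- '*.yaml' '*.yml'); do
        if secret_is_plaintext "$f"; then
            echo "pre-commit: $f is a plaintext Secret; seal it with kubeseal or use a template" >&2
            status=1
        fi
    done
    return "$status"
}

# Constructed samples for the demo (not real manifests, not real ciphertext).
write_plain_sample() {     # the question's manifest with a literal value, plus a 2nd document
    cat > "$1" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: cambiotoday-secret-key
  namespace: default
type: Opaque
stringData:
  ct-key: not-a-real-key-but-still-plaintext
---
apiVersion: apps/v1
kind: Deployment
EOF
}
write_template_sample() {  # same Secret with a {{PLACEHOLDER}}: safe to commit
    cat > "$1" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: cambiotoday-secret-key
stringData:
  ct-key: {{CT_KEY}}
EOF
}
write_sealed_sample() {    # shape of kubeseal output; ciphertext elided
    cat > "$1" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: cambiotoday-secret-key
spec:
  encryptedData:
    ct-key: <ciphertext written by kubeseal>
EOF
}

demo() {
    d=$(mktemp -d)
    write_plain_sample "$d/plain.yaml"
    write_template_sample "$d/template.yaml"
    write_sealed_sample "$d/sealed.yaml"
    for f in "$d"/plain.yaml "$d"/template.yaml "$d"/sealed.yaml; do
        if secret_is_plaintext "$f"; then echo "$f: plaintext Secret, would be rejected"
        else echo "$f: ok to commit"; fi
    done
    rm -rf "$d"
}

case "$0" in
    *pre-commit) check_staged ;;  # installed as .git/hooks/pre-commit
    *)           demo ;;          # run directly: exercise the constructed samples
esac
```

A local hook is only a convenience for the person who installed it; to make the check binding, run the same script in CI against the files changed in a pull request. It also does not catch a key that was already committed once, which is a history-rewrite and key-rotation job, not a hook job.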
0

I think a pretty neat way is to store your credentials (username/password/secret keys etc.) in a vault such as LastPass, which comes with a CLI and works really well with k8s. It also makes it easy to manage shared credentials in a team :) https://engineering.upside.com/synchronizing-kubernetes-secrets-with-lastpass-584d564ba176

julian
0

You can keep the encrypted password in secrets.yaml and push it to Git. https://github.com/mozilla/sops The master key used for encryption can come from AWS KMS, Azure KMS, GCP KMS and so on. This can help you deploy inside the appropriate cloud provider with ease.

Raj Rajen