0

I just came across the sealed secrets tool https://github.com/bitnami-labs/sealed-secrets for encrypting secrets in Kubernetes, with the added benefit of being able to commit those to Git.

I am a bit disappointed that such a great tool did not address Helm templates by default or as part of the official documentation. I mean, for a tool like that, I am not sure if the developers thought of the different ways people use secrets, of which Helm charts are a great one, where we use values template files for different environments.

Anyway, here is my setup:

secrets.yaml

```yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: demo-app
type: Opaque
data:
  ENV1: "{{ .Values.ENV1 | b64enc }}"
  ENV2: "{{ .Values.ENV2 | b64enc }}"
  ENV3: "{{ .Values.ENV3 | b64enc }}"
```

Here are the values template files for DEV and PROD, for example:

values-dev.yaml

```yaml
demo-app:
  name: demo-app
  replicaCount: 1
  image:
    repository: example/demo-app
    tag: latest
    pullPolicy: Always


# secrets
ENV1: 'dev_4rlmerl4om3o'
ENV2: 'dev_eom4om4odl4o'
ENV3: 'dev_38hdineoij4oj3onod4ncen3eiixnknnkejnslrmnomntrcoenkc'
```

values-prod.yaml

```yaml
demo-app:
  name: demo-app
  replicaCount: 1
  image:
    repository: example/demo-app
    tag: 1.0.0
    pullPolicy: Always


# secrets
ENV1: 'prod_4rlmerl4om3o'
ENV2: 'prod_eom4om4odl4o'
ENV3: 'prod_38hdineoij4oj3onod4ncen3eiixnknnkejnslrmnomntrcoenkc'
```

Here is how I deploy the application:

DEV

```shell
helm upgrade --install demo-app-dev --namespace team1 -f values-dev.yaml .
```

PROD

```shell
helm upgrade --install demo-app-prod --namespace team1 -f values-prod.yaml .
```

I am trying to use sealed secrets with this scenario but am not able to figure out how to do so without changing my whole structure completely.

uberrebu

2 Answers

0

You can generate the values_{ENV}.yaml dynamically rather than maintaining it, and then you can delete it after the deployments. This way, the next CI/CD build will generate the same for different apps.

Jeremy Caney
  • 1
    As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jan 19 '22 at 07:36
  • 1
    Can you [edit] your answer to offer an explanation of _how_ this can be dynamically generated? – Jeremy Caney Jan 19 '22 at 08:11
0

If you want to use sealed secrets with Helm, you need to update the Helm chart and create one new YAML template:

```yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
  namespace: mynamespace
spec:
  encryptedData:
    foo: "{{ .Values.ENV1 }}"
```

So the template will create the sealed secret from values.yaml, and the K8s secret will get auto-created as mentioned in the documentation of the sealed secrets.

For a different environment, you can generate the values_{ENV}.yaml file. Use it as you are doing now with values-dev.yaml and values-prod.yaml.

https://github.com/bitnami-labs/sealed-secrets#overview

Harsh Manvar
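
The two answers combined (a generated per-environment values file feeding a SealedSecret template), as an added example that is not part of the original posts or of the sealed-secrets project: each value is sealed with `kubeseal --raw` so that only ciphertext lands in the values file. The `sealed:` key, the `SEAL_CMD` override and the output file name are hypothetical, and kubeseal is assumed to be able to reach the controller's certificate.

```shell
#!/bin/sh
# Added example, not from the original posts. Emits a Helm values fragment that
# holds kubeseal ciphertext instead of plaintext secrets.
# Assumptions: kubeseal is on PATH and can reach the controller's certificate;
# the `sealed:` key and the SEAL_CMD override are hypothetical names.

# seal_value NAME NAMESPACE: plaintext on stdin, ciphertext on stdout.
# With kubeseal's default (strict) scope the ciphertext only decrypts for a
# SealedSecret with exactly this name and namespace.
seal_value() {
  if [ -n "${SEAL_CMD:-}" ]; then
    "$SEAL_CMD" "$1" "$2"   # injectable sealer, e.g. a stub for offline tests
  else
    kubeseal --raw --from-file=/dev/stdin --name "$1" --namespace "$2"
  fi
}

# gen_sealed_values NAME NAMESPACE KEY...
# Reads each KEY's plaintext from the shell variable of the same name (set by
# the CI secret store) and prints YAML; plaintext is piped, never written out.
gen_sealed_values() (
  name=$1 ns=$2
  shift 2
  echo "sealed:"
  for key in "$@"; do
    case $key in   # only plain identifiers may reach eval below
      ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid key: $key" >&2; exit 1 ;;
    esac
    eval "val=\${$key:-}"
    [ -n "$val" ] || { echo "no value set for $key" >&2; exit 1; }
    cipher=$(printf '%s' "$val" | seal_value "$name" "$ns") || exit 1
    printf '  %s: "%s"\n' "$key" "$cipher"
  done
)

# Usage in a pipeline step (ENV1..ENV3 provided by the CI system):
#   gen_sealed_values demo-app team1 ENV1 ENV2 ENV3 > values-dev.sealed.yaml
```

A SealedSecret template in the chart would then reference `{{ .Values.sealed.ENV1 }}` under `encryptedData`, with `metadata.name` and `metadata.namespace` matching the name and namespace used when sealing.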