Add Sealed Secrets installation guide and usage example (rackerlabs#152)

pratik705 · web-flow · commit 1635ade80648 · 2024-03-21T14:24:37.000-05:00
Added installation instructions for Sealed Secrets using Kustomize
along with example
diff --git a/.github/workflows/kustomize-sealed-secrets.yaml b/.github/workflows/kustomize-sealed-secrets.yaml
@@ -0,0 +1,37 @@
+name: Kustomize GitHub Actions for sealed-secrets
+
+on:
+  pull_request:
+    paths:
+      - kustomize/sealed-secrets/**
+      - .github/workflows/kustomize-sealed-secrets.yaml
+jobs:
+  kustomize:
+    strategy:
+      matrix:
+        overlays:
+          - base
+    name: Kustomize
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: azure/setup-helm@v3
+        with:
+          version: latest
+          token: "${{ secrets.GITHUB_TOKEN }}"
+        id: helm
+      - name: Kustomize Install
+        working-directory: /usr/local/bin/
+        run: |
+          if [ ! -f /usr/local/bin/kustomize ]; then
+            curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | sudo bash
+          fi
+      - name: Run Kustomize Build
+        run: |
+          kustomize build kustomize/sealed-secrets/${{ matrix.overlays }} --enable-helm --helm-command ${{ steps.helm.outputs.helm-path }} > /tmp/rendered.yaml
+      - name: Return Kustomize Build
+        uses: actions/upload-artifact@v2
+        with:
+          name: kustomize-sealed-secrets-artifact-${{ matrix.overlays }}
+          path: /tmp/rendered.yaml
diff --git a/docs/sealed-secrets.md b/docs/sealed-secrets.md
@@ -0,0 +1,76 @@
+# Sealed Secrets Introduction and Installation Guide
+
+
+Sealed Secrets is a Kubernetes-native solution for securely storing and managing sensitive information within Kubernetes Secrets. It ensures secure secret management by encrypting Kubernetes Secrets and storing them as SealedSecret resources, which can only be decrypted by the cluster itself.
+
+Sealed Secrets utilizes public-key cryptography to encrypt secrets, enabling safe storage in your version control system.
+
+
+## Installation
+
+``` shell
+cd kustomize/sealed-secrets/base
+```
+
+- Modify the `values.yaml` file with your desired configurations. Refer to the sample configuration in this directory, already updated for installation.
+
+``` shell
+vi values.yaml
+```
+
+- Perform the installation:
+
+``` shell
+kubectl  kustomize . --enable-helm | kubectl apply -f -
+```
+
+!!! note
+    Ensure to take a backup of the `sealed-secrets-keyxxxx` Kubernetes Secret from the sealed-secrets namespace, as it will be required for the restoration process if needed.
+
+```
+kubectl get secret -n sealed-secrets -l sealedsecrets.bitnami.com/sealed-secrets-key=active -o yaml  > sealed-secrets-key.yaml
+```
+
+## Usage Example:
+In this example, we will use Sealed Secrets to encrypt a Grafana certificate from Kubernetes Secret yaml file.
+
+### Encrypting Kubernetes Secret:
+- Kubernetes Secret yaml file containing Grafana certificate:
+```
+# cat grafana-cert.yaml
+apiVersion: v1
+data:
+  ca.crt:
+    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJjVENDQVJhZ0F3SUJBZ0lRYjBYbHp2d3JIWTd0MjNBREJ5Y2NnekFLQmdncWhrak9QUVFEQWpBWU1SWXcKRkFZRFZRUURFdzF5WVdOcmMzQmhZMlV1WTI5dE1CNFhEVEkwTURJeU5ERXdOVFExT0ZvWERUTTBNREl5TVRFdwpOVFExT0Zvd0dERVdNQlFHQTFVRUF4TU5jbUZqYTNOd1lXTmxMbU52YlRCWk1CTUdCeXFHU000OUFnRUdDQ3FHClNNNDlBd0VIQTBJQUJPd0owMU1ZTWw4MUNyV1dMODlQQkhvVG5telZCT2xRMkdMMDFTd2JjYXZQVmRCWnVHamIKeFlwR3VKVDd1UG5xdVp4eFZ4djhUSFlPcVVVL1ZYT2ZtdkNqUWpCQU1BNEdBMVVkRHdFQi93UUVBd0lDcERBUApCZ05WSFJNQkFmOEVCVEFEQVFIL01CMEdBMVVkRGdRV0JCUU5weXZnNk1CSWFnZENuOVR1ejZ3SkZDMVIvekFLCkJnZ3Foa2pPUFFRREFnTkpBREJHQWlFQTY5T25ScUZ5SHZQbjJkWFZ6YjBTVFRZY2UxUUZGUEphWXFVYnQrc2kKdG13Q0lRRDE2ODV0UDBKcnZRRnB6NVlPNFdYQ2xEQWxabTgxUWRwN1lWY0FJS1RhbWc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+  tls.crt:
+    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNUVENDQWZLZ0F3SUJBZ0lSQUxieTRuVUJoTWlvYkVTS01yVmwrbEl3Q2dZSUtvWkl6ajBFQXdJd0dERVcKTUJRR0ExVUVBeE1OY21GamEzTndZV05sTG1OdmJUQWVGdzB5TkRBek1UVXhNakk0TUROYUZ3MHlPVEF6TVRReApNakk0TUROYU1BQXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEUStvcVhlUVZWCmRSWkFWclM2ekZwMDlONXpDWUJRcS9HRjNNS1NyWnNkK3VNVlFXakIwcXlJcWJRdm9kL0N0NFhMdWx3a3UyWkIKQlg1MFN4NHJMVGhKQ3ExY2VIQ3lnRUZRa1gyekl6dlBkaCtTcFhWUnhMdzhHZW1ramZ5R3VXeVdydkVEa1cxKwpaM0dYOFc0ZzRZVkwyUEhSLzBIOWxSaVVhK2lYMmM0ZkJhVWoyTUQ3bkF6eWRKaEpneU5rQVZqUHFkRGpGay90CmdIS3pDTGhRTjd0d083ZzluU1UwdTJ1aWI4Z0FZeng0aHl1SWtwR3dCL3JNQkFWb0pxV3Y5eFFkVWd2S2w4a0EKbDFydngwaFlveWZETUprWVQ3SkFYZExEWTJRTUNyY0Y3d0poQUMzYThhYXJqRlUwWXFiQ0Z4TCtvRGw3OGxDbwp2akt2NG0wUmliU1ZBZ01CQUFHamFqQm9NQTRHQTFVZER3RUIvd1FFQXdJRm9EQU1CZ05WSFJNQkFmOEVBakFBCk1COEdBMVVkSXdRWU1CYUFGQTJuSytEb3dFaHFCMEtmMU83UHJBa1VMVkgvTUNjR0ExVWRFUUVCL3dRZE1CdUMKR1dkeVlXWmhibUV0YkdGaUxtUmxiVzh1YldzNGN5NXVaWFF3Q2dZSUtvWkl6ajBFQXdJRFNRQXdSZ0loQU9lRwp4d1l0S1ZUTjVMcmpwbGR6YlVOLzQ3NnFqM0t4NXdZcGlCL0VaalY5QWlFQXRHU3ZJZlJ2R0JGY1lqaWRyNFl1Ckw1S0Rwd21rZkt0eFhuNi9xamF0eG1jPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+  tls.key:
+    LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBMFBxS2wza0ZWWFVXUUZhMHVzeGFkUFRlY3dtQVVLdnhoZHpDa3EyYkhmcmpGVUZvCndkS3NpS20wTDZIZndyZUZ5N3BjSkx0bVFRVitkRXNlS3kwNFNRcXRYSGh3c29CQlVKRjlzeU03ejNZZmtxVjEKVWNTOFBCbnBwSTM4aHJsc2xxN3hBNUZ0Zm1keGwvRnVJT0dGUzlqeDBmOUIvWlVZbEd2b2w5bk9Id1dsSTlqQQorNXdNOG5TWVNZTWpaQUZZejZuUTR4WlA3WUJ5c3dpNFVEZTdjRHU0UFowbE5MdHJvbS9JQUdNOGVJY3JpSktSCnNBZjZ6QVFGYUNhbHIvY1VIVklMeXBmSkFKZGE3OGRJV0tNbnd6Q1pHRSt5UUYzU3cyTmtEQXEzQmU4Q1lRQXQKMnZHbXE0eFZOR0ttd2hjUy9xQTVlL0pRcUw0eXIrSnRFWW0wbFFJREFRQUJBb0lCQVFDR2x0VnJlS1hXdy9Idwp2ZWJuNTNUYW5sb2wvSmlIWERYUTRMenZlcC9NVHlpeEo4OHdCVjdaSlhMR3VwcEI3YkJkNVVneTMvNmJJYzZ2ClZ6RzIzUWpEQWYxazhLeWtTYlhIRGV6RzBvcFNzdURpc1cwOW5GY2UzaEY3eVhZNXpuSUJHZXBmUWVvaTNyeHAKL3pQT09YQi95TmoxUmxCWjRReFRpcXZpSUlSL3RSZmNQcFp2RWFRRHo5RDBwcm5VTG5raXdqZ1FsUVhnWXdITwpFYjRBZTlwaWwzZ3plNnVoeGxOWEc3bE1nYjFoOHZFa0RNOURJK0tqd25tYjF3eEZCSkZEQ2E4dm15ZDZZTThRCnU1bU5JbVc3bmh1bTA3akRid0tXSDgySE5kTWEwT2g4T0RCWENSSkVhMTZ2YXd0NVNCWjJLcVdlbmpaTlUycmwKTzJ2UmRZUUJBb0dCQVAxUzhEeTVWRkVQUHB4RCtLZHJzWGlVcER6Rzl2VGZmS3ZLQ2NBNExpVEJNYTdEdlRNTwpMeFRJaldMekhmZUFPbXBzVngrK3U4S1kzd2txbTBDcWpabzZ3eVpXcWZhZkJ6bUluK3p3Zm9tQmlIazJwZ2tCCjlTdU95VW9Bb0djYSt6TUtyZXpJRjVrc2FaUmlJbERsL2dheWFlVUZyWGhLZUJTbDF0Q3lOVTlOQW9HQkFOTXYKcmkxcllLZkVPeGxOTlpTbVczQzRiZ2RJZlNoRXNYaVcrUkxFYkdqamgwRWN5Vy92SCtrMU5TdU5aZERpUk9BRwpVQmhmT29YSnVYbzJkTlRXdXFuSE9QL2pxUG1tYWRhU3dpejNtUFNqRUppU3hUbFBQMGEyb0Jpa3VTVlAybDFVCkxxa0MrZ1ZEWHhoaXlXUXlKMUNnY0dNb0IyTVI4R0RaZkVXSm9lWnBBb0dCQU9EdjBWUUtPRjFWelFHU3RXdHMKREFVRzc2THNCUU5Bb3dJamYyOElNNmo5UnpGb3EwcDNjTVRpby9EVjhha0FXbDUvWHdsWUluN1RvVkFSWGhRWQpuVzN5ZWJCRVNkMHNMbzBlek9ybVRXV3ArRld4ZWRNTHd2aHZiRHJpdll0d0FOZTh4dDAyZXdYTzB0MG9HbEo5Ck5vZ1p5ai9MUDlKTlJiMEgyT3d0SVhzTkFvR0FNaXRrbEhPcTNaQVhmaFpDZ1ZMWDdEcFVJVFRPVHMrcTNYdjQKSmNZMS91RDJrN2hUL2x4dlYwYUZvQmdTTlFKYjNHQ0RqSmFxMzNlaHNXL1laMnV2b24rcWdkZkNuN1F4OW9DYwowblByaVVwbnVlYzhKVFkzVVFRM21rTWZuTWFRbUpWVUZHQ1pwc0J2aWVxRjcyQ2V5RitrODFsaUQ5NEdIZXZzCnd0UkVldWtDZ1lFQSt1ZExMZllCRitFaDZIVldvT3NXU2lqZCtrTnh4ajhaK2VSMWhOaWxtN1I5RlNkVzJHVEoKY2lvMlIrSDhWU0xudnFjZ29oWXNxZ0N0VXViTnpNbjdlbEt4RkNOOHRaS1lUYnhHcU5IUHJ4WE43M3RQNy83WAp2MWF4UXQvbm5lcDEvaVYzODVBcUZLdGZ6UU9Ua25sdGJBcmxyZzRvRFk4d0NtUmcwTi9aLzJFPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
+kind: Secret
+metadata:
+  annotations:
+    cert-manager.io/alt-names: grafana-lab.demo.mk8s.net
+  name: grafana
+  namespace: rackspace-system
+type: kubernetes.io/tls
+```
+- Download [kubeseal](https://github.com/bitnami-labs/sealed-secrets/releases) binary.
+- Use `kubeseal` for the Kuberntes Secret entryption:
+``` shell
+kubeseal --scope cluster-wide --allow-empty-data -o yaml --controller-namespace rackspace-system  < ~/grafana-cert.yaml  > encrypted_grafana-cert.yaml
+cat encrypted_grafana-cert.yaml
+```
+For more options around `kubeseal` please check help page.
+
+- Upload the encrypted Sealed Secret resource(`encrypted_grafana-cert.yaml`) to your version control system. It can only be decrypted using the secret created during the Sealed Secrets installation.
+
+### Deploying Kubernetes Secret from Sealed Secret Resource:
+- Apply sealed-secret resource(`encrypted_grafana-cert.yaml`):
+```shell
+kubectl apply -f encrypted_grafana-cert.yaml
+```
+- Verify that the Sealed Secret has been created and the Kubernetes Secret has been decrypted:
+```shell
+kubectl get sealedsecret/grafana -n rackspace-system
+kubectl get secret grafana -n rackspace-system
+```
diff --git a/kustomize/sealed-secrets/base/kustomization.yaml b/kustomize/sealed-secrets/base/kustomization.yaml
@@ -0,0 +1,12 @@
+resources:
+  - './namespace.yaml'
+namespace: sealed-secrets
+helmGlobals:
+  chartHome: ../charts/
+helmCharts:
+- name: sealed-secrets
+  includeCRDs: true
+  releaseName: sealed-secrets
+  valuesFile: values.yaml
+  version: 2.14.2
+  repo: https://bitnami-labs.github.io/sealed-secrets
diff --git a/kustomize/sealed-secrets/base/namespace.yaml b/kustomize/sealed-secrets/base/namespace.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    kubernetes.io/metadata.name: sealed-secrets
+    name: sealed-secrets
+  name: sealed-secrets
diff --git a/kustomize/sealed-secrets/base/values.yaml b/kustomize/sealed-secrets/base/values.yaml
diff --git a/mkdocs.yml b/mkdocs.yml
