Secret management

This is written the 8 of august 2021

Secret is a Kubernetes object to store a password, a token, or a key. To transfer a secret securely to the cluster Kithosting uses sealed secrets. Sealed secrets are using the public key in an RSA key pair to encrypt the secret. Read more about the encryption here.

Sealed secrets can be deployed through Argo with Helm chart. If the KIT Service Chart is used you can follow these steps.

Install kubeseal. This is done by installing sealed secrets local, see the instructions here. The installations steps are dependent on the OS used.

1. Encrypt the secret

To encrypt the secret run the following command

echo -n mySecret | kubeseal --raw -n namespace --name secretName --cert certUrl

• mySecret - replace with the secret in plain text
• namespace - replace namespace with the K8S namespace the secret is deployed in
• secretName - replace secretName with the name of the secret in Kubernetes
• certUrl - replace certUrl with the URL for the public key for the environment is needed
  • Production: https://sealed-secrets.hosting.kitkube.dk/v1/cert.pem
  • Test: https://sealed-secrets.t0.hosting.kitkube.dk/v1/cert.pem

It is important to set the right namespace and name of the secret, because they are part of the encryption and decryption.

2. Add the secret to the Helm Chart

The output of the command in step one is used when setting the value of the secret in the Helm chart. An example of the values add to the value-test.yaml is shown below. For more details see the documentation of the service Helm Chart.

sealedSecret:
  secretName:
    encryptedData:
      key: AgBOQOoh7RGqTBPPSG0CtbfZD/Wh+Csl/c5HSqTzy2SoRBxh9n...

3. Sealed Secret in Argo

When the sealed secret is added to the Helm Chart it will show up in Argo. When the sealed secret is synced, a Kubernetes secret is created from the sealed secret.