To install the Sealed Secrets operator, all you need to do is download the controller manifest from the latest release at https://github.com/bitnami-labs/sealed-secrets/releases. At the time of writing this book, https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.23.1/controller.yaml is the latest controller manifest.
Create a new directory called sealed-secrets within the manifest directory and download controller.yaml using the following commands:
$ cd ~/mdo-environments/manifests && mkdir sealed-secrets
$ cd sealed-secrets
$ wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.23.1/controller.yaml
Then, commit and push the changes to the remote repository. After about five minutes, Argo CD will create a new application called sealed-secrets and deploy it. You can visualize this in the Argo CD Web UI as follows:
Figure 12.13 – Argo CD Web UI – Sealed Secrets
In the Kubernetes cluster, sealed-secrets-controller will be visible in the kube-system namespace. Run the following command to check this:
$ kubectl get deployment -n kube-system sealed-secrets-controller
NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
sealed-secrets-controller   1/1     1            1           6m4s
As we can see, the controller is running and ready. We can now install the client-side utility – kubeseal.
Installing kubeseal
To install the client-side utility, you can go to https://github.com/bitnami-labs/sealed-secrets/releases and get the kubeseal installation binary link from that page. The following commands will install kubeseal 0.23.1 on your system:
$ KUBESEAL_VERSION='0.23.1'
$ wget "https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION:?}/kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz"
$ tar -xvzf kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz kubeseal
$ sudo install -m 755 kubeseal /usr/local/bin/kubeseal
$ rm -rf ./kubeseal*
To check whether kubeseal has been installed successfully, run the following command:
$ kubeseal --version
kubeseal version: 0.23.1
Now that kubeseal is installed, let's go ahead and create a Sealed Secret for the blog-app.
Creating Sealed Secrets
To create a Sealed Secret, we first have to define the Kubernetes Secret resource. The mongodb-creds Secret should contain two key-value pairs: the MONGO_INITDB_ROOT_USERNAME key with the value root, and the MONGO_INITDB_ROOT_PASSWORD key with any value you want as the password.
As we don't want to store the plaintext Secret as a file, we will generate the Kubernetes Secret manifest called mongodb-creds with the --dry-run=client and -o yaml flags (so nothing is sent to the cluster) and pipe the output directly to kubeseal, which produces the SealedSecret resource. Use the following command:
$ kubectl create secret generic mongodb-creds \
    --dry-run=client -o yaml --namespace=blog-app \
    --from-literal=MONGO_INITDB_ROOT_USERNAME=root \
    --from-literal=MONGO_INITDB_ROOT_PASSWORD='<your-password>' \
    | kubeseal -o yaml > mongodb-creds-sealed.yaml
This generates the mongodb-creds-sealed.yaml Sealed Secret, which looks like this:
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mongodb-creds
  namespace: blog-app
spec:
  encryptedData:
    MONGO_INITDB_ROOT_PASSWORD: AgB+tyskf72M/…
    MONGO_INITDB_ROOT_USERNAME: AgA95xKJg8veOy8v/…
  template:
    metadata:
      name: mongodb-creds
      namespace: blog-app
As you can see, the Sealed Secret is very similar to the Secret manifest, but instead of Base64-encoded secret values it carries encrypted values that only the Sealed Secrets controller can decrypt. You can therefore safely check this file into source control. Let's go ahead and do that. Move the Sealed Secret YAML file to the manifests/blog-app directory using the following commands:
$ mkdir -p ~/mdo-environments/manifests/blog-app/
$ mv mongodb-creds-sealed.yaml ~/mdo-environments/manifests/blog-app/
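The whole point of the workflow above is that only the SealedSecret, never the plaintext Secret, reaches the Git repository. The following script is an added example (it is not from the book or the Sealed Secrets project) of a repository guard that enforces this: it scans a manifests tree and fails when any YAML file declares a plaintext kind: Secret with a data: or stringData: block, while leaving kind: SealedSecret files alone. It assumes the book's ~/mdo-environments/manifests/<app>/ layout; the sample manifests it writes are constructed for the demo, and the encryptedData values in them are placeholders, not real ciphertext.

```shell
#!/bin/sh
# Added example (not from the book or the Sealed Secrets project): a repository
# guard that fails when a manifests directory contains a plaintext Kubernetes
# Secret. Only SealedSecret resources (kind: SealedSecret, bitnami.com/v1alpha1)
# are allowed through. The directory layout follows the book; the sample
# manifests written below are constructed for the demo.

# Print every YAML file under $1 that declares "kind: Secret" together with a
# data:/stringData: block. "kind: SealedSecret" is deliberately not matched,
# and "encryptedData:" does not match the data:/stringData: pattern either.
find_plain_secrets() {
  find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) -print | sort |
  while IFS= read -r f; do
    if grep -Eq '^[[:space:]]*kind:[[:space:]]*Secret[[:space:]]*$' "$f" &&
       grep -Eq '^[[:space:]]*(data|stringData):' "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Return 0 when the tree is clean, 1 (with a report on stderr) otherwise.
check_no_plain_secrets() {
  offenders=$(find_plain_secrets "$1")
  if [ -n "$offenders" ]; then
    printf 'refusing to commit plaintext Secret manifest(s):\n%s\n' "$offenders" >&2
    return 1
  fi
  return 0
}

# Constructed SealedSecret mirroring the book's mongodb-creds-sealed.yaml;
# the encryptedData values are placeholders, not real ciphertext.
write_sample_sealed_secret() {
  mkdir -p "$1/blog-app"
  cat > "$1/blog-app/mongodb-creds-sealed.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mongodb-creds
  namespace: blog-app
spec:
  encryptedData:
    MONGO_INITDB_ROOT_PASSWORD: AgB-PLACEHOLDER-CIPHERTEXT
    MONGO_INITDB_ROOT_USERNAME: AgA-PLACEHOLDER-CIPHERTEXT
  template:
    metadata:
      name: mongodb-creds
      namespace: blog-app
EOF
}

# Constructed plaintext Secret: the file that must never reach the repository.
write_sample_plain_secret() {
  mkdir -p "$1/blog-app"
  cat > "$1/blog-app/mongodb-creds.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: mongodb-creds
  namespace: blog-app
type: Opaque
data:
  MONGO_INITDB_ROOT_USERNAME: cm9vdA==
EOF
}

# Demo on a throwaway directory: a sealed-only tree passes, a plaintext
# Secret is rejected. Set SKIP_DEMO=1 to only define the functions.
demo() {
  tmp=$(mktemp -d)
  write_sample_sealed_secret "$tmp"
  check_no_plain_secrets "$tmp" && echo "sealed-only tree: OK"
  write_sample_plain_secret "$tmp"
  check_no_plain_secrets "$tmp" || echo "plaintext Secret rejected as expected"
  rm -rf "$tmp"
}

[ "${SKIP_DEMO:-}" = "1" ] || demo
```

In practice you would call check_no_plain_secrets ~/mdo-environments/manifests from a Git pre-commit hook or a CI job, so that a mistakenly committed kubectl create secret output is caught before Argo CD ever sees it. The kind line is matched exactly so that SealedSecret manifests, whose encryptedData block looks superficially like data, are not flagged.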
Now that we’ve successfully generated the Sealed Secret and moved it to the manifests/blog-app directory, we’ll set up the rest of our application in the next section.