Objective
This guide demonstrates encrypting Kubernetes secrets with Sealed Secrets, using a PostgreSQL connection string as an example, and setting up a local Traefik TLS secret with mkcert.
Prerequisites
- KIND
- cloud-provider-kind
- Sealed Secrets
- kubectl
- Helm
- Traefik
- mkcert
- .NET 6
Installing Sealed Secrets
- Sealed Secrets controller (Cluster-Side Controller)
# by Helm
helm repo add sealed-secrets
https://bitnami-labs.github.io/sealed-secrets
helm install sealed-secrets -n kube-system
--set-string fullnameOverride=sealed-secrets-controller
sealed-secrets/sealed-secrets
- kubeseal (client-side utility)
go install
github.com/bitnami-labs/sealed-secrets/cmd/kubeseal@main
Creating the sealed secret with Sealed Secrets
- Create the Kubernetes secret
kubectl create secret generic ms-dev-secret
--dry-run=client -o yaml > appsettings-secret.Development.yaml
--from-literal=pg-cluster='Host=your_host_ip;Port=5432;Database=your_database;Username=your_username;Password=your_password'
pg-cluster is the name of the key in the secret.
ms-dev-secret is the name of the secret.
- Create the sealed secret from the secret
kubeseal --scope cluster-wide
< appsettings-secret.Development.yaml -o yaml
> appsettings-sealed-secret.Development.yaml
appsettings-sealed-secret.Development.yaml is the sealed secret.
–scope
- How to decrypt the sealed secret to the secret
# First, find the sealed secret controller
# Running kubectl get secrets -A will show secrets starting with sealed-secrets-
# For example, sealed-secrets-abc
kubectl get secrets -A
# Secondly, get the private key "sealed-secret-key.pem"
kubectl get secret -n kube-system sealed-secrets-abc
-o jsonpath='{.data.tls.key}' | base64 --decode
> sealed-secret-key.pem
# Finally, decrypt the sealed secret "appsettings-sealed-secret.Development.yaml"
# to the secret "appsettings-secret.Development.yaml"
kubeseal --recovery-unseal
--recovery-private-key sealed-secret-key.pem
< appsettings-sealed-secret.Development.yaml
-o yaml > appsettings-secret.Development.yaml
# memo: decode base64 string
echo [base64_string] | base64 --decode
Running cloud-provider-kind
# Run As administrator
cloud-provider-kind
Setting up mkcert
- Install the cert/key
# on Windows, I used choco
choco install mkcert
mkcert -install
mkcert localhost 127.0.0.1
localhost.pem is the mkcert cert
localhost-key.pem is the mkcert key
Creating the Kubernetes tls secret for Traefik
kubectl create secret tls localhost-tls-secret
--cert=localhost.pem
--key=localhost-key.pem
--namespace=default
localhost-tls-secret is the tls secret for Traefik
- Remove mkcert cert/key
mkcert -uninstall
rm -rf "$(mkcert -CAROOT)"
Configuring Traefik with TLS
- Deploy Traefik
helm install -f traefik-values-localhost.yaml
traefik traefik/traefik
- Update localhost tls from external ip of Traefik
mkcert localhost 127.0.0.1 172.19.0.6
172.19.0.6 is the Traefik external ip given by cloud-provider-kind
remember to rename new key and new cert as “localhost.pem” and “localhost-key.pem”
- traefik-values-localhost.yaml
ports:
web:
redirectTo:
port: websecure
tlsStore:
default:
defaultCertificate:
secretName: localhost-tls-secret
Deploying the .NET 6 App with Sealed Secrets
# deploy sealed secret first
kubectl apply -f appsettings-sealed-secret.Development.yaml
# deploy the app
kubectl apply -f deploy.yaml
- appsettings-sealed-secret.Development.yaml
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
annotations:
sealedsecrets.bitnami.com/cluster-wide: "true"
creationTimestamp: null
name: ms-dev-secret
namespace: default
spec:
encryptedData:
pg-cluster: AgAjyf765/UaOa80g1Z+30zEQ4Sgu5uLU+9EwKEQ5yiZC+8lczxJERGpq1oMmzdL2jLe9sYT7jREGynPDcczX8Y5tU+ZH4ADiuUgbgjpOCrfOXT68AF2LEMu6JFhu3bqMhLbYL1yUMTxQmf6YP/kvPxZ3kTyWaiQfOuTTwgKwGRT50mOrbYJaMMJxH6HMe4V8kPQ6qbpg9FSU1S6DzHCI+pf0HKg8cuCLUjxOXNL7Bc7X+PqGG3nP/BlF4WVaGvYpVCxC/4IakPZIwSI5mUWRpSabFl1f+rP2OmuEuChm3l9XzYTZyXUAu8f9c/jR4FmnK4DVv0MOMeVhsSFf/eS64l2HC6/evKscL2AIvw2HWX/bpTJeeNfA0neSqNYn4zMMTs2nSFsQTh0Qd5XE/zdprYY74B6UlbcNZHiOAeKiHlo8bL44ulCcZBTWviBejd7dB/ot07l0lfo0aa1F2O/WKT6/gdGNnxULx7weZbwDKjb970OmtJpmS4HKiwf3vnlOoF6tGsPzd7Bj3mXEFnMPFKdnZ/nwsKc8+lVRFBQ5CaWZziXD5T5uOQB/lSUFoY7miCpGEM49INUbfPpZKZd4aW1ZPFJ1bszlkBL2F7gkl3i+vVtqFHqv3DIF5RG/Vk537dppLEsjA3qK0vGjJJzYTCBppyij86PRcI7EjGeDd63YTuHP59U/RKOfCfLdEntuABjWN124N3rpmQB60Tdr84AWVmQG8SUD1dBSii6cGtqNVN8iLqZqAn1cfGQhV0nG56Ciyd+/hTAVIxTAGqvKMXO/OJWTuzZ9X8p0Ry5WgYDWMgwV+Du7gUJ6Bb+kq2TTTOXGKiUXKFu3wl0vj2WpBmZiYV10DNb9k2jlSVx6JA=
template:
metadata:
annotations:
sealedsecrets.bitnami.com/cluster-wide: "true"
creationTimestamp: null
name: ms-dev-secret
namespace: default
- deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: ms
labels:
app: ms
spec:
replicas: 1
selector:
matchLabels:
app: ms
template:
metadata:
labels:
app: ms
spec:
containers:
- name: ms-app
image: ghcr.io/tingwei628/ms/ms:latest
ports:
- containerPort: 10001
env:
- name: DOTNET_ENVIRONMENT
value: Development
- name: ConnectionStrings__PgCluster
valueFrom:
secretKeyRef:
name: ms-dev-secret
key: pg-cluster
- name: ASPNETCORE_URLS
value: http://+:10001
livenessProbe:
httpGet:
path: /health
port: 10001
initialDelaySeconds: 10
periodSeconds: 5
readinessProbe:
httpGet:
path: /health
port: 10001
initialDelaySeconds: 5
periodSeconds: 5
---
apiVersion: v1
kind: Service
metadata:
name: ms-service
labels:
app: ms
spec:
selector:
app: ms
ports:
- port: 10001
targetPort: 10001
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ms-ingress
namespace: default
labels:
app: ms
spec:
entryPoints:
- websecure
routes:
- match: Host(`172.19.0.6`) && PathPrefix(`/ms`)
kind: Rule
middlewares:
- name: strip-ms-prefix
services:
- name: ms-service
port: 10001
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: strip-ms-prefix
labels:
app: ms
spec:
stripPrefix:
prefixes:
- /ms
port = 10001 (whatever you want)
ConnectionStrings__PgCluster is from the key “pg-cluster” in the secret “ms-dev-secret”
Testing
Done!