Apricate.dev

Installing and Testing Sealed Secrets on a k8s Cluster Using Terraform

Introduction

In a Kubernetes environment, secrets are often used to store sensitive information like passwords, API keys, and certificates. However, these secrets are stored in plain text within the cluster, making them vulnerable to attacks. To secure this sensitive information, Sealed Secrets provides a way to encrypt secrets before they are stored in the cluster, ensuring they remain safe even if the cluster is compromised.

In this article, we’ll walk through creating a Terraform module that installs Sealed Secrets into an existing kubernetes cluster. We’ll also cover how to test the installation to ensure everything is functioning as expected.

Prerequisites

Before diving in, ensure you have the following:

  • An existing k8s cluster.
  • Terraform installed on your local machine.
  • kubectl configured to interact with your k8s cluster.
  • helm installed for managing Kubernetes packages.

Creating the Terraform Module

First, we need to create a Terraform module that will install Sealed Secrets using Helm. This module will be reusable, allowing you to deploy Sealed Secrets into any kubernetes cluster.

Directory Structure

Create a directory for your Terraform module with the following structure:

sealed-secrets/
│
├── main.tf
├── variables.tf
├── outputs.tf
├── README.md

main.tf

The main.tf file is where the core logic of the module resides. It includes a Helm release resource to install Sealed Secrets and a Kubernetes namespace resource to ensure the namespace exists before deployment.

resource "helm_release" "sealed_secrets" {
  name       = "sealed-secrets"
  repository = "https://bitnami-labs.github.io/sealed-secrets"
  chart      = "sealed-secrets"
  version    = var.sealed_secrets_version
  namespace  = var.sealed_secrets_namespace

  values = [
    templatefile("${path.module}/values.yaml.tpl", {
      install_crds = var.install_crds
    })
  ]

  depends_on = [kubernetes_namespace.sealed_secrets]
}

resource "kubernetes_namespace" "sealed_secrets" {
  metadata {
    name = var.sealed_secrets_namespace
  }
}

output "sealed_secrets_status" {
  value = helm_release.sealed_secrets.status
}

variables.tf

The variables.tf file defines all the variables that the module will use. This includes variables for Kubernetes cluster details and Helm chart configuration.

variable "sealed_secrets_version" {
  description = "The Sealed Secrets Helm chart version"
  type        = string
  default     = "2.7.2"  # Update to the latest version as needed
}

variable "sealed_secrets_namespace" {
  description = "The namespace where Sealed Secrets will be installed"
  type        = string
  default     = "sealed-secrets"
}

variable "install_crds" {
  description = "Whether to install the Sealed Secrets Custom Resource Definitions (CRDs)"
  type        = bool
  default     = true
}

outputs.tf

The outputs.tf file provides the status of the Helm release, which can be useful for debugging or for integration with other Terraform configurations.

output "sealed_secrets_status" {
  description = "The status of the Sealed Secrets Helm release"
  value       = helm_release.sealed_secrets.status
}

values.yaml.tpl

The values.yaml.tpl file is a template for customizing the Helm chart values. It allows you to dynamically set Helm values using the input variables defined in variables.tf.

installCRDs: ${install_crds}

Deploying Sealed Secrets with Terraform

Now that the module is created, you can use it in your Terraform configuration to install Sealed Secrets into your kubernetes cluster.

  1. Initialize Terraform: In your main Terraform configuration directory, run:
   terraform init
  1. Apply the Configuration: Apply the configuration to deploy Sealed Secrets:
   terraform apply

Terraform will prompt you to confirm the changes. Type yes to proceed.

After the deployment, Terraform will output the status of the Sealed Secrets Helm release, indicating whether it was successfully deployed.

Testing the Installation

To verify that Sealed Secrets is installed and functioning correctly, follow these steps:

1. Check the Sealed Secrets Controller Pod

Ensure that the Sealed Secrets controller pod is running in the sealed-secrets namespace.

kubectl get pods -n sealed-secrets

You should see a pod named something like sealed-secrets-controller-xxxx in the Running state.

2. Check the Custom Resource Definitions (CRDs)

If you enabled the installation of CRDs, check that they are correctly installed:

kubectl get crds | grep sealedsecrets

This command should return:

sealedsecrets.bitnami.com

3. Test Sealing and Unsealing a Secret

To ensure that Sealed Secrets is functioning as expected, create and seal a test secret, then unseal it.

  1. Create a test Secret:
   kubectl create secret generic mysecret --from-literal=secretkey=mysecretvalue -n sealed-secrets
  1. Encrypt the Secret using Sealed Secrets: Use the kubeseal CLI tool to encrypt the secret.
   kubectl get secret mysecret -n sealed-secrets -o yaml \
     | kubeseal \
     --controller-name=sealed-secrets-controller \
     --controller-namespace=sealed-secrets \
     --format=yaml > mysealedsecret.yaml
  1. Delete the original Secret:
   kubectl delete secret mysecret -n sealed-secrets
  1. Apply the Sealed Secret:
   kubectl apply -f mysealedsecret.yaml -n sealed-secrets
  1. Verify that the Secret was unsealed:
   kubectl get secret mysecret -n sealed-secrets -o yaml

This command should display the unsealed secret, confirming that Sealed Secrets is working correctly.

Conclusion

In this article, we walked through the process of creating a Terraform module to install Sealed Secrets into a kubernetes cluster. We also covered how to test the installation to ensure that Sealed Secrets is properly configured and operational.

By using this Terraform module, you can easily and securely manage your Kubernetes secrets, ensuring that sensitive information is protected within your cluster.

Bohdan

, ,
, , , , ,