Blog

How to Create an ALB Listener with Multiple Path Conditions Using Terraform
When designing modern cloud-native applications, it’s common to host multiple services under a single domain. Application Load Balancers (ALBs) in AWS provide an efficient way to route traffic to different backend services based on URL path conditions. This article will guide you through creating an ALB listener with multiple path-based routing conditions using Terraform, assuming you already have SSL configured.

Prerequisites
- AWS Account: Ensure you have access to an AWS account with the necessary permissions to create and manage ALB, EC2 instances, and other AWS resources.
- Terraform Installed: Terraform should be installed and configured on your machine.
- SSL Certificate: You should already have an SSL certificate set up and associated with your ALB, as this guide focuses on creating path-based routing rules.
Step 1: Set Up Path-Based Target Groups

Before configuring the ALB listener rules, you need to create target groups for the different services that will handle requests based on the URL paths.
```
resource "aws_lb_target_group" "service1_target_group" {
  name     = "service1-tg"
  port     = 80
  protocol = "HTTP"
  vpc_id   = aws_vpc.main_vpc.id
}

resource "aws_lb_target_group" "service2_target_group" {
  name     = "service2-tg"
  port     = 80
  protocol = "HTTP"
  vpc_id   = aws_vpc.main_vpc.id
}
```
In this example, we’ve created two target groups: one for service1 and another for service2. These groups will handle the traffic based on specific URL paths.

Step 2: Create the HTTPS Listener

Since we’re focusing on path-based routing, we’ll configure an HTTPS listener that listens on port 443 and uses the SSL certificate you’ve already set up.
```
resource "aws_lb_listener" "https_listener" {
  load_balancer_arn = aws_lb.my_alb.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn   = aws_acm_certificate.cert.arn

  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "404: Not Found"
      status_code  = "404"
    }
  }
}
```
Step 3: Define Path-Based Routing Rules

Now that the HTTPS listener is set up, you can define listener rules that route traffic to different target groups based on URL paths.
```
resource "aws_lb_listener_rule" "path_condition_rule_service1" {
  listener_arn = aws_lb_listener.https_listener.arn
  priority     = 1

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.service1_target_group.arn
  }

  condition {
    path_pattern {
      values = ["/service1/*"]
    }
  }
}

resource "aws_lb_listener_rule" "path_condition_rule_service2" {
  listener_arn = aws_lb_listener.https_listener.arn
  priority     = 2

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.service2_target_group.arn
  }

  condition {
    path_pattern {
      values = ["/service2/*"]
    }
  }
}
```
In this configuration:
- The first rule routes traffic with paths matching /service1/* to service1_target_group.
- The second rule routes traffic with paths matching /service2/* to service2_target_group.
The priority field ensures that Terraform processes these rules in the correct order, with lower numbers being processed first.

Step 4: Apply Your Terraform Configuration

After defining your Terraform configuration, apply the changes to deploy the ALB with path-based routing.
1. Initialize Terraform:
```
   terraform init
```
1. Review the Plan:
```
   terraform plan
```
1. Apply the Configuration:
```
   terraform apply
```
Conclusion

By leveraging path-based routing, you can efficiently manage traffic to different services under a single domain, improving the organization and scalability of your application architecture.

This approach is especially useful in microservices architectures, where different services can be accessed via specific URL paths, all secured under a single SSL certificate. Path-based routing is a powerful tool for ensuring that your ALB efficiently directs traffic to the correct backend services, enhancing both performance and security.
August 30, 2024
Creating an Application Load Balancer (ALB) Listener with Multiple Host Header Conditions Using Terraform
Application Load Balancers (ALBs) play a crucial role in distributing traffic across multiple backend services. They provide the flexibility to route requests based on a variety of conditions, such as path-based or host-based routing. In this article, we’ll walk through how to create an ALB listener with multiple host_header conditions using Terraform.

Prerequisites

Before you begin, ensure that you have the following:
- AWS Account: You’ll need an AWS account with the appropriate permissions to create and manage ALB, EC2, and other related resources.
- Terraform Installed: Make sure you have Terraform installed on your local machine. You can download it from the official website.
- Basic Knowledge of Terraform: Familiarity with Terraform basics, such as providers, resources, and variables, is assumed.
Step 1: Set Up Your Terraform Configuration

Start by creating a new directory for your Terraform configuration files. Inside this directory, create a file named main.tf. This file will contain the Terraform code to create the ALB, listener, and associated conditions.
```
provider "aws" {
  region = "us-west-2" # Replace with your preferred region
}

resource "aws_vpc" "main_vpc" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_subnet" "main_subnet" {
  vpc_id            = aws_vpc.main_vpc.id
  cidr_block        = "10.0.1.0/24"
  availability_zone = "us-west-2a" # Replace with your preferred AZ
}

resource "aws_security_group" "alb_sg" {
  name   = "alb_sg"
  vpc_id = aws_vpc.main_vpc.id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_lb" "my_alb" {
  name               = "my-alb"
  internal           = false
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb_sg.id]
  subnets            = [aws_subnet.main_subnet.id]

  enable_deletion_protection = false
}

resource "aws_lb_target_group" "target_group_1" {
  name     = "target-group-1"
  port     = 80
  protocol = "HTTP"
  vpc_id   = aws_vpc.main_vpc.id
}

resource "aws_lb_target_group" "target_group_2" {
  name     = "target-group-2"
  port     = 80
  protocol = "HTTP"
  vpc_id   = aws_vpc.main_vpc.id
}

resource "aws_lb_listener" "alb_listener" {
  load_balancer_arn = aws_lb.my_alb.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "404: No matching host header"
      status_code  = "404"
    }
  }
}

resource "aws_lb_listener_rule" "host_header_rule_1" {
  listener_arn = aws_lb_listener.alb_listener.arn
  priority     = 1

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.target_group_1.arn
  }

  condition {
    host_header {
      values = ["example1.com"]
    }
  }
}

resource "aws_lb_listener_rule" "host_header_rule_2" {
  listener_arn = aws_lb_listener.alb_listener.arn
  priority     = 2

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.target_group_2.arn
  }

  condition {
    host_header {
      values = ["example2.com"]
    }
  }
}
```
Step 2: Define the ALB and Listener

In the main.tf file, we start by defining the ALB and its associated listener. The listener listens for incoming HTTP requests on port 80 and directs the traffic based on the conditions we set.
```
resource "aws_lb_listener" "alb_listener" {
  load_balancer_arn = aws_lb.my_alb.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "404: No matching host header"
      status_code  = "404"
    }
  }
}
```
Step 3: Add Host Header Conditions

Next, we create listener rules that define the host header conditions. These rules will forward traffic to specific target groups based on the Host header in the HTTP request.
```
resource "aws_lb_listener_rule" "host_header_rule_1" {
  listener_arn = aws_lb_listener.alb_listener.arn
  priority     = 1

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.target_group_1.arn
  }

  condition {
    host_header {
      values = ["example1.com"]
    }
  }
}

resource "aws_lb_listener_rule" "host_header_rule_2" {
  listener_arn = aws_lb_listener.alb_listener.arn
  priority     = 2

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.target_group_2.arn
  }

  condition {
    host_header {
      values = ["example2.com"]
    }
  }
}
```
In this example, requests with a Host header of example1.com are routed to target_group_1, while requests with a Host header of example2.com are routed to target_group_2.

Step 4: Deploy the Infrastructure

Once you have defined your Terraform configuration, you can deploy the infrastructure by running the following commands:
1. Initialize Terraform: This command initializes the working directory containing the Terraform configuration files.
```
   terraform init
```
1. Review the Execution Plan: This command creates an execution plan, which lets you see what Terraform will do when you run terraform apply.
```
   terraform plan
```
1. Apply the Configuration: This command applies the changes required to reach the desired state of the configuration.
```
   terraform apply
```
After running terraform apply, Terraform will create the ALB, listener, and listener rules with the specified host header conditions.

Adding SSL to your Application Load Balancer (ALB) in AWS using Terraform involves creating an HTTPS listener, configuring an SSL certificate, and setting up the necessary security group rules. This guide will walk you through the process of adding SSL to the ALB configuration that we created earlier.

Step 1: Obtain an SSL Certificate

Before you can set up SSL on your ALB, you need to have an SSL certificate. You can obtain an SSL certificate using AWS Certificate Manager (ACM). This guide assumes you already have a certificate in ACM, but if not, you can request one via the AWS Management Console or using Terraform.

Here’s an example of how to request a certificate in Terraform:
```
resource "aws_acm_certificate" "cert" {
  domain_name       = "example.com"
  validation_method = "DNS"

  subject_alternative_names = [
    "www.example.com",
  ]

  tags = {
    Name = "example-cert"
  }
}
```
After requesting the certificate, you need to validate it. Once validated, it will be ready for use.

Step 2: Modify the ALB Security Group

To allow HTTPS traffic, you need to update the security group associated with your ALB to allow incoming traffic on port 443.
```
resource "aws_security_group_rule" "allow_https" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.alb_sg.id
}
```
Step 3: Add the HTTPS Listener

Now, you can add an HTTPS listener to your ALB. This listener will handle incoming HTTPS requests on port 443 and will forward them to the appropriate target groups based on the same conditions we set up earlier.
```
resource "aws_lb_listener" "https_listener" {
  load_balancer_arn = aws_lb.my_alb.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn   = aws_acm_certificate.cert.arn

  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "404: No matching host header"
      status_code  = "404"
    }
  }
}
```
Step 4: Add Host Header Rules for HTTPS

Just as we did with the HTTP listener, we need to create rules for the HTTPS listener to route traffic based on the Host header.
```
resource "aws_lb_listener_rule" "https_host_header_rule_1" {
  listener_arn = aws_lb_listener.https_listener.arn
  priority     = 1

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.target_group_1.arn
  }

  condition {
    host_header {
      values = ["example1.com"]
    }
  }
}

resource "aws_lb_listener_rule" "https_host_header_rule_2" {
  listener_arn = aws_lb_listener.https_listener.arn
  priority     = 2

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.target_group_2.arn
  }

  condition {
    host_header {
      values = ["example2.com"]
    }
  }
}
```
Step 5: Update Terraform and Apply Changes

After adding the HTTPS listener and security group rules, you need to update your Terraform configuration and apply the changes.
1. Initialize Terraform: If you haven’t done so already.
```
   terraform init
```
1. Review the Execution Plan: This command creates an execution plan to review the changes.
```
   terraform plan
```
1. Apply the Configuration: Apply the configuration to create the HTTPS listener and associated resources.
```
   terraform apply
```
Conclusion

We walked through creating an ALB listener with multiple host header conditions using Terraform. This setup allows you to route traffic to different target groups based on the Host header of incoming requests, providing a flexible way to manage multiple applications or services behind a single ALB.

By following these steps, you have successfully added SSL to your AWS ALB using Terraform. The HTTPS listener is now configured to handle secure traffic on port 443, routing it to the appropriate target groups based on the Host header.

This setup not only ensures that your application traffic is encrypted but also maintains the flexibility of routing based on different host headers. This is crucial for securing web applications and complying with modern web security standards.
August 30, 2024
How to Create a New AWS Account: A Step-by-Step Guide
Amazon Web Services (AWS) is a leading cloud service provider, offering a wide array of services from computing power to storage options. Whether you’re an individual developer, a startup, or an enterprise, setting up a new AWS account is the first step toward leveraging the power of cloud computing. This article will guide you through the process of creating a new AWS account, ensuring that you can start using AWS services quickly and securely.

Why Create an AWS Account?

Creating an AWS account gives you access to a wide range of cloud services, including computing, storage, databases, analytics, machine learning, networking, mobile, developer tools, and more. With an AWS account, you can:
- Experiment with the Free Tier: AWS offers a free tier with limited access to various services, perfect for learning and testing.
- Scale Your Infrastructure: As your needs grow, AWS provides scalable solutions that can expand with your business.
- Enhance Security: AWS provides industry-leading security features to protect your data and applications.
Step 1: Visit the AWS Sign-Up Page

The first step in creating an AWS account is to visit the AWS Sign-Up Page. Once there, you’ll see the “Create an AWS Account” button prominently displayed. Click on this button to begin the process.

Step 2: Enter Your Account Information

You’ll need to provide some basic information to set up your account:
- Email Address: Enter a valid email address that will be associated with your AWS account. This email will be your root user account email, which has full access to all AWS services and resources.
- Password: Choose a strong password for your account. This password will be used in conjunction with your email address to sign in.
- AWS Account Name: Enter a name for your AWS account. This name will help you identify your account, especially if you manage multiple AWS accounts.
Once you’ve filled in these details, click “Continue.”

Step 3: Choose an AWS Plan

AWS offers several plans based on your needs:
- Basic (Free): Ideal for individuals and small businesses. The free tier includes limited usage of many AWS services for 12 months.
- Developer: Provides support for non-production environments.
- Business: Offers enhanced support for production workloads.
- Enterprise: Designed for large organizations with mission-critical workloads.
Choose the plan that best suits your needs, then click “Next.”

Step 4: Enter Payment Information

Even if you only plan to use the AWS Free Tier, you’ll need to provide valid payment information. AWS requires a credit or debit card to ensure the account is legitimate and to charge for any usage that exceeds the Free Tier limits.
- Credit/Debit Card: Enter your card details, including the card number, expiration date, and billing address.
- Payment Verification: AWS may authorize a small charge to verify the card, which will be refunded.
After entering your payment information, click “Next.”

Step 5: Verify Your Identity

To complete the account setup, AWS will verify your identity:
- Phone Number: Enter a phone number where you can receive a verification call or SMS.
- Verification Process: AWS will send you a code via SMS or automated phone call. Enter this code to verify your identity.
Once verified, click “Continue.”

Step 6: Select a Support Plan

AWS offers several support plans, each with different levels of assistance:
- Basic Support: Free for all AWS customers, providing access to customer service and AWS documentation.
- Developer Support: Includes technical support during business hours and general architectural guidance.
- Business Support: Offers 24/7 access to AWS support engineers, plus guidance for using AWS services.
- Enterprise Support: Provides a dedicated Technical Account Manager (TAM) and 24/7 support for mission-critical applications.
Choose the support plan that meets your needs and click “Next.”

Step 7: Sign In to Your New AWS Account

Congratulations! Your AWS account is now created. You can sign in to the AWS Management Console using the email and password you provided during setup. From here, you can explore the AWS services available to you and start building your cloud infrastructure.

Step 8: (Optional) Enable Multi-Factor Authentication (MFA)

To enhance the security of your AWS account, it’s highly recommended to enable Multi-Factor Authentication (MFA). MFA adds an extra layer of security by requiring a second form of verification (e.g., a one-time code sent to your mobile device) when signing in.
- Enable MFA: In the AWS Management Console, go to IAM > Users > Security credentials, and click on “Activate MFA” to set it up.
Conclusion

Creating a new AWS account is a straightforward process that opens up a world of possibilities in cloud computing. By following the steps outlined in this guide, you’ll be well on your way to harnessing the power of AWS for your projects. Whether you’re looking to build a simple application or scale a complex enterprise solution, AWS provides the tools and services to support your journey.

Remember to explore the Free Tier, enable security features like MFA, and choose the right support plan to meet your needs. Happy cloud computing!
August 29, 2024
Where is the Kubeconfig File Stored?
The kubeconfig file, which is used by kubectl to configure access to Kubernetes clusters, is typically stored in a default location on your system. The default path for the kubeconfig file is:
- Linux and macOS: ~/.kube/config
- Windows: %USERPROFILE%\.kube\config
The ~/.kube/config file contains configuration details such as clusters, users, and contexts, which kubectl uses to interact with different Kubernetes clusters.

How to Edit the Kubeconfig File

There are several ways to edit your kubeconfig file, depending on what you need to change. Below are the methods you can use:

1. Editing Kubeconfig Directly with a Text Editor

Since kubeconfig is just a YAML file, you can open and edit it directly using any text editor:
- Linux/MacOS:
```
  nano ~/.kube/config
```
or
```
  vim ~/.kube/config
```
- Windows:
  Open the file with a text editor like Notepad:
```
  notepad %USERPROFILE%\.kube\config
```
When editing the file directly, you can add, modify, or remove clusters, users, and contexts. Be careful when editing YAML files; ensure the syntax and indentation are correct to avoid configuration issues.

2. Using kubectl config Commands

You can use kubectl config commands to modify the kubeconfig file without manually editing the YAML. Here are some common tasks:
- Set a New Current Context:
```
  kubectl config use-context <context-name>
```
This command sets the current context to the specified one, which will be used by default for all kubectl operations.
- Add a New Cluster:
```
  kubectl config set-cluster <cluster-name> --server=<server-url> --certificate-authority=<path-to-ca-cert>
```
Replace <cluster-name>, <server-url>, and <path-to-ca-cert> with your cluster’s details.
- Add a New User:
```
  kubectl config set-credentials <user-name> --client-certificate=<path-to-cert> --client-key=<path-to-key>
```
Replace <user-name>, <path-to-cert>, and <path-to-key> with your user details.
- Add or Modify a Context:
```
  kubectl config set-context <context-name> --cluster=<cluster-name> --user=<user-name> --namespace=<namespace>
```
Replace <context-name>, <cluster-name>, <user-name>, and <namespace> with the appropriate values.
- Delete a Context:
```
  kubectl config delete-context <context-name>
```
This command removes the specified context from your kubeconfig file.

3. Merging Kubeconfig Files

If you work with multiple Kubernetes clusters and have separate kubeconfig files for each, you can merge them into a single file:
- Merge Kubeconfig Files:
```
  KUBECONFIG=~/.kube/config:/path/to/another/kubeconfig kubectl config view --merge --flatten > ~/.kube/merged-config
  mv ~/.kube/merged-config ~/.kube/config
```
This command merges multiple kubeconfig files and outputs the result to ~/.kube/merged-config, which you can then move to replace your original kubeconfig.

Conclusion

The kubeconfig file is a critical component for interacting with Kubernetes clusters using kubectl. It is typically stored in a default location, but you can edit it directly using a text editor or manage it using kubectl config commands. Whether you need to add a new cluster, switch contexts, or merge multiple configuration files, these methods will help you keep your kubeconfig file organized and up-to-date.
August 29, 2024
Installing and Testing Sealed Secrets on a k8s Cluster Using Terraform
Introduction

In a Kubernetes environment, secrets are often used to store sensitive information like passwords, API keys, and certificates. However, these secrets are stored in plain text within the cluster, making them vulnerable to attacks. To secure this sensitive information, Sealed Secrets provides a way to encrypt secrets before they are stored in the cluster, ensuring they remain safe even if the cluster is compromised.

In this article, we’ll walk through creating a Terraform module that installs Sealed Secrets into an existing kubernetes cluster. We’ll also cover how to test the installation to ensure everything is functioning as expected.

Prerequisites

Before diving in, ensure you have the following:
- An existing k8s cluster.
- Terraform installed on your local machine.
- kubectl configured to interact with your k8s cluster.
- helm installed for managing Kubernetes packages.
Creating the Terraform Module

First, we need to create a Terraform module that will install Sealed Secrets using Helm. This module will be reusable, allowing you to deploy Sealed Secrets into any kubernetes cluster.

Directory Structure

Create a directory for your Terraform module with the following structure:
```
sealed-secrets/
│
├── main.tf
├── variables.tf
├── outputs.tf
├── README.md
```
main.tf

The main.tf file is where the core logic of the module resides. It includes a Helm release resource to install Sealed Secrets and a Kubernetes namespace resource to ensure the namespace exists before deployment.
```
resource "helm_release" "sealed_secrets" {
  name       = "sealed-secrets"
  repository = "https://bitnami-labs.github.io/sealed-secrets"
  chart      = "sealed-secrets"
  version    = var.sealed_secrets_version
  namespace  = var.sealed_secrets_namespace

  values = [
    templatefile("${path.module}/values.yaml.tpl", {
      install_crds = var.install_crds
    })
  ]

  depends_on = [kubernetes_namespace.sealed_secrets]
}

resource "kubernetes_namespace" "sealed_secrets" {
  metadata {
    name = var.sealed_secrets_namespace
  }
}

output "sealed_secrets_status" {
  value = helm_release.sealed_secrets.status
}
```
variables.tf

The variables.tf file defines all the variables that the module will use. This includes variables for Kubernetes cluster details and Helm chart configuration.
```
variable "sealed_secrets_version" {
  description = "The Sealed Secrets Helm chart version"
  type        = string
  default     = "2.7.2"  # Update to the latest version as needed
}

variable "sealed_secrets_namespace" {
  description = "The namespace where Sealed Secrets will be installed"
  type        = string
  default     = "sealed-secrets"
}

variable "install_crds" {
  description = "Whether to install the Sealed Secrets Custom Resource Definitions (CRDs)"
  type        = bool
  default     = true
}
```
outputs.tf

The outputs.tf file provides the status of the Helm release, which can be useful for debugging or for integration with other Terraform configurations.
```
output "sealed_secrets_status" {
  description = "The status of the Sealed Secrets Helm release"
  value       = helm_release.sealed_secrets.status
}
```
values.yaml.tpl

The values.yaml.tpl file is a template for customizing the Helm chart values. It allows you to dynamically set Helm values using the input variables defined in variables.tf.
```
installCRDs: ${install_crds}
```
Deploying Sealed Secrets with Terraform

Now that the module is created, you can use it in your Terraform configuration to install Sealed Secrets into your kubernetes cluster.
1. Initialize Terraform: In your main Terraform configuration directory, run:
```
   terraform init
```
1. Apply the Configuration: Apply the configuration to deploy Sealed Secrets:
```
   terraform apply
```
Terraform will prompt you to confirm the changes. Type yes to proceed.

After the deployment, Terraform will output the status of the Sealed Secrets Helm release, indicating whether it was successfully deployed.

Testing the Installation

To verify that Sealed Secrets is installed and functioning correctly, follow these steps:

1. Check the Sealed Secrets Controller Pod

Ensure that the Sealed Secrets controller pod is running in the sealed-secrets namespace.
```
kubectl get pods -n sealed-secrets
```
You should see a pod named something like sealed-secrets-controller-xxxx in the Running state.

2. Check the Custom Resource Definitions (CRDs)

If you enabled the installation of CRDs, check that they are correctly installed:
```
kubectl get crds | grep sealedsecrets
```
This command should return:
```
sealedsecrets.bitnami.com
```
3. Test Sealing and Unsealing a Secret

To ensure that Sealed Secrets is functioning as expected, create and seal a test secret, then unseal it.
1. Create a test Secret:
```
   kubectl create secret generic mysecret --from-literal=secretkey=mysecretvalue -n sealed-secrets
```
1. Encrypt the Secret using Sealed Secrets: Use the kubeseal CLI tool to encrypt the secret.
```
   kubectl get secret mysecret -n sealed-secrets -o yaml \
     | kubeseal \
     --controller-name=sealed-secrets-controller \
     --controller-namespace=sealed-secrets \
     --format=yaml > mysealedsecret.yaml
```
1. Delete the original Secret:
```
   kubectl delete secret mysecret -n sealed-secrets
```
1. Apply the Sealed Secret:
```
   kubectl apply -f mysealedsecret.yaml -n sealed-secrets
```
1. Verify that the Secret was unsealed:
```
   kubectl get secret mysecret -n sealed-secrets -o yaml
```
This command should display the unsealed secret, confirming that Sealed Secrets is working correctly.

Conclusion

In this article, we walked through the process of creating a Terraform module to install Sealed Secrets into a kubernetes cluster. We also covered how to test the installation to ensure that Sealed Secrets is properly configured and operational.

By using this Terraform module, you can easily and securely manage your Kubernetes secrets, ensuring that sensitive information is protected within your cluster.
August 28, 2024
How to Manage Kubernetes Clusters in Your Kubeconfig: Listing, Removing, and Cleaning Up
Kubernetes clusters are the backbone of containerized applications, providing the environment where containers are deployed and managed. As you work with multiple Kubernetes clusters, you’ll find that your kubeconfig file—the configuration file used by kubectl to manage clusters—can quickly become cluttered with entries for clusters that you no longer need or that have been deleted. In this article, we’ll explore how to list the clusters in your kubeconfig file, remove unnecessary clusters, and clean up your configuration to keep things organized.

Listing Your Kubernetes Clusters

To manage your clusters effectively, you first need to know which clusters are currently configured in your kubeconfig file. You can list all the clusters using the following command:
```
kubectl config get-clusters
```
This command will output a list of all the clusters defined in your kubeconfig file. The list might look something like this:
```
NAME
cluster-1
cluster-2
minikube
```
Each entry corresponds to a cluster that kubectl can interact with. However, if you notice a cluster listed that you no longer need or one that has been deleted, it’s time to clean up your configuration.

Removing a Cluster Entry from Kubeconfig

When a cluster is deleted, the corresponding entry in the kubeconfig file does not automatically disappear. This can lead to confusion and clutter, making it harder to manage your active clusters. Here’s how to manually remove a cluster entry from your kubeconfig file:
1. Identify the Cluster to Remove:
  Use kubectl config get-clusters to list the clusters and identify the one you want to remove.
2. Remove the Cluster Entry:
  To delete a specific cluster entry, use the following command:
```
   kubectl config unset clusters.<cluster-name>
```
Replace <cluster-name> with the name of the cluster you want to remove. This command removes the cluster entry from your kubeconfig file.
1. Verify the Deletion:
  After removing the cluster entry, you can run kubectl config get-clusters again to ensure that the cluster is no longer listed.
Cleaning Up Related Contexts

In Kubernetes, a context defines a combination of a cluster, a user, and a namespace. When you remove a cluster, you might also want to delete any related contexts to avoid further confusion.
1. List All Contexts:
```
   kubectl config get-contexts
```
1. Remove the Unnecessary Context:
  If there’s a context associated with the deleted cluster, you can remove it using:
```
   kubectl config delete-context <context-name>
```
Replace <context-name> with the name of the context to delete.
1. Verify the Cleanup:
  Finally, list the contexts again to confirm that the unwanted context has been removed:
```
   kubectl config get-contexts
```
Why Clean Up Your Kubeconfig?

Keeping your kubeconfig file tidy has several benefits:
- Reduced Confusion: It’s easier to manage and switch between clusters when only relevant ones are listed.
- Faster Operations: With fewer contexts and clusters, operations like switching contexts or applying configurations can be faster.
- Security: Removing old clusters reduces the risk of accidentally deploying to or accessing an obsolete or insecure environment.
Conclusion

Managing your Kubernetes kubeconfig file is an essential part of maintaining a clean and organized development environment. By regularly listing your clusters, removing those that are no longer needed, and cleaning up related contexts, you can ensure that your Kubernetes operations are efficient and error-free. Whether you’re working with a handful of clusters or managing a complex multi-cluster environment, these practices will help you stay on top of your Kubernetes configuration.
August 28, 2024
GKE Autopilot vs. Standard Mode
When deciding between GKE Autopilot and Standard Mode, it’s essential to understand which use cases are best suited for each mode. Below is a comparison of typical use cases where one mode might be more advantageous than the other:

1. Development and Testing Environments
- GKE Autopilot:
- Best Fit: Ideal for development and testing environments where the focus is on speed, simplicity, and minimizing operational overhead.
- Why? Autopilot handles all the infrastructure management, allowing developers to concentrate solely on writing and testing code. The automatic scaling and resource management features ensure that resources are used efficiently, making it a cost-effective option for non-production environments.
- GKE Standard Mode:
- Best Fit: Suitable when development and testing require a specific infrastructure configuration or when mimicking a production-like environment is crucial.
- Why? Standard Mode allows for precise control over the environment, enabling you to replicate production configurations for more accurate testing scenarios.
2. Production Workloads
- GKE Autopilot:
- Best Fit: Works well for production workloads that are relatively straightforward, where minimizing management effort and ensuring best practices are more critical than having full control.
- Why? Autopilot’s automated management ensures that production workloads are secure, scalable, and follow Google-recommended best practices. This is ideal for teams looking to focus on application delivery rather than infrastructure management.
- GKE Standard Mode:
- Best Fit: Optimal for complex production workloads that require customized infrastructure setups, specific performance tuning, or specialized security configurations.
- Why? Standard Mode provides the flexibility to configure the environment exactly as needed, making it ideal for high-traffic applications, applications with specific compliance requirements, or those that demand specialized hardware or networking configurations.
3. Microservices Architectures
- GKE Autopilot:
- Best Fit: Suitable for microservices architectures where the focus is on rapid deployment and scaling without the need for fine-grained control over the infrastructure.
- Why? Autopilot’s automated scaling and resource management work well with microservices, which often require dynamic scaling based on traffic and usage patterns.
- GKE Standard Mode:
- Best Fit: Preferred when microservices require custom node configurations, advanced networking, or integration with existing on-premises systems.
- Why? Standard Mode allows you to tailor the Kubernetes environment to meet specific microservices architecture requirements, such as using specific machine types for different services or implementing custom networking solutions.
4. CI/CD Pipelines
- GKE Autopilot:
- Best Fit: Ideal for CI/CD pipelines that need to run on a managed environment where setup and maintenance are minimal.
- Why? Autopilot simplifies the management of Kubernetes clusters, making it easy to integrate with CI/CD tools for automated builds, tests, and deployments. The pay-per-pod model can also reduce costs for CI/CD jobs that are bursty in nature.
- GKE Standard Mode:
- Best Fit: Suitable when CI/CD pipelines require specific configurations, such as dedicated nodes for build agents or custom security policies.
- Why? Standard Mode provides the flexibility to create custom environments that align with the specific needs of your CI/CD processes, ensuring that build and deployment processes are optimized.
Billing in GKE Autopilot vs. Standard Mode

Billing is one of the most critical differences between GKE Autopilot and Standard Mode. Here’s how it works for each:

GKE Autopilot Billing
- Pod-Based Billing: Autopilot charges are based on the resources requested by the pods you deploy. This includes CPU, memory, and ephemeral storage requests. You pay only for the resources that your workloads actually consume, rather than for the underlying nodes.
- No Node Management Costs: Since Google manages the nodes in Autopilot, you don’t pay for individual VM instances. This eliminates costs related to over-provisioning, as you don’t have to reserve more capacity than necessary.
- Additional Costs:
- Networking: You still pay for network egress and load balancers as per Google Cloud’s networking pricing.
- Persistent Storage: Persistent Disk usage is billed separately, based on the amount of storage used.
- Cost Efficiency: Autopilot can be more cost-effective for workloads that scale up and down frequently, as you’re charged based on the actual pod usage rather than the capacity of the underlying infrastructure.
GKE Standard Mode Billing
- Node-Based Billing: In Standard Mode, you pay for the nodes you provision, regardless of whether they are fully utilized. This includes the cost of the VM instances (compute resources) that run your Kubernetes workloads.
- Customization Costs: While Standard Mode offers the ability to use specific machine types, enable advanced networking features, and configure custom node pools, these customizations can lead to higher costs, especially if the resources are not fully utilized.
- Additional Costs:
- Networking: Similar to Autopilot, network egress, and load balancers are billed separately.
- Persistent Storage: Persistent Disk usage is also billed separately, based on the amount of storage used.
- Cluster Management Fee: GKE Standard Mode incurs a cluster management fee, which is a flat fee per cluster.
- Potential for Higher Costs: While Standard Mode gives you complete control over the infrastructure, it can lead to higher costs if not managed carefully, especially if the cluster is over-provisioned or underutilized.
When comparing uptime between GKE Autopilot and GKE Standard Mode, both modes offer high levels of reliability and uptime, but the difference largely comes down to how each mode is managed and the responsibilities for ensuring that uptime.

Uptime in GKE Autopilot
- Managed by Google: GKE Autopilot is designed to minimize downtime by offloading infrastructure management to Google. Google handles node provisioning, scaling, upgrades, and maintenance automatically. This means that critical tasks like node updates, patching, and failure recovery are managed by Google, which generally reduces the risk of human error or misconfiguration leading to downtime.
- Automatic Scaling and Repair: Autopilot automatically adjusts resources in response to workloads, and it includes built-in capabilities for auto-repairing nodes. If a node fails, the system automatically replaces it without user intervention, contributing to better uptime.
- Best Practices Enforcement: Google enforces Kubernetes best practices by default, reducing the likelihood of issues caused by misconfigurations or suboptimal setups. This includes security settings, resource limits, and network policies that can indirectly contribute to higher availability.
- Service Level Agreement (SLA): Google offers a 99.95% availability SLA for GKE Autopilot. This SLA covers the entire control plane and the managed workloads, ensuring that Google’s infrastructure will meet this uptime threshold.
Uptime in GKE Standard Mode
- User Responsibility: In Standard Mode, the responsibility for managing infrastructure lies largely with the user. This includes managing node pools, handling upgrades, patching, and configuring high availability setups. While this allows for greater control, it also introduces potential risks if best practices are not followed or if the infrastructure is not properly managed.
- Custom Configurations: Users can configure highly available clusters by spreading nodes across multiple zones or regions and using advanced networking features. While this can lead to excellent uptime, it requires careful planning and management.
- Manual Intervention: Standard Mode allows users to manually intervene in case of issues, which can be both an advantage and a disadvantage. On one hand, users can quickly address specific problems, but on the other hand, it introduces the potential for human error.
- Service Level Agreement (SLA): GKE Standard Mode also offers a 99.95% availability SLA for the control plane. However, the uptime of the workloads themselves depends heavily on how well the cluster is managed and configured by the user.
Which Mode Has Better Uptime?
- Reliability and Predictability: GKE Autopilot is generally more reliable and predictable in terms of uptime because it automates many of the tasks that could otherwise lead to downtime. Google’s management of the infrastructure ensures that best practices are consistently applied, and the automation reduces the risk of human error.
- Customizability and Potential for High Availability: GKE Standard Mode can achieve equally high uptime, but this is contingent on how well the cluster is configured and managed. Organizations with the expertise to design and manage highly available clusters may achieve better uptime in specific scenarios, especially when using custom setups like multi-zone clusters. However, this requires more effort and expertise.
Conclusion

In summary, GKE Autopilot is likely to offer more consistent and reliable uptime out of the box due to its fully managed nature and Google’s enforcement of best practices. GKE Standard Mode can match or even exceed this uptime, but it depends heavily on the user’s ability to manage and configure the infrastructure effectively.

If uptime is a critical concern and you prefer a hands-off approach with guaranteed best practices, GKE Autopilot is the safer choice. If you have the expertise to manage complex setups and need full control over the infrastructure, GKE Standard Mode can provide excellent uptime, but with a greater burden on your operational teams.

Choosing between GKE Autopilot and Standard Mode involves understanding your use cases and how you want to manage your Kubernetes infrastructure. Autopilot is excellent for teams looking for a hands-off approach with optimized costs and enforced best practices. In contrast, Standard Mode is ideal for those who need full control and customization, even if it means taking on more operational responsibilities and potentially higher costs.

When deciding between the two, consider factors like the complexity of your workloads, your team’s expertise, and your cost management strategies. By aligning these considerations with the capabilities of each mode, you can make the best choice for your Kubernetes deployment on Google Cloud.
August 27, 2024
GKE Autopilot vs. Standard Mode: Understanding the Differences
Google Kubernetes Engine (GKE) offers two primary modes for running Kubernetes clusters: Autopilot and Standard. Each mode provides different levels of control, automation, and flexibility, catering to different use cases and operational requirements. In this article, we’ll explore the key differences between GKE Autopilot and Standard Mode to help you decide which one best suits your needs.

Overview of GKE Autopilot and Standard Mode

GKE Standard Mode is the traditional way of running Kubernetes clusters on Google Cloud. It gives users complete control over the underlying infrastructure, including node configuration, resource allocation, and management of Kubernetes objects. This mode is ideal for organizations that require full control over their clusters and have the expertise to manage Kubernetes at scale.

GKE Autopilot is a fully managed, hands-off mode of running Kubernetes clusters. Introduced by Google in early 2021, Autopilot abstracts away the underlying infrastructure management, allowing developers to focus purely on deploying and managing their applications. In this mode, Google Cloud takes care of node provisioning, scaling, and other operational aspects, while ensuring that best practices are followed.

Key Differences

1. Infrastructure Management
- GKE Standard Mode: In Standard Mode, users are responsible for managing the cluster’s infrastructure. This includes choosing the machine types, configuring nodes, managing upgrades, and handling any issues related to the underlying infrastructure.
- GKE Autopilot: In Autopilot, Google Cloud automatically manages the infrastructure. Nodes are provisioned, configured, and scaled without user intervention. This allows developers to focus solely on their applications, as Google handles the operational complexities.
2. Control and Flexibility
- GKE Standard Mode: Offers complete control over the cluster, including the ability to customize nodes, deploy specific machine types, and configure the networking and security settings. This mode is ideal for organizations with specific infrastructure requirements or those that need to run specialized workloads.
- GKE Autopilot: Prioritizes simplicity and ease of use over control. While this mode automates most operational tasks, it also limits the ability to customize certain aspects of the cluster, such as node configurations and network settings. This trade-off makes Autopilot a great choice for teams looking to minimize operational overhead.
3. Cost Structure
- GKE Standard Mode: Costs are based on the resources used, including the compute resources for nodes, storage, and network usage. Users pay for the nodes they provision, regardless of whether they are fully utilized or not.
- GKE Autopilot: In Autopilot, pricing is based on the pod resources you request and use, rather than the underlying nodes. This can lead to cost savings for workloads that scale up and down frequently, as you only pay for the resources your applications consume.
4. Security and Best Practices
- GKE Standard Mode: Users must manually configure security settings and ensure best practices are followed. This includes setting up proper role-based access control (RBAC), network policies, and ensuring nodes are properly secured.
- GKE Autopilot: Google Cloud enforces best practices by default in Autopilot mode. This includes secure defaults for RBAC, automatic node upgrades, and built-in support for network policies. Autopilot also automatically configures resource quotas and limits, ensuring that your cluster remains secure and optimized.
5. Scaling and Performance
- GKE Standard Mode: Users have control over the scaling of nodes and can configure horizontal and vertical scaling based on their needs. This flexibility allows for fine-tuned performance optimizations but requires more hands-on management.
- GKE Autopilot: Autopilot handles scaling automatically, adjusting the number of nodes and their configuration based on the workload’s requirements. This automated scaling is designed to ensure optimal performance with minimal user intervention, making it ideal for dynamic workloads.
When to Choose GKE Standard Mode

GKE Standard Mode is well-suited for organizations that require full control over their Kubernetes clusters and have the expertise to manage them. It’s a good fit for scenarios where:
- Custom Infrastructure Requirements: You need specific machine types, custom networking setups, or other specialized configurations.
- High Control Needs: You require granular control over node management, upgrades, and security settings.
- Complex Workloads: You are running complex or specialized workloads that require tailored configurations or optimizations.
When to Choose GKE Autopilot

GKE Autopilot is ideal for teams looking to minimize operational overhead and focus on application development. It’s a great choice for scenarios where:
- Simplicity is Key: You want a hands-off, fully managed Kubernetes experience.
- Cost Efficiency: You want to optimize costs by paying only for the resources your applications consume.
- Security Best Practices: You prefer Google Cloud to enforce best practices automatically, ensuring your cluster is secure by default.
Conclusion

Choosing between GKE Autopilot and Standard Mode depends on your organization’s needs and the level of control you require over your Kubernetes environment. Autopilot simplifies the operational aspects of running Kubernetes, making it a great choice for teams that prioritize ease of use and cost efficiency. On the other hand, Standard Mode offers full control and customization, making it ideal for organizations with specific infrastructure requirements and the expertise to manage them.

Both modes offer powerful features, so the choice ultimately comes down to your specific use case and operational preferences.
August 27, 2024
Using Sealed Secrets with ArgoCD and Helm Charts
When managing Kubernetes applications with ArgoCD and Helm, securing sensitive data such as passwords, API keys, and other secrets is crucial. Bitnami Sealed Secrets provides a powerful way to encrypt secrets that can be safely stored in Git and used within your ArgoCD and Helm workflows.

This guide will cover how to integrate Sealed Secrets with ArgoCD and Helm to securely manage secrets in your values.yaml files for Helm charts.

Overview

ArgoCD allows you to deploy and manage applications in Kubernetes using GitOps principles, where the desired state of your applications is stored in Git repositories. Helm, on the other hand, is a package manager for Kubernetes that simplifies application deployment through reusable templates (Helm charts).

Bitnami Sealed Secrets provides a way to encrypt your Kubernetes secrets using a public key, which can only be decrypted by the Sealed Secrets controller running in your Kubernetes cluster. This allows you to safely store and version-control encrypted secrets.

1. Prerequisites

Before you begin, ensure you have the following set up:
1. Kubernetes Cluster: A running Kubernetes cluster.
2. ArgoCD: Installed and configured in your Kubernetes cluster.
3. Helm: Installed on your local machine.
4. Sealed Secrets: The Sealed Secrets controller installed in your Kubernetes cluster.
5. kubeseal: The Sealed Secrets CLI tool installed on your local machine.
2. Setting Up Sealed Secrets

If you haven’t already installed the Sealed Secrets controller, follow these steps:

Install the Sealed Secrets Controller

Using Helm:
```
helm repo add bitnami https://charts.bitnami.com/bitnami
helm install sealed-secrets-controller bitnami/sealed-secrets
```
Or using kubectl:
```
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.20.2/controller.yaml
```
3. Encrypting Helm Values Using Sealed Secrets

In this section, we’ll demonstrate how to encrypt sensitive values in a Helm values.yaml file using Sealed Secrets, ensuring they are securely managed and version-controlled.

Step 1: Identify Sensitive Data in values.yaml

Suppose you have a Helm chart with a values.yaml file that contains sensitive information:
```
# values.yaml
database:
  username: admin
  password: my-secret-password  # Sensitive data
  host: db.example.com
```
Step 2: Create a Kubernetes Secret Manifest

First, create a Kubernetes Secret manifest for the sensitive data:
```
# my-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-database-secret
  namespace: default
type: Opaque
data:
  password: bXktc2VjcmV0LXBhc3N3b3Jk  # base64 encoded 'my-secret-password'
```
Step 3: Encrypt the Secret Using kubeseal

Use the kubeseal CLI to encrypt the secret using the public key from the Sealed Secrets controller:
```
kubeseal --format yaml < my-secret.yaml > my-sealedsecret.yaml
```
This command generates a SealedSecret resource that is safe to store in your Git repository:
```
# my-sealedsecret.yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: my-database-secret
  namespace: default
spec:
  encryptedData:
    password: AgA7SyR4l5URRXg...  # Encrypted data
```
Step 4: Modify the Helm Chart to Use the SealedSecret

In your Helm chart, modify the values.yaml file to reference the Kubernetes Secret instead of directly embedding sensitive values:
```
# values.yaml
database:
  username: admin
  secretName: my-database-secret
  host: db.example.com
```
In the deployment.yaml template of your Helm chart, reference the secret:
```
# templates/deployment.yaml
env:
  - name: DB_USERNAME
    value: {{ .Values.database.username }}
  - name: DB_PASSWORD
    valueFrom:
      secretKeyRef:
        name: {{ .Values.database.secretName }}
        key: password
```
This approach keeps the sensitive data out of the values.yaml file, instead storing it securely in a SealedSecret.

Step 5: Apply the SealedSecret to Your Kubernetes Cluster

Apply the SealedSecret to your cluster:
```
kubectl apply -f my-sealedsecret.yaml
```
The Sealed Secrets controller will decrypt the SealedSecret and create the corresponding Kubernetes Secret.

4. Deploying the Helm Chart with ArgoCD

Step 1: Create an ArgoCD Application

You can create an ArgoCD application either via the ArgoCD UI or using the argocd CLI. Here’s how to do it with the CLI:
```
argocd app create my-app \
  --repo https://github.com/your-org/your-repo.git \
  --path helm/my-app \
  --dest-server https://kubernetes.default.svc \
  --dest-namespace default
```
In this command:
- --repo: The URL of the Git repository where your Helm chart is stored.
- --path: The path to the Helm chart within the repository.
- --dest-server: The Kubernetes API server.
- --dest-namespace: The namespace where the application will be deployed.
Step 2: Sync the Application

Once the ArgoCD application is created, ArgoCD will monitor the Git repository for changes and automatically synchronize the Kubernetes cluster with the desired state.
- Auto-Sync: If auto-sync is enabled, ArgoCD will automatically deploy the application whenever changes are detected in the Git repository.
- Manual Sync: You can manually trigger a sync using the ArgoCD UI or CLI:
```
  argocd app sync my-app
```
5. Example: Encrypting and Using Multiple Secrets

In more complex scenarios, you might have multiple sensitive values to encrypt. Here’s how you can manage multiple secrets:

Step 1: Create Multiple Kubernetes Secrets
```
# db-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-secret
  namespace: default
type: Opaque
data:
  username: YWRtaW4= # base64 encoded 'admin'
  password: c2VjcmV0cGFzcw== # base64 encoded 'secretpass'

# api-key-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: api-key-secret
  namespace: default
type: Opaque
data:
  apiKey: c2VjcmV0YXBpa2V5 # base64 encoded 'secretapikey'
```
Step 2: Encrypt the Secrets Using kubeseal

Encrypt each secret using kubeseal:
```
kubeseal --format yaml < db-secret.yaml > db-sealedsecret.yaml
kubeseal --format yaml < api-key-secret.yaml > api-key-sealedsecret.yaml
```
Step 3: Apply the SealedSecrets

Apply the SealedSecrets to your Kubernetes cluster:
```
kubectl apply -f db-sealedsecret.yaml
kubectl apply -f api-key-sealedsecret.yaml
```
Step 4: Reference Secrets in Helm Values

Modify your Helm values.yaml file to reference these secrets:
```
# values.yaml
database:
  secretName: db-secret
api:
  secretName: api-key-secret
```
In your Helm chart templates, use the secrets:
```
# templates/deployment.yaml
env:
  - name: DB_USERNAME
    valueFrom:
      secretKeyRef:
        name: {{ .Values.database.secretName }}
        key: username
  - name: DB_PASSWORD
    valueFrom:
      secretKeyRef:
        name: {{ .Values.database.secretName }}
        key: password
  - name: API_KEY
    valueFrom:
      secretKeyRef:
        name: {{ .Values.api.secretName }}
        key: apiKey
```
6. Best Practices
- Environment-Specific Secrets: Use different SealedSecrets for different environments (e.g., staging, production). Encrypt and store these separately.
- Backup and Rotation: Regularly back up the SealedSecrets and rotate the keys used by the Sealed Secrets controller.
- Audit and Monitor: Enable logging and monitoring in your Kubernetes cluster to track the use of SealedSecrets.
When creating a Kubernetes Secret, the data must be base64 encoded before you can encrypt it with Sealed Secrets. This is because Kubernetes Secrets expect the values to be base64 encoded, and Sealed Secrets operates on the same principle since it wraps around Kubernetes Secrets.

Why Base64 Encoding?

Kubernetes Secrets require data to be stored as base64-encoded strings. This encoding is necessary because it allows binary data (like certificates, keys, or complex strings) to be stored as plain text in YAML files.

Steps for Using Sealed Secrets with Base64 Encoding

Here’s how you typically work with base64 encoding in the context of Sealed Secrets:

1. Base64 Encode Your Secret Data

Before creating a Kubernetes Secret, you need to base64 encode your sensitive data. For example, if your secret is a password like my-password, you would encode it:
```
echo -n 'my-password' | base64
```
This command outputs the base64-encoded version of my-password:
```
bXktcGFzc3dvcmQ=
```
2. Create the Kubernetes Secret Manifest

Create a Kubernetes Secret YAML file with the base64-encoded value:
```
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: default
type: Opaque
data:
  password: bXktcGFzc3dvcmQ=  # base64 encoded 'my-password'
```
3. Encrypt the Secret Using kubeseal

Once the Kubernetes Secret manifest is ready, encrypt it using the kubeseal command:
```
kubeseal --format yaml < my-secret.yaml > my-sealedsecret.yaml
```
This command creates a SealedSecret, which can safely be committed to version control.

4. Apply the SealedSecret

Finally, apply the SealedSecret to your Kubernetes cluster:
```
kubectl apply -f my-sealedsecret.yaml
```
The Sealed Secrets controller in your cluster will decrypt the SealedSecret and create the corresponding Kubernetes Secret with the base64-encoded data.

Summary
- Base64 Encoding: You must base64 encode your secret data before creating a Kubernetes Secret manifest because Kubernetes expects the data to be in this format.
- Encrypting with Sealed Secrets: After creating the Kubernetes Secret manifest with base64-encoded data, use Sealed Secrets to encrypt the entire manifest.
- Applying SealedSecrets: The Sealed Secrets controller will decrypt the SealedSecret and create the Kubernetes Secret with the correctly encoded data.
Conclusion

By combining ArgoCD, Helm, and Sealed Secrets, you can securely manage and deploy Kubernetes applications in a GitOps workflow. Sealed Secrets ensure that sensitive data remains encrypted and safe, even when stored in a version control system, while Helm provides the flexibility to manage complex applications. Following the steps outlined in this guide, you can confidently manage secrets in your Kubernetes deployments, ensuring both security and efficiency.
August 26, 2024
Bitnami Sealed Secrets
Bitnami Sealed Secrets is a Kubernetes operator that allows you to encrypt your Kubernetes secrets and store them safely in a version control system, such as Git. Sealed Secrets uses a combination of public and private key cryptography to ensure that your secrets can only be decrypted by the Sealed Secrets controller running in your Kubernetes cluster.

This guide will provide an overview of Bitnami Sealed Secrets, how it works, and walk through three detailed examples to help you get started.

Overview of Bitnami Sealed Secrets

Sealed Secrets is a tool designed to solve the problem of managing secrets securely in Kubernetes. Unlike Kubernetes Secrets, which are base64 encoded but not encrypted, Sealed Secrets encrypt the data using a public key. The encrypted secrets can be safely stored in a Git repository. Only the Sealed Secrets controller, which holds the private key, can decrypt these secrets and apply them to your Kubernetes cluster.

Key Concepts
- SealedSecret CRD: A custom resource definition (CRD) that represents an encrypted secret. This resource is safe to commit to version control.
- Sealed Secrets Controller: A Kubernetes controller that runs in your cluster and is responsible for decrypting SealedSecrets and creating the corresponding Kubernetes Secrets.
- Public/Private Key Pair: The Sealed Secrets controller generates a public/private key pair. The public key is used to encrypt secrets, while the private key, held by the controller, is used to decrypt them.
Installation

To use Sealed Secrets, you need to install the Sealed Secrets controller in your Kubernetes cluster and set up the kubeseal CLI tool.

Step 1: Install Sealed Secrets Controller

Install the Sealed Secrets controller in your Kubernetes cluster using Helm:
```
helm repo add bitnami https://charts.bitnami.com/bitnami
helm install sealed-secrets-controller bitnami/sealed-secrets
```
Alternatively, you can install it using kubectl:
```
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.20.2/controller.yaml
```
Step 2: Install kubeseal CLI

The kubeseal CLI tool is used to encrypt your Kubernetes secrets using the public key from the Sealed Secrets controller.
- macOS:
```
  brew install kubeseal
```
- Linux:
```
  wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.20.2/kubeseal-linux-amd64 -O kubeseal
  chmod +x kubeseal
  sudo mv kubeseal /usr/local/bin/
```
- Windows:
  Download the kubeseal.exe binary from the releases page.
How Sealed Secrets Work
1. Create a Kubernetes Secret: Define your secret using a Kubernetes Secret manifest.
2. Encrypt the Secret with kubeseal: Use the kubeseal CLI to encrypt the secret using the Sealed Secrets public key.
3. Apply the SealedSecret: The encrypted secret is stored as a SealedSecret resource in your cluster.
4. Decryption and Creation of Kubernetes Secret: The Sealed Secrets controller decrypts the SealedSecret and creates the corresponding Kubernetes Secret.
Example 1: Basic Sealed Secret

Step 1: Create a Kubernetes Secret

Start by creating a Kubernetes Secret manifest. For example, let’s create a secret that contains a database password.
```
apiVersion: v1
kind: Secret
metadata:
  name: my-db-secret
  namespace: default
type: Opaque
data:
  password: cGFzc3dvcmQ= # base64 encoded 'password'
```
Step 2: Encrypt the Secret Using kubeseal

Use the kubeseal command to encrypt the secret:
```
kubectl create secret generic my-db-secret --dry-run=client --from-literal=password=password -o yaml > my-db-secret.yaml

kubeseal --format yaml < my-db-secret.yaml > my-db-sealedsecret.yaml
```
This command will create a SealedSecret manifest file (my-db-sealedsecret.yaml), which is safe to store in a Git repository.

Step 3: Apply the SealedSecret

Apply the SealedSecret manifest to your Kubernetes cluster:
```
kubectl apply -f my-db-sealedsecret.yaml
```
The Sealed Secrets controller will decrypt the sealed secret and create a Kubernetes Secret in the cluster.

Example 2: Environment-Specific Sealed Secrets

Step 1: Create Environment-Specific Secrets

Create separate Kubernetes Secrets for different environments (e.g., development, staging, production).

For the staging environment:
```
apiVersion: v1
kind: Secret
metadata:
  name: my-db-secret
  namespace: staging
type: Opaque
data:
  password: c3RhZ2luZy1wYXNzd29yZA== # base64 encoded 'staging-password'
```
For the production environment:
```
apiVersion: v1
kind: Secret
metadata:
  name: my-db-secret
  namespace: production
type: Opaque
data:
  password: cHJvZHVjdGlvbi1wYXNzd29yZA== # base64 encoded 'production-password'
```
Step 2: Encrypt Each Secret

Encrypt each secret using kubeseal:

For staging:
```
kubeseal --format yaml < my-db-secret-staging.yaml > my-db-sealedsecret-staging.yaml
```
For production:
```
kubeseal --format yaml < my-db-secret-production.yaml > my-db-sealedsecret-production.yaml
```
Step 3: Apply the SealedSecrets

Apply the SealedSecrets to the respective namespaces:
```
kubectl apply -f my-db-sealedsecret-staging.yaml
kubectl apply -f my-db-sealedsecret-production.yaml
```
The Sealed Secrets controller will create the Kubernetes Secrets in the appropriate environments.

Example 3: Using SOPS and Sealed Secrets Together

SOPS (Secret Operations) is a tool used to encrypt files (including Kubernetes secrets) before committing them to a repository. You can use SOPS in conjunction with Sealed Secrets to add another layer of encryption.

Step 1: Create a Secret and Encrypt with SOPS

First, create a Kubernetes Secret and encrypt it with SOPS:
```
apiVersion: v1
kind: Secret
metadata:
  name: my-sops-secret
  namespace: default
type: Opaque
data:
  password: cGFzc3dvcmQ= # base64 encoded 'password'
```
Encrypt this file using SOPS:
```
sops --encrypt --kms arn:aws:kms:your-region:your-account-id:key/your-kms-key-id my-sops-secret.yaml > my-sops-secret.enc.yaml
```
Step 2: Decrypt and Seal with kubeseal

Before applying the secret to Kubernetes, decrypt it with SOPS and then seal it with kubeseal:
```
sops --decrypt my-sops-secret.enc.yaml | kubeseal --format yaml > my-sops-sealedsecret.yaml
```
Step 3: Apply the SealedSecret

Apply the SealedSecret to your Kubernetes cluster:
```
kubectl apply -f my-sops-sealedsecret.yaml
```
This approach adds an extra layer of security by encrypting the secret file with SOPS before sealing it with Sealed Secrets.

Best Practices for Using Sealed Secrets
1. Key Rotation: Regularly rotate the Sealed Secrets controller’s keys to minimize the risk of key compromise. This can be done by re-installing the Sealed Secrets controller, which generates a new key pair.
2. Environment-Specific Secrets: Use different secrets for different environments to avoid leaking sensitive data from one environment to another. Encrypt these secrets separately for each environment.
3. Audit and Monitoring: Implement logging and monitoring to track the creation, modification, and access to secrets. This helps in detecting unauthorized access or misuse.
4. Backups: Regularly back up your SealedSecrets and the Sealed Secrets controller’s private key. This ensures that you can recover your secrets in case of a disaster.
5. Automated Workflows: Integrate Sealed Secrets into your CI/CD pipelines to automate the encryption, decryption, and deployment of secrets as part of your workflow.
6. Secure the Sealed Secrets Controller: Ensure that the Sealed Secrets controller is running in a secure environment with limited access, as it holds the private key necessary for decrypting secrets.
Conclusion

Bitnami Sealed Secrets is an essential tool for securely managing secrets in Kubernetes, especially in GitOps workflows where secrets are stored in version control systems. By following the detailed examples and best practices provided in this guide, you can securely manage secrets across different environments, integrate Sealed Secrets with other tools like SOPS, and ensure that your Kubernetes applications are both secure and scalable.
August 26, 2024