A Seamless GitOps Experience: Integrating Sealed Secrets with Bitnami Charts
Authored by Alvaro Neira, Senior member of technical staff at VMware
If you are a software developer like me, you might have wondered in the past: What’s the best method to deploy a Bitnami chart with a specific password written in the values.yaml file? What is the best way to use Bitnami charts with solutions like ArgoCD?
In a previous article, we explained how to use Sealed Secrets with existing Secrets. That approach is perfectly valid if you are deploying Sealed Secrets in your cluster. However, it can be tedious and more complex, because the chart can only be deployed after you have applied the Sealed Secrets. Fortunately, all Bitnami charts include a parameter called extraDeploy in their values.yaml file that lets you define additional resources, which streamlines deploying Helm charts together with Sealed Secrets. With this feature you deploy the chart and its Sealed Secrets in one go. Using this parameter in the values.yaml file ensures that all necessary components are included in the chart, improving security and control of application deployments.
Sealed Secrets basic flow
In this blog post, you will learn how to apply Sealed Secrets using the extraDeploy parameter. We use the Bitnami package for PostgreSQL from VMware Tanzu Application Catalog as an example, but you can pick another solution from the Tanzu Application Catalog or Bitnami Application Catalog and encrypt its secrets using Sealed Secrets this way.
What do you need to get going: assumptions and prerequisites
The following prerequisites must be met before you can deploy Sealed Secrets on Kubernetes through Tanzu Application Catalog:
- Sealed Secrets and PostgreSQL (which can be accessed in Tanzu Application Catalog)
- Kubeseal (must be installed on your computer)
How to deploy a Sealed Secrets controller using Tanzu Application Catalog
- Navigate to app-catalog.vmware.com and sign in to your catalog with your VMware account.
- In the My Applications section, search for the Sealed Secrets Helm chart. Click Details.
On the next screen, you will find the instructions for deploying the chart on your cluster.
- Make sure that your cluster is up and running by executing the command kubectl cluster-info in a terminal window. The output message should be something similar to this:

  Kubernetes control plane is running at https://192.168.49.2:8443
  CoreDNS is running at https://192.168.49.2:8443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

  To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
- Next, run the commands shown in the Consume your Helm Chart section.
Et voilà, you now have your Sealed Secrets controller ready to work.
Encrypt your secrets with Sealed Secrets
1. Run the following command to use kubeseal to create a Sealed Secret with encrypted credentials for the PostgreSQL deployment:
$ kubectl create secret generic my-secret --from-literal postgres-password=mypassword --from-literal password=mypassword -o yaml --dry-run=client | kubeseal -o yaml > sealed_secret.yaml
Your Sealed Secret is then generated and stored in a new YAML file. This Sealed Secret can only be decrypted by your controller, so no human intervention is required to decrypt your secrets. The decryption keys are accessible only to the cluster administrators and no one else. As a result, you have the flexibility to apply it, either manually or automatically, in whichever namespace you want to use your secret.
2. Once you have generated the Sealed Secret, the next step is to add it to the PostgreSQL values.yaml file using the extraDeploy parameter. This option allows users to add YAML-formatted resources to be deployed alongside your chart.
Sealed Secrets deployed using the extraDeploy feature
Edit the PostgreSQL values.yaml file as shown below.
auth:
  existingSecret: my-secret
extraDeploy:
  - |
    apiVersion: bitnami.com/v1alpha1
    kind: SealedSecret
    metadata:
      creationTimestamp: null
      name: my-secret
      namespace: default
    spec:
      encryptedData:
        password: <ENCRYPTED_VALUE_FROM_KUBESEAL>
        postgres-password: <ENCRYPTED_VALUE_FROM_KUBESEAL>
      template:
        metadata:
          creationTimestamp: null
          name: my-secret
          namespace: default
Note: The example above uses the Sealed Secret generated by my local controller. Do not copy it, because your controller will not be able to decrypt it. Make sure to replace the Sealed Secret with the one you generated in the previous section.
3. Run the following command to deploy the PostgreSQL chart. The Sealed Secret will simultaneously be deployed in the cluster.
$ helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/postgresql -f values.yaml
Note: You need to substitute the placeholders REGISTRY_NAME and REPOSITORY_NAME with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use REGISTRY_NAME=registry-1.docker.io and REPOSITORY_NAME=bitnamicharts.
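The two steps above (sealing the credentials, then embedding the result in values.yaml under extraDeploy) can be scripted so that the plaintext Secret never touches disk or git. The following is an added example, not code from the original post or from the Bitnami charts; it uses a constructed stand-in for kubeseal output so it runs offline, and the seal_postgres_credentials function (which needs kubectl, kubeseal and a reachable controller) is only defined, not executed.

```shell
# Added example: generate a PostgreSQL values.yaml that carries the
# SealedSecret in extraDeploy, starting from the sealed_secret.yaml kubeseal wrote.
set -eu

# Same pipeline as in the post (explicit --dry-run=client form). The plaintext
# Secret stays in the pipe; only the sealed form is written to disk.
seal_postgres_credentials() {
  kubectl create secret generic my-secret -n default \
    --from-literal postgres-password="$1" --from-literal password="$1" \
    -o yaml --dry-run=client | kubeseal -o yaml > sealed_secret.yaml
}

# Constructed stand-in for kubeseal output; encryptedData values are placeholders, not ciphertext.
write_sample_sealed_secret() {
  cat > "$1" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: my-secret
  namespace: default
spec:
  encryptedData:
    password: AgB-PLACEHOLDER-CIPHERTEXT
    postgres-password: AgB-PLACEHOLDER-CIPHERTEXT
  template:
    metadata:
      name: my-secret
      namespace: default
EOF
}

# Secret name the controller will create: first "  name:" under top-level metadata.
sealed_secret_name() {
  awk '/^metadata:/{m=1;next} m && /^  name:/{print $2; exit}' "$1"
}

# Refuse anything that is not a SealedSecret (a plain Secret here would commit base64
# credentials to git), then write values.yaml: auth.existingSecret points at the name and
# the manifest goes under extraDeploy as a literal block. The sealed data is bound to
# this name and namespace, so re-seal if either changes.
build_values() {
  grep -q '^kind: SealedSecret$' "$1" || { echo "$1 is not a SealedSecret" >&2; return 1; }
  name=$(sealed_secret_name "$1")
  [ -n "$name" ] || { echo "no metadata.name in $1" >&2; return 1; }
  {
    echo "auth:"
    echo "  existingSecret: $name"
    echo "extraDeploy:"
    echo "  - |"
    sed 's/^/    /' "$1"
  } > "$2"
}
```

Run build_values sealed_secret.yaml values.yaml and pass the result to helm install as in step 3; the same values.yaml can be committed and consumed by ArgoCD because it contains only the sealed form.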
Congratulations! You have made your deployment safe and secure from unauthorized usage in just a few clicks.
Use Sealed Secrets with commercial support
The Tanzu Application Catalog subscription now includes VMware enterprise-backed support for Sealed Secrets, meaning that customers of VMware Application Catalog are entitled to receive technical support from VMware for any issue regarding the usage of Sealed Secrets. Read the official announcement to learn more. Note that this is currently the only way to obtain technical support for Sealed Secrets.
Follow the steps below to file support requests for Sealed Secrets:
- Navigate to the VMware Cloud Services Console and click Create a Support Request. This will redirect you to the VMware Customer Connect portal. Click Get Support and, in the resulting screen, select the type of support you need: Technical or Non-Technical support.
- Under the Technical Support option, click Request support. Under Account, the organization linked to your Tanzu Application Catalog subscription will be pre-selected. Click Next if that is the right information to use.
- In the Details section, write a subject and description of your issue. Then, in the Associated Cloud Service(s) section, click Add Service.
- A pop-up window will appear. Select VMware Tanzu Application Catalog Subscription.
- Upload any attachments that will help our team to better understand your issue, then select the Severity of the issue.
- Click Next. In the Watchlist section, add the email addresses of any other users in your organization who should be notified about updates to this support request. To finish the process, specify the best time to contact you and click Submit to file your support request.
Harnessing the power of Sealed Secrets
Bitnami Helm charts and Sealed Secrets were designed to streamline the work of DevOps professionals. As you’ve seen in this article, you can use them to significantly improve operational efficiency and ensure the inclusion of essential components in all your deployments. Furthermore, the use of embedded Sealed Secrets also simplifies manifest management for automated deployment tools like ArgoCD.
Sealed Secrets is a versatile tool with lots of little-known features and many ways to configure them. In this post, we used the default configuration, but our users frequently discover innovative ways to deploy Sealed Secrets. To explore further capabilities, please visit our GitHub page.
If you are interested in learning more about Tanzu Application Catalog in general, check out the product webpage, Tech Zone page, technical documentation, and additional resources. If you would like to get in touch, contact us.
Read about all the news announced by the VMware Tanzu team at VMware Explore 2023.
Remember, this is a Sealed Secret 🤫.