Managing Kubernetes secrets in a GitOps workflow

You should never store Kubernetes secrets in unencrypted form in a git repository. If you use a GitOps workflow, you can follow these steps to securely manage your secrets.

  1. Set up the Sealed Secrets controller to manage secrets.
  2. Deploy Docker credentials so the cluster can pull images from the GitLab Container Registry.

Prerequisites

This setup requires:

Set up the Sealed Secrets controller to manage secrets

You can use the Sealed Secrets controller to store encrypted secrets securely in a git repository. Only the controller running in the cluster holds the private key, and it decrypts each SealedSecret into a standard Kubernetes Secret resource.

  1. Go to the Sealed Secrets release page and download the most recent controller.yaml file.
  2. In GitLab, go to the project that contains your Kubernetes manifests and upload the controller.yaml file.
  3. Open the agent configuration file (config.yaml) and, if needed, update the paths.glob pattern so that it matches the Sealed Secrets manifest.
  4. Commit and push the changes to GitLab.
  5. Confirm that the Sealed Secrets controller was installed successfully:

    kubectl get pods -lname=sealed-secrets-controller -n kube-system
    
  6. Install the kubeseal command line utility by following the Sealed Secrets instructions.
  7. Fetch the controller's public certificate, so that secrets can later be encrypted without direct access to the cluster:

    kubeseal --fetch-cert > public.pem
    
  8. Commit the public key to the repository. The public key is safe to publish; it can only encrypt, and decryption requires the private key that never leaves the controller.

For more details on how the Sealed Secrets controller works, view the usage instructions.

Deploy Docker credentials

To deploy containers from the GitLab Container Registry, you must configure the cluster with the proper Docker registry credentials. You can achieve this by deploying a docker-registry type secret.

  1. Generate a GitLab token with at least read-registry rights. The token can be either a personal or a project access token.
  2. Generate the Secret manifest YAML file with kubectl. The --dry-run=client flag writes the manifest locally without creating anything in the cluster; replace the placeholder values as needed:

    kubectl create secret docker-registry gitlab-credentials \
      --docker-server=registry.gitlab.example.com \
      --docker-username=<gitlab-username> \
      --docker-password=<gitlab-token> \
      --docker-email=<gitlab-user-email> \
      -n <namespace> \
      --dry-run=client -o yaml > gitlab-credentials.yaml
    
  3. Encrypt the secret into a SealedSecret manifest. Only the sealed file belongs in the repository; gitlab-credentials.yaml contains the token in plaintext (base64 is encoding, not encryption) and must not be committed:

    kubeseal --format=yaml --cert=public.pem < gitlab-credentials.yaml > gitlab-credentials.sealed.yaml
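As an added example (not code from the GitLab documentation or the Sealed Secrets project), the following Python reproduces the manifest that the kubectl command in step 2 writes and adds the pre-commit check a practitioner would want for this workflow: it rejects any plain Secret and any SealedSecret that lacks spec.encryptedData. Manifests are handled as dicts (a YAML loader would be used on real files); the function names and the sample values are assumptions.

```python
import base64
import json

# Added example; not part of the GitLab docs or the Sealed Secrets project.
# build_docker_registry_secret() lays out the Secret exactly as
# `kubectl create secret docker-registry ... --dry-run=client -o yaml` does.
# rejected_manifests() is a pre-commit gate: only kubeseal output may be committed.


def build_docker_registry_secret(name, server, username, password, email, namespace):
    """Return the docker-registry Secret (the content of gitlab-credentials.yaml) as a dict."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {server: {"username": username, "password": password,
                                 "email": email, "auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        # Kubernetes only base64-encodes `data`; to git this is still plaintext
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(config).encode()).decode()},
    }


def decode_registry_login(secret, server):
    """Show that the stored value is merely encoded: returns (username, password)."""
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    return tuple(base64.b64decode(config["auths"][server]["auth"]).decode().split(":", 1))


def rejected_manifests(manifests):
    """Names of manifests that must not be committed: every plain Secret, and any
    SealedSecret without spec.encryptedData (kubeseal not run, or its output edited)."""
    bad = []
    for m in manifests:
        name = m.get("metadata", {}).get("name", "<unnamed>")
        if m.get("kind") == "Secret":
            bad.append(name)
        elif m.get("kind") == "SealedSecret" and not m.get("spec", {}).get("encryptedData"):
            bad.append(name)
    return bad
```

Run rejected_manifests over every manifest in the commit (for example from a pre-commit hook or a CI job) and fail the commit when it returns a non-empty list.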