Managing Kubernetes secrets in a GitOps workflow (deprecated)
You should never store Kubernetes secrets in unencrypted form in a git
repository. If you use a GitOps workflow, you can follow these steps to securely manage your secrets.
- Set up the Sealed Secrets controller to manage secrets.
- Deploy Docker credentials so the cluster can pull images from the GitLab container registry.
Prerequisites
This setup requires:
- A GitLab agent for Kubernetes configured for the GitOps workflow.
- Access to the cluster to finish the setup.
Set up the Sealed Secrets controller to manage secrets
You can use the Sealed Secrets controller to store encrypted secrets securely in a git
repository. The controller decrypts the secret into a standard Kubernetes Secret
kind resource.
- Go to the Sealed Secrets release page and download the most recent
controller.yaml
file. - In GitLab, go to the project that contains your Kubernetes manifests and upload the
controller.yaml
file. - Open the agent configuration file (
config.yaml
) and if needed, update thepaths.glob
pattern to match the Sealed Secrets manifest. - Commit and push the changes to GitLab.
-
Confirm that the Sealed Secrets controller was installed successfully:
kubectl get pods -lname=sealed-secrets-controller -n kube-system
- Install the
kubeseal
command line utility by following the Sealed Secrets instructions. -
Get the public key you need to encrypt secrets without direct access to the cluster:
kubeseal --fetch-cert > public.pem
- Commit the public key to the repository.
For more details on how the Sealed Secrets controller works, view the usage instructions.
Deploy Docker credentials
To deploy containers from the GitLab container registry, you must configure the cluster with the proper Docker registry credentials. You can achieve this by deploying a docker-registry
type secret.
- Generate a GitLab token with at least
read-registry
rights. The token can be either a Personal or a Project Access Token. -
Create a Kubernetes secret manifest YAML file. Update the values as needed:
kubectl create secret docker-registry gitlab-credentials --docker-server=registry.gitlab.example.com --docker-username=<gitlab-username> --docker-password=<gitlab-token> --docker-email=<gitlab-user-email> -n <namespace> --dry-run=client -o yaml > gitlab-credentials.yaml
-
Encrypt the secret into a
SealedSecret
manifest:kubeseal --format=yaml --cert=public.pem < gitlab-credentials.yaml > gitlab-credentials.sealed.yaml