Skip to content

codefresh-contrib/gitops-secrets-sample-app

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits

never-commit-to-git

never-commit-to-git

 
 

safe-to-commit

safe-to-commit

 
 

Dockerfile

Dockerfile

 
 

README.md

README.md

 
 

codefresh.yaml

codefresh.yaml

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

kubernetes-secrets.png

kubernetes-secrets.png

 
 

settings.ini

settings.ini

 
 

simple-web-server.go

simple-web-server.go

 
 

Repository files navigation

Gitops with secrets

This is single application that uses Bitnami sealed secrets for password and certificates.

How to run locally

go run .

then visit http://localhost:8080 in your browser

How to build and run the container

Run

  • docker build . -t my-app to create a container image
  • docker run -p 8080:8080 my-app to run it

then visit http://localhost:8080 in your browser

You can find prebuilt images at https://hub.docker.com/r/kostiscodefresh/gitops-secrets-sample-app/tags

How to work with secrets

WARNING just for demonstration purposes this repository contains both raw and encrypted secrets so that you can see the sealing process yourself. In a real application, your Git repository should only have sealed secrets

Secret folders

  • never-commit-to-git/decrypted contains the raw secrets (You should never commit this to Git)
  • never-commit-to-git/unsealed_secrets contains plain Kubernetes secrets (You should never commit this to Git)
  • safe-to-commit/sealed_secrets contains sealed secrets (This is the only folder you should commit to Git)

How to install the Bitnami secret controller

Install the secret controller

helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm repo update
helm install sealed-secrets-controller sealed-secrets/sealed-secrets

By default the controller will be installed at the kube-system namespace. The namespace and release name are important, since if you change the defaults, you need to set them up with kubeseal as well as you work with secrets

Download the kubeseal CLI.

wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.16.0/kubeseal-linux-amd64 -O kubeseal
sudo install -m 755 kubeseal /usr/local/bin/kubeseal

How to work with bitnami sealed secrets

kubectl create ns git-secrets
cd safe-to-commit/sealed_secrets
kubeseal -n git-secrets < ../../never-commit-to-git/unsealed_secrets/db-creds.yml > db-creds.json
kubeseal -n git-secrets < ../../never-commit-to-git/unsealed_secrets/key-private.yml > key-private.json
kubeseal -n git-secrets  < ../../never-commit-to-git/unsealed_secrets/key-public.yml > key-public.json
kubeseal -n git-secrets < ../../never-commit-to-git/unsealed_secrets/paypal-cert.yml > paypal-cert.json
kubectl apply -f . -n git-secrets

You now have encrypted your plain secrets. These files are safe to commit to Git. You can see that they have been converted automatically to plain secrets with the command

kubectl get secrets -n git-secrets

How to deploy the application

Note that the application requires all secrets to be present

cd safe-to-commit/manifests
kubectl apply -f . -n git-secrets

Wait some time and then find the public IP of the loadbalancer of the application:

kubectl get svc -n git-secrets

If you now visit your application you will see it using the secrets:

Kubernetes secrets

See the documentation page for more details.

About

GitOps example with Bitnami sealed secrets

codefresh.io/docs/docs/yaml-examples/examples/gitops-secrets/

Topics

kubernetes secrets k8s gitops

Resources

Readme
Activity
Custom properties

Stars

18 stars

Watchers

3 watching

Forks

102 forks
Report repository

Languages