support use of SealedSecrets #374

Closed
wmcdona89 opened this issue May 11, 2023 · 1 comment · Fixed by #384

wmcdona89 (Contributor) commented May 11, 2023

Looking to replace Secret with SealedSecret to help ensure secrets are never leaked by helm. Currently helm's --dry-run and --debug flags cause secrets to be logged. See helm/helm#7275. Perhaps someday helm will provide masking via a --set-secret option but this is not in the current list of options.

The SealedSecret templates would look very similar to the existing Secret templates and a feature flag could enable the SealedSecret templates while disabling the Secret templates.

If there's not currently an appetite to include the SealedSecret templates in the chart, then simply providing a feature flag to disable the Secret templates would allow the chart to be extended by a chart providing the SealedSecret templates.

Below is an example with a sealedSecret.enabled feature flag and a configmap-sealedsecret.yaml template. The feature flag would also be added to configmap-secret.yaml.

values

```yaml
sealedSecret:
  enabled: true
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"

config:
  secret:
    secret.conf: AgBD1mUgglt5c8Uvu18wHr0ADQF1npS0OMRs1AKwv+8gLOIxn/1ssLin1fCaqc/mdQn6O3X6dpAlBOn+KuUiKTliPGoJmJQE3fS5jSG6P9fkv0RM2Ynr660cql4LUG1zLwqx7uQnt08vXM7eHFxvoHsf5bZJIbO/P1gVIIMtCD/cbXS24sfnYcveHMw4FHlovrkmMvNhMGU2eUBiwgJwQhSHl4E07gJwsi+x4ZuT9gRSNLVL/7vH69jMqeDyF4J4WxHc4ST80qwQKtDwLE62FNJkXzvOb6SwCP9QEzykqVCX3cy0BX26ZRSncImJjS/N+N6K54DJSlu5AlIBCXPr/XHCb1aakrS/jJIO2kiMtnF8Cm1aNX+pnzLGrdFOTVfVctZWTrkkfRaSWOXpq5WXDnzcFCJSn4dF7KSNa6Q2FB6qziEQ51ONTPJI0JfvBDLZ/HNoLBE9ICRv9ItsX1MjVH3kcYJunoK8N4ie4iBm7EvVvw9OdZvNzM4VH5BApOZ5LGSV5qx2Br+k5H73LDuVtfLMcJHdmCBmkLwYBLUGixWyI11lfxsLd5Nkes3odw3sxx7wsaOzX5EOCz2st/dRiXuJK+df3FUXB4lUFaPgvGIlEwCdG7G1lKq9tXmcuP8lZxd/OVPJq7AP67SGvaLyOFnKSdBhjMdiSdMYW/8DEuhP3QsqpcHdKitFfpBgo5E7msyl3jnA2w==

  userProvisioning:
    user.conf: 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

global:
  secureCookieKey: 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

launcherPem: AgBD1mUgglt5c8Uvu18wHr0ADQF1npS0OMRs1AKwv+8gLOIxn/1ssLin1fCaqc/mdQn6O3X6dpAlBOn+KuUiKTliPGoJmJQE3fS5jSG6P9fkv0RM2Ynr660cql4LUG1zLwqx7uQnt08vXM7eHFxvoHsf5bZJIbO/P1gVIIMtCD/cbXS24sfnYcveHMw4FHlovrkmMvNhMGU2eUBiwgJwQhSHl4E07gJwsi+x4ZuT9gRSNLVL/7vH69jMqeDyF4J4WxHc4ST80qwQKtDwLE62FNJkXzvOb6SwCP9QEzykqVCX3cy0BX26ZRSncImJjS/N+N6K54DJSlu5AlIBCXPr/XHCb1aakrS/jJIO2kiMtnF8Cm1aNX+pnzLGrdFOTVfVctZWTrkkfRaSWOXpq5WXDnzcFCJSn4dF7KSNa6Q2FB6qziEQ51ONTPJI0JfvBDLZ/HNoLBE9ICRv9ItsX1MjVH3kcYJunoK8N4ie4iBm7EvVvw9OdZvNzM4VH5BApOZ5LGSV5qx2Br+k5H73LDuVtfLMcJHdmCBmkLwYBLUGixWyI11lfxsLd5Nkes3odw3sxx7wsaOzX5EOCz2st/dRiXuJK+df3FUXB4lUFaPgvGIlEwCdG7G1lKq9tXmcuP8lZxd/OVPJq7AP67SGvaLyOFnKSdBhjMdiSdMYW/8DEuhP3QsqpcHdKitFfpBgo5E7msyl3jnA2w==
```

configmap-sealedsecret.yaml

```yaml
{{- if .Values.sealedSecret.enabled -}}
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    {{- tpl ( toYaml .Values.sealedSecret.annotations ) . | nindent 4 }}
  name: {{ include "rstudio-workbench.fullname" . }}-secret
  namespace: {{ $.Release.Namespace }}
spec:
  encryptedData:
    {{- include "rstudio-library.config.ini" .Values.config.secret | nindent 4 }}
    launcher.pem: |
      {{- include "rstudio-workbench.launcherPem" . | nindent 6 }}
    secure-cookie-key: |
      {{- include "rstudio-workbench.secureCookieKey" . | nindent 6 }}
  template:
    data:
      {{- if .Values.launcherPub }}
      # TODO: would ideally be able to generate launcher.pub as well
      launcher.pub: |
        {{- .Values.launcherPub | nindent 10 }}
      {{- end }}
---
{{- if .Values.config.userProvisioning }}
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    {{- tpl ( toYaml .Values.sealedSecret.annotations ) . | nindent 4 }}
  name: {{ include "rstudio-workbench.fullname" . }}-user
  namespace: {{ $.Release.Namespace }}
spec:
  encryptedData:
    {{- include "rstudio-library.config.ini" .Values.config.userProvisioning | nindent 4 }}
{{- end }}
{{- end }}
```
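The point of the feature flag above is that, once `sealedSecret.enabled` is on, a render of the chart should contain no plaintext `kind: Secret` at all, so nothing sensitive can surface in `--dry-run`/`--debug` output. The guard below is an added example, not code from this issue or from the rstudio-workbench chart: a small POSIX shell/awk check that scans multi-document YAML (such as `helm template` output) and fails when any `Secret` document carries a `data:` or `stringData:` block. The script name, the function names and the two sample manifests are assumptions constructed for the example; the sealed value and key material in them are placeholders, not real ciphertext.

```shell
#!/bin/sh
# Added example (not from the issue or the chart): fail a rendered Helm
# manifest that still contains a plaintext Kubernetes Secret, i.e. a
# `kind: Secret` document with a column-0 `data:` or `stringData:` key.
#
# Usage:  helm template . -f values.yaml | sh check-no-plain-secrets.sh -
#    or:  sh check-no-plain-secrets.sh rendered.yaml

# Print the metadata.name of every plaintext Secret document.
# Reads the files given as arguments ("-" meaning stdin), or stdin when
# there are none. SealedSecret documents are never reported: their `data:`
# lives under spec.template and is indented, so the column-0 check skips it.
list_plain_secrets() {
    awk '
        function flush() {
            if (kind == "Secret" && has_data) print name
            kind = ""; name = ""; has_data = 0
        }
        /^---/                { flush(); next }
        /^kind: /             { kind = $2 }
        /^  name: /           { if (name == "") name = $2 }
        /^(data|stringData):/ { has_data = 1 }
        END                   { flush() }
    ' "$@"
}

# Exit 0 when no plaintext Secret is found, 1 otherwise (names go to stderr),
# so the function can gate a CI step.
check_no_plain_secrets() {
    found=$(list_plain_secrets "$@")
    if [ -n "$found" ]; then
        printf 'plaintext Secret rendered: %s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Constructed sample renders for trying the guard offline. The sealed value
# and the public key below are placeholders, not real material.
SAMPLE_SEALED='apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: demo-secret
spec:
  encryptedData:
    secret.conf: AgBD...CONSTRUCTED_SEALED_VALUE...
  template:
    data:
      launcher.pub: |
        CONSTRUCTED-PUBLIC-KEY
'

# A ConfigMap with data: is fine; the Secret with data: must be reported.
SAMPLE_LEAK='apiVersion: v1
kind: ConfigMap
metadata:
  name: demo-config
data:
  settings.conf: not-a-secret
---
apiVersion: v1
kind: Secret
metadata:
  name: demo-secret
type: Opaque
data:
  secure-cookie-key: Y29uc3RydWN0ZWQ=
'

# When invoked with file arguments, check them and exit with the verdict.
if [ $# -gt 0 ]; then
    check_no_plain_secrets "$@"
fi
```

Run against `SAMPLE_SEALED` the guard passes; against `SAMPLE_LEAK` it reports `demo-secret` and returns 1 while leaving the ConfigMap alone. The match on `kind:` and column-0 `data:` is deliberately narrow: it keys off the shape of a core `v1/Secret` document rather than trying to parse YAML, which keeps the check dependency-free for a chart CI job.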
colearendt (Member) commented:
This sounds great! We also discussed:

  • removing a few default values that are problematic for hybrid typing (i.e. allowing a string or a map)
  • implementing for Workbench first, and then pivoting to the other charts
