Create sealed secret documentation

spack · Apr 20, 2023 · 3bf19e1 · 3bf19e1
1 parent 590892e
commit 3bf19e1
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -9,6 +9,28 @@ services, including:
 
 Why isn't my GitLab CI pipeline running yet? Please see our [Deferred Pipelines Documentation](docs/deferred_pipelines.md)
 
+## Secret Management
+
+The kubernetes cluster makes use of [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets), and as such, requires specific steps to be taken in order to create/update secrets.
+
+Sealed secrets are publicly defined encrypted secrets that can only be decrypted within the cluster. Once `SealedSecret` resources are applied to the cluster, the sealed secret controller unseals them, creating a regular secret (same name and namespace) containing the decrypted data.
+
+### Creating a new secret
+To create a new secret, simply copy and un-comment the SealedSecret template (`k8s/production/sealed-secrets/sealed-secret-template.yaml`), or any other existing SealedSecret definition, to the intended file. Convention is to name the file containing your new sealed secrets to be named `sealed-secrets.yaml`.
+
+### Updating a secret
+Once you have a file containing one or more SealedSecret resources, you'll need to add/update its values. To do so, a helper script has been created, which takes the secret file as an argument. It can be used as followed:
+
+```
+./scripts/secrets.py k8s/**/sealed-secrets.yaml
+```
+
+This will prompt you to select the specific secret you want to modify (if several are defined), and which key within the secret's data you want to update (or create a new entry). This prompts you to enter the raw unencrypted value into your shell, which will be sealed, base64 encoded and placed into the file. Comments in the secrets file are not affected by the script, and are encouraged.
+
+Sealed Secrets are *write only*, and as such, cannot be read directly from the definitions in this repository. However, if you have cluster access, you can read the secret value from the cluster.
+
+**Note**: Due to logistical issues with retrieving it on demand, the public certificate is stored in this repository under `k8s/production/sealed-secrets/cert.pem`. This is the *public* part of the public/private key pair, and is **not** sensitive information. The secrets scripts will use this certificate automatically, but if there is ever a need to use a *different* certificate, it can be set with the `SEALED_SECRETS_CERT` environment variable.
+
 ## Restoring from Backup
 
 - Delete the persistent volume (PV) and persistent volume claim (PVC) for the old volume that's being replaced.

diff --git a/k8s/production/sealed-secrets/sealed-secret-template.yaml b/k8s/production/sealed-secrets/sealed-secret-template.yaml
@@ -0,0 +1,18 @@
+# apiVersion: bitnami.com/v1alpha1
+# kind: SealedSecret
+# metadata:
+#   name: mysecret
+#   namespace: mynamespace
+#   # Annotations on the SealedSecret resource, not the unsealed Secret resource
+#   annotations:
+#     foo: bar
+# spec:
+#   encryptedData:
+#     foo: bar
+#   template:
+#     # This is an example of labels and annotations that will be added to the output secret
+#     metadata:
+#       labels:
+#         foo: bar
+#       annotations:
+#         foo: bar