Manage secrets with sealed secrets #462
Waiting to merge this until #404 is merged. I'll then rebase this off of that and deal with conflicts, as well as configure staging, since staging isn't currently covered by this PR. UPDATE: This has been completed.
Looks good to me, although I haven't tested it.
Should we disable flux in production, merge this, and re-enable it when we're sure it works ok in staging? I'm not sure the best way to test all of this tbh, unless you've already done so.
Just to clarify, I have already tested this to the best of my ability by doing the following:
I'm still happy to do a test in staging first, but I don't think it'll really be testing what we care about, since the staging cluster uses a different key pair, and doesn't contain most of the secrets we're encoding here. Essentially what I'm saying is, I think the most meaningful test is verifying that we've sealed all of the existing secret data correctly, which I've done to the best of my knowledge.
Agreed, sounds like you've tested this reasonably so I think it's good to merge 👍
Currently, secrets are managed in an ad-hoc way, where the secret is created in the cluster, and then added here in a completely commented file named `secrets-dummy`, purely for reference. Sealed Secrets provide a way for us to securely commit our secrets into our codebase, without the need for any workarounds.

This PR consists of the following:

- `SealedSecret` resource definitions for all of the secrets which had a `secrets-dummy` file committed. These contain the encrypted data pulled from the live cluster.

For all of the secrets encoded in the `sealed-secrets.yaml` files included in this PR, I've added the `"sealedsecrets.bitnami.com/managed" = "true"` annotation, which will allow this change to take effect correctly.
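The check the reviewers discuss above, verifying that a `SealedSecret` covers every key of the live Secret it replaces and carries the managed annotation, as an added example that is not part of this PR or of the sealed-secrets project. It assumes the parsed JSON shapes of `kubectl get secret -o json` and `kubeseal -o json`, and that the annotation is placed under `spec.template.metadata.annotations`; the sample objects and ciphertext strings are constructed.

```python
# Parsed form of `kubectl get secret db-creds -n prod -o json` (constructed sample, assumed shape).
LIVE_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "prod"},
    "type": "Opaque",
    "data": {"username": "YXBw", "password": "aHVudGVyMg=="},  # base64 of "app" / "hunter2"
}

# Parsed form of `kubeseal -o json` output (constructed sample; ciphertexts are placeholders).
SEALED_SECRET = {
    "apiVersion": "bitnami.com/v1alpha1", "kind": "SealedSecret",
    "metadata": {"name": "db-creds", "namespace": "prod"},
    "spec": {
        "encryptedData": {"username": "AgB-placeholder-ciphertext", "password": ""},
        "template": {"type": "Opaque",
                     "metadata": {"name": "db-creds", "namespace": "prod", "annotations": {}}},
    },
}

MANAGED = "sealedsecrets.bitnami.com/managed"


def check_sealed(live: dict, sealed: dict) -> list:
    """Return findings (empty list = OK) for a SealedSecret meant to replace an existing Secret."""
    spec = sealed.get("spec", {})
    enc = spec.get("encryptedData", {})
    annotations = spec.get("template", {}).get("metadata", {}).get("annotations", {})
    live_keys = set(live.get("data", {}))
    findings = []
    if sealed.get("kind") != "SealedSecret":
        findings.append("kind is not SealedSecret")
    # Strict-scope ciphertext is bound to name and namespace, so they must match the live object.
    for field in ("name", "namespace"):
        if sealed.get("metadata", {}).get(field) != live.get("metadata", {}).get(field):
            findings.append(f"{field} differs between Secret and SealedSecret")
    # Every key in the live Secret needs a non-empty ciphertext, and nothing extra should appear.
    for key in sorted(live_keys):
        if not enc.get(key):
            findings.append(f"key {key!r} missing or empty in encryptedData")
    for key in sorted(set(enc) - live_keys):
        findings.append(f"key {key!r} in encryptedData but not in live Secret")
    # Without the managed annotation the controller refuses to overwrite a Secret it does not own.
    if annotations.get(MANAGED) != "true":
        findings.append(f'template lacks {MANAGED}: "true" annotation')
    return findings
```

Run it against each pair of live Secret and committed SealedSecret before merging; an empty list for every pair is the check the reviewers were asking for.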