How can I use Sealed Secrets in my Replicated Kubernetes Application?


#1

I use the Bitnami sealed secrets controller to manage secrets in my production Kubernetes environment. Does Replicated support Sealed Secrets? How can I deploy Sealed Secrets into my Kubernetes application running in Replicated?


#2

One of the primary goals of Replicated is to unify the architectures of your SaaS app and your on-prem version.

Sealed secrets are great for production, as they enable you to safely store your secrets in git, alongside the rest of your manifests. When delivering an app to on-prem Kubernetes, there are three things to keep in mind:

  1. You shouldn’t be delivering any secrets from your app into your on-prem installs.
  2. Any instance-specific configuration like database credentials, API keys, etc. can be delivered via Config Options or License Fields.
  3. All sensitive information for an on-prem instance will be stored securely in the instance, encrypted with a keypair that does not leave the instance.

With this in mind, the recommended workflow is to store core Kubernetes manifests in a git repo, and use a tool like kustomize to manage patching your manifests for different environments. A rough mock-up of how this might work is shown below.

An example of a Secret you might add to your Replicated YAML via the Vendor API might be:

apiVersion: v1
kind: Secret
metadata:
  name: db-secret
stringData:
  DATABASE_PASSWORD: {{repl ConfigOption "db_password"}}
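The layout the answer above sketches, written out as an added example (it is not from the original post or from Replicated): one kustomize base that only references a Secret by name, a SaaS overlay that supplies it as a SealedSecret committed to git, and an on-prem overlay that supplies the same Secret name from a Replicated Config Option, so no vendor secret ever ships to the customer. The Secret name `db-secret` and the `db_password` config option come from the answer; the directory names, the `api` Deployment, the image, and the `encryptedData` value are assumptions or placeholders.

```yaml
# Added example, not the original poster's manifests. Each "---" below is a
# separate file in a kustomize tree; the comment on each gives its path.

# --- base/kustomization.yaml
resources:
  - deployment.yaml

---
# --- base/deployment.yaml
# The base never contains the secret itself; it only names the Secret it expects.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api                     # assumed workload name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
        - name: api
          image: example.com/api:1.0.0     # placeholder image
          env:
            - name: DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db-secret          # same Secret name in every environment
                  key: DATABASE_PASSWORD

---
# --- overlays/saas/kustomization.yaml
# Your own cluster: the credential stays encrypted in git as a SealedSecret.
resources:
  - ../../base
  - sealed-secret.yaml

---
# --- overlays/saas/sealed-secret.yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-secret
  namespace: default            # SealedSecrets are bound to a namespace by default
spec:
  encryptedData:
    # Placeholder: the real value is the output of `kubeseal`, and only the
    # controller holding the private key in your SaaS cluster can decrypt it.
    DATABASE_PASSWORD: AgB-PLACEHOLDER-ENCRYPTED-VALUE
  template:
    metadata:
      name: db-secret

---
# --- overlays/onprem/kustomization.yaml
# Replicated install: no vendor secret is shipped; the value is whatever the
# customer enters in the Config Option and is stored in their instance.
resources:
  - ../../base
  - secret.yaml

---
# --- overlays/onprem/secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-secret
stringData:
  # Quoted so the file is valid YAML for any tooling that parses it before
  # Replicated renders the template.
  DATABASE_PASSWORD: '{{repl ConfigOption "db_password"}}'
```

`kubectl kustomize overlays/saas` renders the manifests you apply to your own cluster, while the rendered `overlays/onprem` tree is what you upload as the Replicated YAML. The Deployment is identical in both paths; only the source of `db-secret` differs, which is the point of keeping the base free of any secret material.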