sealit
Heads up: sealit is still in development and some features are missing.
sealit is a CLI which provides an opinionated way of doing GitOps based on Bitnami's "Sealed Secrets" for Kubernetes and Helm Charts.
Getting started
- Download the latest release from https://github.com/dschniepp/sealit/releases.
- Install Sealed Secrets via helm on your K8s cluster: https://github.com/bitnami-labs/sealed-secrets/tree/main/helm/sealed-secrets
- Run sealit init next to the environment-specific values.yaml of your Helm chart.
- Change the configuration file .sealit.yaml according to your needs.
- Run sealit seal to encrypt all secrets. Review whether your secrets are encrypted; otherwise tweak your config file again.
- Create a SealedSecret resource (sealit template) inside your Helm chart and reference the secrets from the values.yaml, similar to {{ .Values.env.your_secret | trimPrefix "ENC:" }}.
- Now you can securely commit your secrets and deploy your application from your git repository to Kubernetes.
In the example folder you can find a working solution and structure for using sealit, Sealed Secrets and Helm Charts.
Commands
sealit help
sealit help shows an overview of all commands and flags.
sealit init
sealit init creates a sample .sealit.yaml configuration file.
sealit reseal
sealit reseal reseals all files. This only works with Kubernetes as the cert source.
sealit seal
sealit seal seals all files according to the rules defined in the .sealit.yaml.
sealit template
sealit template echoes a SealedSecret Kubernetes resource; with the file parameter, the output is saved at the referenced location instead.
sealit verify
sealit verify checks that all secrets in the respective files are sealed according to the rules defined in the .sealit.yaml.
This command can be used in git hooks to prevent committing unencrypted files.
Configuration
The default name of the configuration file is .sealit.yaml.
The filename can be overwritten by setting the --config flag.
A sample configuration file can be created via sealit init.
sealingRules:
  - fileRegex: \.dev\.yaml$          # Regex pattern for which files these rules are applied
    name: secret                     # Name of the future secret
    namespace: default               # Namespace of the future secret
    secretsRegex: (password|pin)$    # Regex of the key names which should be encrypted
    cert:
      maxAge: 720h0m0s
      sources:
        kubernetes:
          context: KubeContextName
          name: sealed-secrets
          namespace: kube-system
        url: https://example.org
        path: cert.pem
Cert locations and age
The public cert can be fetched from different locations.
Regardless of how the cert is fetched, maxAge is provided.
Maximum cert age
maxAge is used to check the age of the cert based on its "Valid after" date.
If the cert is older than maxAge, or the --fetch-cert flag is provided, a new cert is fetched.
Otherwise the cert stored in the meta field within the values.yaml file is used for the encryption.
Local cert file
sealingRules:
  - ...
    cert:
      ...
      sources:
        ...
        path: "cert.pem"
Remote cert file
sealingRules:
  - ...
    cert:
      ...
      sources:
        ...
        url: https://localhost:8080/cert.pem
Remote cert from Kubernetes
sealingRules:
  - ...
    cert:
      ...
      sources:
        ...
        kubernetes:
          context: KubeContextName
          name: sealed-secrets
          namespace: kube-system
Prevent committing unencrypted files
Create a pre-commit hook in git which runs sealit verify.
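To make the rule semantics from the configuration section and the verify hook concrete, here is an added Go example (not sealit's own code) that applies a rule's fileRegex and secretsRegex to a parsed values tree and lists the keys that are not carrying the ENC: prefix. It assumes that secretsRegex is matched against the leaf key name and that the values tree is the nested-map shape a YAML parser yields; the sample values are constructed.

```go
package main

import (
	"regexp"
	"sort"
	"strings"
)

// SealingRule holds the two regexes of a .sealit.yaml sealingRules entry
// that decide which files and which keys a rule covers (cert part omitted).
type SealingRule struct {
	FileRegex    *regexp.Regexp
	SecretsRegex *regexp.Regexp
}

const encPrefix = "ENC:" // marker of a sealed value in values.yaml

// findRule returns the first rule whose fileRegex matches filename, or nil.
func findRule(rules []SealingRule, filename string) *SealingRule {
	for i := range rules {
		if rules[i].FileRegex.MatchString(filename) {
			return &rules[i]
		}
	}
	return nil
}

// unsealedKeys walks a parsed values tree (nested maps) and returns the dotted
// paths of keys matching secretsRegex (assumed: leaf key name) whose value is
// not a string starting with ENC:. An empty result means the file passes.
func unsealedKeys(values map[string]interface{}, rule *SealingRule, prefix string) []string {
	var bad []string
	for k, v := range values {
		path := strings.TrimPrefix(prefix+"."+k, ".")
		if sub, ok := v.(map[string]interface{}); ok {
			bad = append(bad, unsealedKeys(sub, rule, path)...)
			continue
		}
		if !rule.SecretsRegex.MatchString(k) {
			continue
		}
		// a non-string (number, bool, null) can never be a sealed value
		if s, ok := v.(string); !ok || !strings.HasPrefix(s, encPrefix) {
			bad = append(bad, path)
		}
	}
	sort.Strings(bad) // map iteration order is random; make output stable
	return bad
}
```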
Limitations and scope
sealit is an alternative CLI to kubeseal, which is part of Bitnami's Sealed Secrets.
Therefore sealit requires the Sealed Secrets controller to already be installed on the cluster; this can be done via the Helm chart.
The crypto part as well as the sealing principles are from Sealed Secrets.
Development
For development, git, go >= 1.14, make, Helm and access to a K8s cluster are required.
Clone the repository via git clone https://github.com/dschniepp/sealit.git to continue with one of the following steps.
Run sealit
make run
Run tests
make test
Build application
Locally the application can be built via make build, which places the binary in the dist folder.
Releases on GitHub are built and published via goreleaser and GitHub Actions.
Contribute
Thank you for considering contributing to sealit! Before contributing, please be sure to read the Contribution Guide.
Code of Conduct
In order to ensure that the community is welcoming to all, please review and abide by the Code of Conduct.
Security
If you discover a vulnerability within sealit, please send an e-mail to Daniel Schniepp via d.schniepp@indale.com
Credits
Thanks to the awesome work of the people behind SOPS and Sealed Secrets. sealit is heavily influenced by their ideas.
License
sealit is open-sourced software licensed under the MIT license.