Cluster wide sealed secrets are the default. RBAC should protect secrets

2020-12-01 12:38:38 +01:00
parent 898316874e
commit 8e52597ae4
7 changed files with 52 additions and 33 deletions
@@ -15,4 +15,4 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.9.0
+version: 0.10.0
@@ -6,6 +6,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "helm-chart.labels" . | nindent 4 }}
+  annotations:
+    sealedsecrets.bitnami.com/cluster-wide: "true"
 spec:
  encryptedData:
  {{- range $key, $val := .Values.sealedSecrets }}
@@ -2,17 +2,17 @@ apiVersion: v1
 entries:
  cron-job:
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.143571731+01:00"
+    created: "2020-12-01T12:38:05.03132776+01:00"
    description: One chart to rule them all. A generic Helm chart for your application
      deployments. Because no-one can remember the Kubernetes yaml syntax.
-    digest: 3c91e1c3eb6bfb06052a4776d71180205904baab29f860b7d93d3b00f148c26f
+    digest: 7cbeb63cb5cb8b44e1c5cdc030ea3203134191e821e4e8aef237162537a1846f
    name: cron-job
    type: application
    urls:
    - https://chart.onechart.dev/cron-job-0.1.2.tgz
    version: 0.1.2
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.143339967+01:00"
+    created: "2020-12-01T12:38:05.030710489+01:00"
    description: One chart to rule them all. A generic Helm chart for your application
      deployments. Because no-one can remember the Kubernetes yaml syntax.
    digest: afab9ba533a4686827b54b0dad64f5bbf76f7fbc075e35fb1034689db9ab9dda
@@ -22,7 +22,7 @@ entries:
    - https://chart.onechart.dev/cron-job-0.1.1.tgz
    version: 0.1.1
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.143014448+01:00"
+    created: "2020-12-01T12:38:05.030371285+01:00"
    description: One chart to rule them all. A generic Helm chart for your application
      deployments. Because no-one can remember the Kubernetes yaml syntax.
    digest: 01f9fa40c1c4085d7688474ab00c9e9d21bd1d0793db6b75f2edda0e18456282
@@ -33,16 +33,16 @@ entries:
    version: 0.1.0
  namespaces:
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.144265562+01:00"
+    created: "2020-12-01T12:38:05.032406957+01:00"
    description: Chart to create namespaces and their defaults
-    digest: 1048347a4ce7acfada2c021fc85e4234206e611cc243797e5beb1e9a09bd2e69
+    digest: 872a08fa09342e43a4fac6deaa005fa0d515766e835518faf661120d8aacf170
    name: namespaces
    type: application
    urls:
    - https://chart.onechart.dev/namespaces-0.2.0.tgz
    version: 0.2.0
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.143901699+01:00"
+    created: "2020-12-01T12:38:05.032070183+01:00"
    description: Chart to create namespaces and their defaults
    digest: 88b06d78a9d1bda6f2ee15b1fad7f25399ac25c2320fb9a8dfa1a4fd14afdf6e
    name: namespaces
@@ -52,7 +52,17 @@ entries:
    version: 0.1.0
  onechart:
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.15148951+01:00"
+    created: "2020-12-01T12:38:05.033806128+01:00"
+    description: One chart to rule them all. A generic Helm chart for your application
+      deployments. Because no-one can remember the Kubernetes yaml syntax.
+    digest: 40f1166e858d35cb237debd1390187884641b0e8c29a80aaa195b66b0ee73516
+    name: onechart
+    type: application
+    urls:
+    - https://chart.onechart.dev/onechart-0.10.0.tgz
+    version: 0.10.0
+  - apiVersion: v2
+    created: "2020-12-01T12:38:05.041050012+01:00"
    description: One chart to rule them all. A generic Helm chart for your application
      deployments. Because no-one can remember the Kubernetes yaml syntax.
    digest: cb42b08b463b401f6718bba7c171ee55c173021c5101ea1b3068ef3899a6e164
@@ -62,7 +72,7 @@ entries:
    - https://chart.onechart.dev/onechart-0.9.0.tgz
    version: 0.9.0
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.151044103+01:00"
+    created: "2020-12-01T12:38:05.040530715+01:00"
    description: One chart to rule them all. A generic Helm chart for your application
      deployments. Because no-one can remember the Kubernetes yaml syntax.
    digest: ce046d209a9e8fa07766712492cc896451473fafca129dbc9c675107d0e39c52
@@ -72,7 +82,7 @@ entries:
    - https://chart.onechart.dev/onechart-0.8.2.tgz
    version: 0.8.2
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.150612415+01:00"
+    created: "2020-12-01T12:38:05.039447304+01:00"
    description: One chart to rule them all. A generic Helm chart for your application
      deployments. Because no-one can remember the Kubernetes yaml syntax.
    digest: 422d7e6ea1bed530d4cd5e23417b229772a6fe2e835828ca282a3e6c9b646b2b
@@ -82,7 +92,7 @@ entries:
    - https://chart.onechart.dev/onechart-0.8.1.tgz
    version: 0.8.1
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.150165139+01:00"
+    created: "2020-12-01T12:38:05.038689991+01:00"
    description: One chart to rule them all. A generic Helm chart for your application
      deployments. Because no-one can remember the Kubernetes yaml syntax.
    digest: 8001bd02fc90ad66da7941c136ee8d0e665ea90b6e1ac27d82b048f2b12b3964
@@ -92,7 +102,7 @@ entries:
    - https://chart.onechart.dev/onechart-0.8.0.tgz
    version: 0.8.0
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.149696206+01:00"
+    created: "2020-12-01T12:38:05.038138666+01:00"
    description: One chart to rule them all. A generic Helm chart for your application
      deployments. Because no-one can remember the Kubernetes yaml syntax.
    digest: d1454b430eb7131d0d450f7c0a8a6698278893c61e03d48649a8112dfcf42b72
@@ -102,7 +112,7 @@ entries:
    - https://chart.onechart.dev/onechart-0.7.1.tgz
    version: 0.7.1
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.149271676+01:00"
+    created: "2020-12-01T12:38:05.037677591+01:00"
    description: One chart to rule them all. A generic Helm chart for your application
      deployments. Because no-one can remember the Kubernetes yaml syntax.
    digest: 4bf90835f287917671ec40b5b395da9332cf18e70f248d250f8d5a72360dcb4e
@@ -112,7 +122,7 @@ entries:
    - https://chart.onechart.dev/onechart-0.7.0.tgz
    version: 0.7.0
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.148871501+01:00"
+    created: "2020-12-01T12:38:05.037163427+01:00"
    description: One chart to rule them all. A generic Helm chart for your application
      deployments. Because no-one can remember the Kubernetes yaml syntax.
    digest: 0cade489fc74a040f5e7f71d01c6fa00d3f68b4752a4d8234ccf2c1504b4c0a1
@@ -122,7 +132,7 @@ entries:
    - https://chart.onechart.dev/onechart-0.6.1.tgz
    version: 0.6.1
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.148528377+01:00"
+    created: "2020-12-01T12:38:05.036792413+01:00"
    description: One chart to rule them all. A generic Helm chart for your application
      deployments. Because no-one can remember the Kubernetes yaml syntax.
    digest: d607820a7e104eaaa88c153c1f2f7f409ef4c612ad747caeb3a671cf3fce03d4
@@ -132,7 +142,7 @@ entries:
    - https://chart.onechart.dev/onechart-0.6.0.tgz
    version: 0.6.0
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.148156511+01:00"
+    created: "2020-12-01T12:38:05.036435989+01:00"
    description: One chart to rule them all. A generic Helm chart for your application
      deployments. Because no-one can remember the Kubernetes yaml syntax.
    digest: ddf7cf87402095d62855898744b805115fdf86c4b295e0a4def0c50408fd9138
@@ -142,7 +152,7 @@ entries:
    - https://chart.onechart.dev/onechart-0.5.1.tgz
    version: 0.5.1
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.147778601+01:00"
+    created: "2020-12-01T12:38:05.03605146+01:00"
    description: One chart to rule them all. A generic Helm chart for your application
      deployments. Because no-one can remember the Kubernetes yaml syntax.
    digest: adf3c2cf3a27e58ec75620599e0e1c2031a7410a061a590317beeff6d8a9ad69
@@ -152,7 +162,7 @@ entries:
    - https://chart.onechart.dev/onechart-0.5.0.tgz
    version: 0.5.0
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.147427292+01:00"
+    created: "2020-12-01T12:38:05.035627433+01:00"
    description: One chart to rule them all. A generic Helm chart for your application
      deployments. Because no-one can remember the Kubernetes yaml syntax.
    digest: 8dab33263c4e632aeb4656c666871440b589497b70e76a1d6c3a5e3db1a30bba
@@ -162,7 +172,7 @@ entries:
    - https://chart.onechart.dev/onechart-0.4.0.tgz
    version: 0.4.0
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.147079605+01:00"
+    created: "2020-12-01T12:38:05.035179337+01:00"
    description: A generic Helm chart for your application deployments
    digest: fbaf6139e0ef8ad9a87cc1e41a97c7d25fdcf7ea17fa6364952f1a851a87480a
    name: onechart
@@ -171,7 +181,7 @@ entries:
    - https://chart.onechart.dev/onechart-0.3.2.tgz
    version: 0.3.2
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.146740099+01:00"
+    created: "2020-12-01T12:38:05.034780366+01:00"
    description: A generic Helm chart for your application deployments
    digest: bd6f5b1865ab9b05fc6925c163ab8045235bd2723dba31f09d5083d24322d1f8
    name: onechart
@@ -180,7 +190,7 @@ entries:
    - https://chart.onechart.dev/onechart-0.3.1.tgz
    version: 0.3.1
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.146399972+01:00"
+    created: "2020-12-01T12:38:05.034464535+01:00"
    description: A generic Helm chart for your application deployments
    digest: c79cef21eceab948144a289298cdf1e20e77a0782a883d7d65f9e709ccbbc271
    name: onechart
@@ -189,7 +199,7 @@ entries:
    - https://chart.onechart.dev/onechart-0.3.0.tgz
    version: 0.3.0
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.146083523+01:00"
+    created: "2020-12-01T12:38:05.034124933+01:00"
    description: A generic Helm chart for your application deployments
    digest: dd814ac5d08d5e6163a1b769df6803f5cb0f09d906045086dfcc5be522bb1ec3
    name: onechart
@@ -198,7 +208,7 @@ entries:
    - https://chart.onechart.dev/onechart-0.2.0.tgz
    version: 0.2.0
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.145383605+01:00"
+    created: "2020-12-01T12:38:05.033415409+01:00"
    description: A generic Helm chart for your application deployments
    digest: e46062df8053840cbfbba26c0a66a843a79f15a0b43a145ed019327513bd5098
    name: onechart
@@ -207,7 +217,7 @@ entries:
    - https://chart.onechart.dev/onechart-0.1.2.tgz
    version: 0.1.2
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.144910335+01:00"
+    created: "2020-12-01T12:38:05.033087374+01:00"
    description: A generic Helm chart for your application deployments
    digest: a7bbc8b7dcc008e89156cd1830282b7d39c0592e82ccdcefb77a25a42eca2a3d
    name: onechart
@@ -216,7 +226,7 @@ entries:
    - https://chart.onechart.dev/onechart-0.1.1.tgz
    version: 0.1.1
  - apiVersion: v2
-    created: "2020-11-17T13:12:53.144588352+01:00"
+    created: "2020-12-01T12:38:05.032767863+01:00"
    description: A generic Helm chart for your application deployments
    digest: 1ed8c0645abdae6c950526e9c5410dc056847a11700dc7def5f1c55eb7de0cd4
    name: onechart
@@ -224,4 +234,4 @@ entries:
    urls:
    - https://chart.onechart.dev/onechart-0.1.0.tgz
    version: 0.1.0
-generated: "2020-11-17T13:12:53.142559729+01:00"
+generated: "2020-12-01T12:38:05.029746468+01:00"
@@ -42,12 +42,19 @@ sealedSecrets:
  secret2: ewogICJjcmVk...
 ```

-Where you have to generate the encrypted values with [Sealed Secrets "raw" workflow](https://github.com/bitnami-labs/sealed-secrets#raw-mode-experimental):
+Where you have to generate the encrypted values 
+
+- either one-by-one with [Sealed Secrets "raw" workflow](https://github.com/bitnami-labs/sealed-secrets#raw-mode-experimental):

 ```bash
-echo -n my-secret-value | kubeseal \
-  --raw \
-  --from-file=/dev/stdin \
-  --namespace bar \
-  --name my-release
+echo -n my-secret-value | kubeseal --raw --scope cluster-wide --from-file=/dev/stdin
+```
+
+- or with the [Gimlet CLI](https://github.com/gimlet-io/gimlet-cli):
+
+```
+# Fetch the keys first
+kubeseal --fetch-cert > sealing-key.pub
+# Seal all secrets in one go
+gimlet seal -p sealedSecrets -k sealingKey.pub -f values.yaml -o sealed-valeus.yaml
 ```