onechart/website/docs/examples/secrets.md at 365544204cef1927d079abaadabf5d2000c2f378

Archived

This repository has been archived on 2024-12-15. You can view files and clone it. You cannot open issues or pull requests or push a commit.

Files

T

Laszlo Fogas 8e52597ae4 Cluster wide sealed secrets are the default. RBAC should protect secrets

2020-12-01 12:46:11 +01:00

1.5 KiB

Raw Blame History

Since secrets demand a distinct workflow, OneChart will not generate a Kubernetes Secret object, but can reference one.

OneChart can reference an existing Kubernetes Secret and it includes all entries in the deployment with the EnvFrom field.

The secret name must match the release name. my-release in this example.

image:
  repository: nginx
  tag: 1.19.3

secret:
  enabled: true

Check the Kubernetes manifest:

cat << EOF > values.yaml
image:
  repository: nginx
  tag: 1.19.3

secret:
  enabled: true
EOF

helm template my-release onechart/onechart -f values.yaml

Using encrypted secret values

OneChart can be used with Bitnami's Sealed Secrets, and it generates a SealedSecret resource that can be stored even in git.

image:
  repository: nginx
  tag: 1.19.3

sealedSecrets:
  secret1: AgBy3i4OJSWK+PiTySYZZA9rO43cGDEq...
  secret2: ewogICJjcmVk...

Where you have to generate the encrypted values

either one-by-one with Sealed Secrets "raw" workflow:

echo -n my-secret-value | kubeseal --raw --scope cluster-wide --from-file=/dev/stdin

or with the Gimlet CLI:

# Fetch the keys first
kubeseal --fetch-cert > sealing-key.pub
# Seal all secrets in one go
gimlet seal -p sealedSecrets -k sealingKey.pub -f values.yaml -o sealed-valeus.yaml

1.5 KiB Raw Blame History

Using encrypted secret values

1.5 KiB

Raw Blame History