TL;DR
Sealed Secrets works perfectly well with Argo CD. It is one of the best secret management approaches that you should consider.
The same idea applies to Helm, Kustomize and other GitOps tools.
Introduction
There is no golden standard for secret management in Argo CD. Instead, Argo CD just gives you a list of options here and you have to think it through yourself.
Although I opt in for Sealed Secrets, I also want to show you why you should use it instead of just telling you to use it.
To answer why, we need to think about two questions.
Where to store your secrets?
Although there are many solutions available, basically there are just two ways to store secrets: in a secret management platform or in a git repository.
Secret management platform approach
I don't want to use secret management platforms.
No matter what platform you use, it won't be K8S native because the platform lives outside of your cluster. You always need to install some plugin in your Kubernetes clusters to read the secrets from your platform.
If you opt in for this approach, you have to manage the platform, the plugins and the integration of everything together. It introduces too much complexity, and we know that complexity means more errors, bugs, human mistakes...
Git repository approach
On the other hand, this approach is super easy to use and manage. You can add encrypted secrets together with your Kubernetes manifests to your repository. Then Argo CD will decrypt the secret when it syncs your application.
Although you still need some kind of plugin to decrypt the secret, I'll show you how Sealed Secrets makes the whole process super simple and K8S native.
How to ingest your secret?
Now we're moving forward with the git repository approach. Let us review what solutions are available.
Helm Secrets
To most people who use Helm, Helm Secrets is a popular choice. Users can encrypt values files and then Argo CD can decrypt these files accordingly.
However it's too complicated for me.
First of all, to integrate Helm Secrets with Argo CD, you have to make certain modifications, which you can see in their tutorial. Again these complexities are bad for your operation.
Moreover, we can't simply prevent someone from committing unencrypted secret values files, as these files are normal YAML files. People always make mistakes and you should always assume that they will do every possible thing.
Lastly, we know that Argo CD allows us to specify multiple values files. So now you've got a set of values files and encrypted values files. How do you tell that there is no accidental value overriding issue? Ideally, we want to avoid decrypting secret files, but now we may have to do so.
Sealed Secrets
Now we start to enter the main topic. Sealed Secrets is actually a general-purpose secret management solution. Even if you don't use Argo CD, you can still use it to encrypt secrets.
The usage is very simple.
- When you install Sealed Secrets in your cluster, it creates a controller that manages an RSA key pair and certificate internally.
- You then use the kubeseal utility to encrypt Secret resources into SealedSecret resources.
- Lastly you just apply these SealedSecret resources and the controller will decrypt them into Secret resources.
# Sample usage
# 1. Build a plain Secret manifest locally without sending it to the cluster (client-side dry run)
echo -n bar | kubectl create secret generic mysecret --dry-run=client --from-file=foo=/dev/stdin > mysecret.yaml
# 2. Encrypt it with the controller's public certificate into a SealedSecret
kubeseal --format yaml -f mysecret.yaml > mysealedsecret.yaml
# 3. Apply the SealedSecret; the controller unseals it into a Secret in the cluster
kubectl create -f mysealedsecret.yaml
Sealed Secrets has many advantages.
Firstly, everything is K8S native. A SealedSecret resource is just a Custom Resource and Sealed Secrets lets you generate it. You just need to configure your Secret resources and reference those Secret resources as usual.
Secondly, committing Secret resources can be prevented by setting up a pre-commit hook. There is no excuse for committing secrets accidentally anymore.
Thirdly, you don't need to decrypt these SealedSecret resources because of the value overriding issue, compared to Helm Secrets. Secrets remain secrets.
Lastly, you can bring your own key. I find it quite useful because you can share the same secret with multiple clusters.
How to use Sealed Secrets with Argo CD?
If you are familiar with Argo CD, it only allows you to set values or values files.
Indeed, the Argo CD documentation has shown a hint in the Cluster Bootstrapping section. Instead of using the App Of Apps Pattern, now we're using an App of App Pattern, i.e. create a proxy chart to reference a target chart.
# Example proxy chart
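The second advantage above relies on a pre-commit hook. Below is an added example of such a hook, written for this article and not taken from the post or the Sealed Secrets project: it scans the staged YAML files and refuses the commit when any of them declares a plain `kind: Secret`, while `kind: SealedSecret` passes. The file names and the sample manifests in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the post or the Sealed Secrets project): a pre-commit
# hook that blocks plain Kubernetes Secret manifests from being committed.
# Install it as .git/hooks/pre-commit (or wire it into your hook manager).

# Returns 0 when the file declares a plain Secret, 1 otherwise.
# The pattern anchors "Secret" right after "kind:", so "kind: SealedSecret"
# does not match; [[:space:]] also swallows a trailing CR from CRLF files.
has_plain_secret() {
    grep -qE '^[[:space:]]*kind:[[:space:]]*Secret[[:space:]]*$' "$1"
}

# Checks every path given as argument. Non-YAML and missing files are skipped.
# Prints each offender and returns 1 if at least one plain Secret was found.
check_for_plain_secrets() {
    rc=0
    for f in "$@"; do
        case "$f" in
            *.yaml|*.yml) ;;
            *) continue ;;
        esac
        [ -f "$f" ] || continue
        if has_plain_secret "$f"; then
            echo "refusing to commit plain Secret manifest: $f (seal it with kubeseal first)" >&2
            rc=1
        fi
    done
    return $rc
}

# When invoked by git as the pre-commit hook, check the files staged for commit
# (added, copied or modified). The loop runs in a subshell, so its exit status
# is propagated with the trailing "|| exit 1".
if [ "${0##*/}" = "pre-commit" ]; then
    git diff --cached --name-only --diff-filter=ACM |
        while IFS= read -r f; do check_for_plain_secrets "$f" || exit 1; done || exit 1
fi
```

A client-side hook is a guard rail, not a control: anyone can skip it with `git commit --no-verify`, so run the same check in CI or as a server-side hook as well, and keep the grep conservative (it only looks at the `kind` field, not at base64 data that might be pasted elsewhere).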
├── Chart.yaml
├── templates
│ └── sealed-secret.yaml
└── values.yaml
Inside the Chart.yaml, you specify the target chart in the dependencies section. You then put all the SealedSecret resources in the templates folder.
Another advantage of using the App of App Pattern is that it naturally enforces the separation of helm charts and config files.
In Argo CD, those values files must be stored in the same repository as the Helm charts. That violates best practice, as explained by the Argo CD documentation itself.
So ideally, you'd set up at least two repositories, which makes using proxy charts a natural move.
Base charts repository
All your target charts are stored here and Argo CD needs to pull helm charts from here.
Proxy charts repository
This is where Argo CD syncs your desired application state from.
Although you might feel proxy charts are overhead, it's a very useful technique. Sometimes when you want to customise a chart but modifying the base chart directly is not a good option (maybe you're referencing a public chart), you can use this technique to tailor your chart.
There are many more things you can do with this pattern. Let's say in some cases you want to share the same secret with multiple deployments; you can do something like this.
# Maybe you want to reuse the same database credential for deployments in all regions?
├── Chart.yaml
├── templates
│ └── sealed-secret.yaml
├── region-a-values.yaml
└── region-b-values.yaml
Exercise
I've prepared a minimal setup for you to try out my approach.
You can check out my repository https://github.com/timtsoitt/argocd-configs and follow the instructions.
Conclusion
While there is no one-size-fits-all solution, keeping things simple is always a best practice. Rather than introducing many tools and procedures, Sealed Secrets lets you manage your secrets in the simplest form.
Personally I believe my approach can fit most of the use cases. If you have any ideas or questions, feel free to comment here.
Also if you like this article, please like, bookmark and share it 🙂