June 11, 2022 08:51 am GMT

Argo CD and Sealed Secrets is a perfect match

TL;DR

Sealed Secrets works perfectly well with Argo CD. It is one of the very best secret management approaches you should consider.

The same idea applies to Helm, Kustomize and other GitOps tools.

Introduction

There is no gold standard for secret management in Argo CD. Instead, Argo CD just gives you a list of solutions in its documentation and you have to decide for yourself.

Although I opt for Sealed Secrets, I also want to show you why you should use it instead of just telling you to.

To answer why, we need to think about two questions.

Where to store your secret?

Although many solutions are available, there are basically just two ways to store secrets: in a secret management platform or in a git repository.

Secret management platform approach

I don't prefer to use secret management platforms.

No matter which platform you use, it won't be K8S native because the platform lives outside your cluster. You always need to install some plugin in your Kubernetes clusters to read the secrets from the platform.

If you opt for this approach, you have to manage the platform, the plugins and the integration of everything together. It introduces too much complexity, and we know that complexity means more errors, bugs and human mistakes.

Git repository approach

Alternatively, this approach is very easy to use and manage. You upload encrypted secrets together with your Kubernetes manifests to your repository, and Argo CD decrypts the secrets when it syncs your application.

Although you still need some kind of plugin to decrypt the secrets, I will show you that Sealed Secrets makes the whole process very simple and K8S native.

How to ingest your secret?

Now we move on to the git repository approach. Let us review together which solutions are available.

Helm Secrets

For most people who use Helm, Helm Secrets is a popular choice. Users encrypt values files and Argo CD decrypts these files accordingly.

However, it is too complicated for me.

First of all, to integrate Helm Secrets with Argo CD you have to make certain modifications, which you can see in their tutorial. Again, these complexities are bad for your operations.

Moreover, we can't easily prevent someone from committing unencrypted secret values files, as these files are ordinary YAML files. People always make mistakes, and you have to assume that they will do every possible thing.

Lastly, we know that Argo CD allows us to specify multiple values files. So now you have a set of plain values files and encrypted values files. How do you tell that no unintended value overriding happens? Ideally we want to avoid decrypting the secret files, but now we may have to.

Sealed Secrets

Now we enter the main topic. Sealed Secrets is actually a general-purpose secret management solution. Even if you don't use Argo CD, you can still use it to encrypt secrets.

The usage is very simple.

  1. When you install Sealed Secrets in your cluster, it creates a controller that manages an RSA certificate internally.
  2. Then you use the kubeseal utility to encrypt Secret resources into SealedSecret resources.
  3. Lastly, you just apply these SealedSecret resources and the controller decrypts them into Secret resources.

  # Sample usage
  echo -n bar | kubectl create secret generic mysecret --dry-run=client --from-file=foo=/dev/stdin > mysecret.yaml
  kubeseal --format yaml -f mysecret.yaml > mysealedsecret.yaml
  kubectl create -f mysealedsecret.yaml

Sealed Secrets has many advantages.

Firstly, everything is K8S native. A SealedSecret resource is just a Custom Resource, and Sealed Secrets helps you generate it. You just configure your Secret resources and reference them as usual.

Secondly, committing Secret resources can be prevented by setting up a pre-commit hook. There is no excuse for committing secrets accidentally anymore.

Thirdly, compared to Helm Secrets, you do not need to decrypt SealedSecret resources because of value overriding issues. Secrets remain secrets.

Lastly, you can bring your own key. I find this quite useful because you can share the same secret with multiple clusters.
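The pre-commit hook mentioned above, written out as an added example (not code from the post or its repository): it rejects any staged YAML file that declares a plain `kind: Secret` while letting the `kind: SealedSecret` resources produced by kubeseal through. It assumes a POSIX shell and git; the sample manifests it writes are constructed for demonstration.

```shell
#!/bin/sh
# Install as .git/hooks/pre-commit (executable) in the repository Argo CD syncs from.

# check_manifest FILE: returns 0 if FILE is safe to commit, 1 if any document in
# it declares `kind: Secret`. The anchored pattern does not match
# `kind: SealedSecret`; a double-quoted kind and a trailing comment are still caught.
check_manifest() {
  ! grep -Eq '^[[:space:]]*kind:[[:space:]]*"?Secret"?[[:space:]]*(#.*)?$' "$1"
}

# scan_staged: run check_manifest over every staged YAML file (added, copied or
# modified); reports offenders on stderr and returns 1 if any were found.
# Note: file names containing whitespace are not handled by this simple loop.
scan_staged() {
  status=0
  for f in $(git diff --cached --name-only --diff-filter=ACM -- '*.yaml' '*.yml'); do
    if ! check_manifest "$f"; then
      echo "pre-commit: $f contains an unsealed Secret; run kubeseal on it first" >&2
      status=1
    fi
  done
  return $status
}

# write_samples DIR: constructed sample manifests for a stand-alone demonstration.
write_samples() {
  cat > "$1/plain-secret.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
data:
  foo: YmFy
EOF
  cat > "$1/sealed-secret.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
spec:
  encryptedData:
    foo: AgB...ciphertext-placeholder...
EOF
}

# Only scan the index when git invokes this script under the hook name.
case "${0##*/}" in
  pre-commit) scan_staged || exit 1 ;;
esac
```

Run `write_samples` into a scratch directory and call `check_manifest` on each file to see the hook accept the sealed manifest and reject the plain one.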

How to use Sealed Secrets with Argo CD?

If you are familiar with Argo CD, you know it only allows you to set values or values files.

Indeed, the Argo CD documentation gives a hint in its Cluster Bootstrapping section. Instead of the App of Apps pattern, we use an App of App pattern, i.e. create a proxy chart that references a target chart.

  # Example proxy chart
  Chart.yaml
  templates/
      sealed-secret.yaml
  values.yaml

Inside Chart.yaml, you specify the target chart in the dependencies section. Then you put all the SealedSecret resources in the templates folder.
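A concrete proxy chart layout, added here as an example and not taken from the post or its repository; the chart names, versions, repository URL and the `existingSecret` value are assumptions, and the ciphertext is a placeholder:

```yaml
# Chart.yaml: the proxy chart only declares the target chart as a dependency
apiVersion: v2
name: myapp-proxy
version: 0.1.0
dependencies:
  - name: myapp                              # assumed target chart name
    version: 1.2.3                           # assumed target chart version
    repository: https://charts.example.com/  # assumed base charts repository
---
# templates/sealed-secret.yaml: output of `kubeseal --format yaml`, committed as-is
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
  namespace: myapp        # must match the namespace Argo CD deploys into: the
spec:                     # default sealing scope binds the ciphertext to name+namespace
  encryptedData:
    foo: AgB...ciphertext-from-kubeseal...   # placeholder, not a real value
  template:
    metadata:
      name: mysecret
      namespace: myapp
---
# values.yaml: values for the target chart are nested under its dependency name
myapp:
  existingSecret: mysecret   # assumed value the target chart uses to mount the Secret
```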

Another advantage of the App of App pattern is that it naturally enforces the separation of Helm charts and config files.

In Argo CD, values files need to be stored in the same repository as the Helm chart. This violates best practice, as the Argo CD documentation itself explains.

So ideally you will set up at least two repositories, which makes using proxy charts a natural move.

Base charts repository
All your target charts are stored here, and Argo CD pulls Helm charts from here.

Proxy charts repository
This is where Argo CD syncs your desired application state from.

Although proxy charts might feel like overhead, it is a very useful technique. Sometimes you want to customise a chart but directly modifying the base chart is not ideal (maybe you are referencing a public chart); then you can use this technique to tailor the chart.

There are many more tricks you can do with this pattern. Say in some cases you want to share the same secret across multiple deployments; you can do something like this.

  # Maybe you want to reuse the same database credential for deployments in all regions?
  Chart.yaml
  templates/
      sealed-secret.yaml
  region-a-values.yaml
  region-b-values.yaml

Exercise

I have prepared a minimal setup for you to try my approach.

You can check out my repository https://github.com/timtsoitt/argocd-configs and follow the instructions.

Conclusion

While there is no one-size-fits-all solution, keeping things simple is always a best practice. Rather than introducing many tools and procedures, Sealed Secrets lets you manage your secrets in the simplest form.

Personally, I believe my approach fits most use cases. If you have any ideas or questions, feel free to comment here.

Also, if you like this article, please like, bookmark and share it :)


Original Link: https://dev.to/timtsoitt/argo-cd-and-sealed-secrets-is-a-perfect-match-1dbf
