sealit
Heads up: sealit is still in development and some features are missing.
sealit is a CLI that provides an opinionated way of doing GitOps with Bitnami's "Sealed Secrets", Kubernetes and Helm Charts.
Getting started
- Download the latest release from https://github.com/dschniepp/sealit/releases.
- Install Sealed Secrets via `helm` on your K8s cluster: https://github.com/bitnami-labs/sealed-secrets/tree/main/helm/sealed-secrets
- Run `sealit init` next to the environment-specific `values.yaml` of your Helm chart.
- Change the configuration file `.sealit.yaml` according to your needs.
- Run `sealit seal` to encrypt all secrets. Review whether your secrets are actually encrypted; otherwise tweak your config file and seal again.
- Create a `SealedSecret` resource (`sealit template`) inside your Helm chart and reference the secrets from the `values.yaml`, similar to `{{ .Values.env.your_secret | trimPrefix "ENC:" }}`. The `ENC:` prefix marks a value as sealed; it is stripped here because the SealedSecret expects the bare ciphertext.
- Now you can securely commit your secrets and deploy your application from your git repository to Kubernetes.
In the `example` folder you can find a working solution and structure for using sealit, Sealed Secrets and Helm Charts.
Commands
sealit help
`sealit help` shows an overview of all commands and flags.
sealit init
`sealit init` creates a sample `.sealit.yaml` configuration file.
sealit reseal
`sealit reseal` reseals all files. This only works with Kubernetes as the cert source.
sealit seal
`sealit seal` seals all files according to the rules defined in the `.sealit.yaml`.
sealit template
`sealit template` echoes a SealedSecret Kubernetes resource; when a file parameter is given, the output is saved at the referenced location instead.
sealit verify
`sealit verify` verifies that all secrets in the respective files are sealed according to the rules defined in the `.sealit.yaml`.
This command can be used in git hooks to prevent committing unencrypted files.
Configuration
The default name of the configuration file is `.sealit.yaml`. The filename can be overridden by setting the `--config` flag. A sample configuration file can be created via `sealit init`.
```yaml
sealingRules:
  - fileRegex: \.dev\.yaml$ # Regex pattern for which files this rule is applied
    name: secret # Name of the future secret
    namespace: default # Namespace of the future secret
    secretsRegex: (password|pin)$ # Regex of the key names which should be encrypted
    cert:
      maxAge: 720h0m0s
      sources:
        kubernetes:
          context: KubeContextName
          name: sealed-secrets
          namespace: kube-system
        url: https://example.org
        path: cert.pem
```
Cert locations and age
The public cert can be fetched from different locations. Regardless of how the cert is fetched, `maxAge` applies.
Maximum cert age
`maxAge` is used to check the age of the cert based on its Valid after date. If the cert is older than `maxAge` or the `--fetch-cert` flag is provided, a new cert is fetched. Otherwise the cert from the meta field within the `values.yaml` file is used for the encryption. The 720h in the sample matches the Sealed Secrets controller's default 30-day key renewal period. Sealing with an older cert is not a confidentiality problem (the controller keeps its previous private keys and still decrypts), but it defeats the purpose of rotation, so keep `maxAge` at or below the renewal period.
Local cert file
```yaml
sealingRules:
  - ...
    cert:
      ...
      sources:
        ...
        path: "cert.pem"
```
Remote cert file
```yaml
sealingRules:
  - ...
    cert:
      ...
      sources:
        ...
        url: https://localhost:8080/cert.pem
```
Whoever can substitute the file behind this URL hands you their own public key and can then decrypt every value you seal with it, so serve the cert over HTTPS only and compare its fingerprint with the cert your controller actually serves before sealing.
Remote cert from Kubernetes
```yaml
sealingRules:
  - ...
    cert:
      ...
      sources:
        ...
        kubernetes:
          context: KubeContextName
          name: sealed-secrets
          namespace: kube-system
```
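The cert sealit seals with is a public key, so the risk with the `url` and `path` sources is not staleness but substitution: every value sealed with a swapped cert is readable by whoever holds the matching private key. The script below is an added example, not part of sealit; it pins a fetched `cert.pem` to the fingerprint of the cert the controller serves, using `kubeseal --fetch-cert` for the cluster side (its `--controller-name` and `--controller-namespace` flags correspond to the `name` and `namespace` fields of the `kubernetes` source). The script name `pin-cert.sh` and GNU coreutils (`base64 -d`, `sha256sum`) are assumptions.

```shell
#!/bin/sh
# pin-cert.sh (name assumed): refuse to seal with a public cert that is not
# the one the Sealed Secrets controller actually serves.
# Added example, not part of the sealit project. Assumes GNU coreutils
# (base64 -d, sha256sum) and, for the cluster side, kubeseal with access to
# the cluster; cert.pem is whatever the `url` or `path` source delivered.
set -eu

# SHA-256 over the DER bytes of the first CERTIFICATE block in a PEM file,
# printed as lower-case hex. Returns 1 when the file holds no such block.
pem_fingerprint() {
    body=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | sed '/-----/d' | tr -d '\n\r')
    [ -n "$body" ] || return 1
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# True when the PEM's fingerprint equals the expected one; the expected value
# may be upper-case or colon-separated as printed by most tools.
pem_fingerprint_matches() {
    pem="$1"
    want=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    got=$(pem_fingerprint "$pem") || return 1
    [ "$got" = "$want" ]
}

# Fingerprint of the cert the controller serves right now. The two flags
# correspond to the name and namespace fields of the `kubernetes` source.
controller_fingerprint() {
    name="${1:-sealed-secrets}"
    ns="${2:-kube-system}"
    tmp=$(mktemp)
    kubeseal --fetch-cert --controller-name "$name" --controller-namespace "$ns" > "$tmp"
    pem_fingerprint "$tmp"
    rm -f "$tmp"
}

# Usage: pin-cert.sh <cert.pem> [controller-name] [controller-namespace]
main() {
    [ $# -ge 1 ] || { echo "usage: pin-cert.sh <cert.pem> [controller-name] [controller-namespace]" >&2; exit 2; }
    fetched="$1"
    want=$(controller_fingerprint "${2:-sealed-secrets}" "${3:-kube-system}")
    if pem_fingerprint_matches "$fetched" "$want"; then
        echo "ok: $fetched matches the controller cert (sha256 $want)"
    else
        echo "MISMATCH: $fetched is not the controller's cert, do not seal with it" >&2
        exit 1
    fi
}

# Run only when invoked under the script name, so the functions can be sourced.
case "${0##*/}" in pin-cert.sh) main "$@" ;; esac
```

Run it once against the `cert.pem` you are about to commit (`./pin-cert.sh cert.pem sealed-secrets kube-system`); on a machine without cluster access, record the fingerprint printed by `pem_fingerprint` on a trusted copy and pass it to `pem_fingerprint_matches` instead.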
Prevent committing unencrypted files
Create a `pre-commit` hook in git which runs `sealit verify`. Hooks are local and can be skipped with `git commit --no-verify`, so run `sealit verify` in CI as well.
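A hook that implements this, added here as an example and not taken from the sealit project: it runs `sealit verify` from the repository root and refuses the commit both when verification fails and when `sealit` is not installed, so a machine without the tool cannot commit unverified files. `SEALIT_CONFIG` is an environment variable introduced by this script, not a sealit feature; it is only handed to sealit's documented `--config` flag.

```shell
#!/bin/sh
# pre-commit hook: refuse the commit while `sealit verify` reports unsealed
# secrets. Added example, not part of the sealit project.
# Install:  cp hooks/pre-commit .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
# or version it and point git at the directory:  git config core.hooksPath hooks
# Assumes sealit is on PATH and .sealit.yaml lives in the repository root.
# SEALIT_CONFIG is a variable introduced by this hook, not a sealit feature;
# when set, it is handed to sealit's --config flag.
set -eu

# Run the verifier named by $1. Fails closed: a missing tool counts as a
# failed verification instead of being skipped silently.
run_verify() {
    tool="$1"
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "pre-commit: '$tool' not found on PATH, refusing to commit unverified secrets" >&2
        return 1
    fi
    if [ -n "${SEALIT_CONFIG:-}" ]; then
        "$tool" verify --config "$SEALIT_CONFIG"
    else
        "$tool" verify
    fi
}

# No staged-file filtering here on purpose: sealit verify already selects files
# through the fileRegex rules, and a second filter that drifts from .sealit.yaml
# would open a gap rather than save time.
main() {
    # Work from the repository root so relative paths in .sealit.yaml resolve.
    cd "$(git rev-parse --show-toplevel)"
    if run_verify sealit; then
        exit 0
    fi
    echo "pre-commit: unsealed secrets found; run 'sealit seal', re-stage the files and commit again" >&2
    exit 1
}

# Run only when installed under the hook name, so the functions can be sourced elsewhere.
case "${0##*/}" in pre-commit) main ;; esac
```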
Limitations and scope
sealit is an alternative CLI to `kubeseal`, which is part of Bitnami's Sealed Secrets.
Therefore sealit requires the Sealed Secrets controller to be installed on the cluster already; this can be done via the Helm chart.
The crypto as well as the sealing principles come from Sealed Secrets.
Development
For development `git`, `go` >= 1.14, `make`, access to a K8s cluster and Helm are required.
Clone the repository via `git clone https://github.com/dschniepp/sealit.git` to continue with one of the following steps.
Run sealit
`make run`
Run tests
`make test`
Build application
Locally the application can be built via `make build`, which puts the binary into the `dist` folder.
Releases on GitHub are built and published via goreleaser and GitHub Actions.
Contribute
Thank you for considering contributing to sealit! Before contributing, please be sure to read the Contribution Guide.
Code of Conduct
In order to ensure that the community is welcoming to all, please review and abide by the Code of Conduct.
Security
If you discover a vulnerability within sealit, please send an e-mail to Daniel Schniepp via d.schniepp@indale.com.
Credits
Thanks to the awesome work of the people behind SOPS and Sealed Secrets. sealit is heavily influenced by their ideas.
License
sealit is open-sourced software licensed under the MIT license.