debian-mirror-gitlab/doc/user/clusters/agent/gitops/secrets_management.md

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

62 lines
3 KiB
Markdown
Raw Normal View History

2022-05-07 20:08:51 +05:30
---
stage: Configure
group: Configure
2022-11-25 23:54:43 +05:30
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
2022-05-07 20:08:51 +05:30
---
# Managing Kubernetes secrets in a GitOps workflow
You should never store Kubernetes secrets in unencrypted form in a `git` repository. If you use a GitOps workflow, you can follow these steps to securely manage your secrets.
1. Set up the Sealed Secrets controller to manage secrets.
1. Deploy Docker credentials so the cluster can pull images from the GitLab Container Registry.
## Prerequisites
This setup requires:
- A [GitLab agent for Kubernetes configured for the GitOps workflow](../gitops.md).
- Access to the cluster to finish the setup.
## Set up the Sealed Secrets controller to manage secrets
You can use the [Sealed Secrets controller](https://github.com/bitnami-labs/sealed-secrets) to store encrypted secrets securely in a `git` repository. The controller decrypts the secret into a standard Kubernetes `Secret` kind resource.
1. Go to [the Sealed Secrets release page](https://github.com/bitnami-labs/sealed-secrets/releases) and download the most recent `controller.yaml` file.
1. In GitLab, go to the project that contains your Kubernetes manifests and upload the `controller.yaml` file.
1. Open the agent configuration file (`config.yaml`) and if needed, update the `paths.glob` pattern to match the Sealed Secrets manifest.
1. Commit and push the changes to GitLab.
1. Confirm that the Sealed Secrets controller was installed successfully:
```shell
kubectl get pods -lname=sealed-secrets-controller -n kube-system
```
1. Install the `kubeseal` command line utility by following [the Sealed Secrets instructions](https://github.com/bitnami-labs/sealed-secrets#homebrew).
1. Get the public key you need to encrypt secrets without direct access to the cluster:
```shell
kubeseal --fetch-cert > public.pem
```
1. Commit the public key to the repository.
For more details on how the Sealed Secrets controller works, view [the usage instructions](https://github.com/bitnami-labs/sealed-secrets/blob/main/README.md#usage).
## Deploy Docker credentials
To deploy containers from the GitLab Container Registry, you must configure the cluster with the proper Docker registry credentials. You can achieve this by deploying a `docker-registry` type secret.
1. Generate a GitLab token with at least `read-registry` rights. The token can be either a Personal or a Project Access Token.
1. Create a Kubernetes secret manifest YAML file. Update the values as needed:
```shell
kubectl create secret docker-registry gitlab-credentials --docker-server=registry.gitlab.example.com --docker-username=<gitlab-username> --docker-password=<gitlab-token> --docker-email=<gitlab-user-email> -n <namespace> --dry-run=client -o yaml > gitlab-credentials.yaml
```
1. Encrypt the secret into a `SealedSecret` manifest:
```shell
kubeseal --format=yaml --cert=public.pem < gitlab-credentials.yaml > gitlab-credentials.sealed.yaml
```