[Video Course][Siddharth Barahalikar] FluxCD 101 with Hands-On Labs [ENG, 2023][~5h 45m]


Bitnami Sealed


02. DEMO - Setup Bitnami Sealed


$ flux create kustomization infra-security-kustomize-git-sealed-secrets \
  --source GitRepository/infra-source-git \
  --prune true \
  --interval 1h \
  --path ./bitnami-sealed-secrets \
  --export > infra-security-kustomize-git-sealed-secrets.yaml


commit / push


$ flux reconcile source git flux-system


$ kubectl -n kube-system get all


$ kubectl -n kube-system get secret
NAME                      TYPE                            DATA   AGE
bootstrap-token-l3do97    bootstrap.kubernetes.io/token   6      11h
sealed-secrets-keyxkmnn   kubernetes.io/tls               2      64s


Установка kubeseal


// Выдаст public / private keys контроллера (secret типа kubernetes.io/tls); приватный ключ из этого вывода нельзя сохранять в репозиторий или пересылать — им расшифровываются sealed secrets кластера
$ kubectl -n kube-system get secret sealed-secrets-keyxkmnn -o yaml


// Выведет публичный ключ в консоль
$ kubeseal \
  --fetch-cert \
  --controller-name sealed-secrets-controller \
  --controller-namespace kube-system


$ kubeseal \
  --fetch-cert \
  --controller-name sealed-secrets-controller \
  --controller-namespace kube-system > sealed-secret.pub


03. DEMO - EncryptDecrypt Secret using Bitnami Sealed Secrets


// Приостанавливаем kustomization, чтобы secret не пересоздавался из Git, пока мы его удаляем
$ flux suspend kustomization infra-database-kustomize-git-mysql
$ flux get kustomizations infra-database-kustomize-git-mysql


// Удаляем secret
$ kubectl -n database delete secrets secret-mysql


$ kubectl -n database get po,secrets,deploy
NAME                         READY   STATUS    RESTARTS        AGE
pod/mysql-5775767668-n2lql   1/1     Running   1 (6h28m ago)   12h

NAME                    READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/mysql   1/1     1            1           12h


$ kubectl -n database rollout restart deployment mysql


$ kubectl -n database describe pod mysql-77467b595-5wmmc
***
Failed *** Error: secret "secret-mysql" not found
***


$ cd ~/projects/dev/fluxcd/bb-app-source/infrastructure/database
$ kubeseal -o yaml --scope cluster-wide \
  --cert /home/marley/projects/dev/fluxcd/block-buster/clusters/my-cluster/sealed-secret.pub < secret-mysql.yaml > sealed-secret-mysql.yaml


$ rm secret-mysql.yaml


commit / push (если secret-mysql.yaml ранее коммитился в открытом виде, он остаётся в истории git — пароль стоит ротировать)


$ flux reconcile source git flux-system
$ flux resume kustomization infra-database-kustomize-git-mysql


$ kubectl -n database get secrets
NAME           TYPE     DATA   AGE
secret-mysql   Opaque   1      11s


$ kubectl -n database get secrets secret-mysql -o json | jq .data.password -r
$ kubectl -n database get secrets secret-mysql -o json | jq .data.password -r | base64 -d
mysql-password-0123456789


// OK!
http://192.168.49.2:30008/