Heads Ups sealit is still in development and some features are missing.
sealit is a CLI which provides an opinionated way of doing GitOps based on Bitnami's "Sealed Secrets" for Kubernetes and Helm Charts.
- Download the latest release from https://github.com/dschniepp/sealit/releases.
- Install sealed secrets via
helm
on your K8s cluster https://github.com/bitnami-labs/sealed-secrets/tree/main/helm/sealed-secrets - Run
sealit init
next to your environment specific values.yaml of your helm chart - Change the configuration file
.sealit.yaml
according to your needs - Run
sealit seal
to encrypt all secrets. Review if your secrets are encrypted otherwise tweak your config file again. - Create a
SealedSecret
resource (sealit template
) inside your Helm Chart and reference the secrets from thevalues.yaml
similar to{{ .Values.env.your_secret | trimPrefix "ENC:" }}
- Now you can securely commit your secrets and deploy your application based on your git repository, to Kubernetes
In the example
folder you can find a working solution and structure for using sealit, Sealed Secrets and Helm Charts.
sealit help
shows an overview over all commands and flags.
sealit init
creates a sample .sealit.yaml
configuration file.
sealit reseal
reseals all files. This is only working with Kubernetes as cert source.
sealit seal
seals all files according to the rules defined in the .sealit.yaml
.
sealit template
echos a SealedSecret Kubernetes resource, with parameter file
the output will be saved at the referenced location.
sealit seal
verifies of all secrets in the respective files are sealed according to the rules defined in the .sealit.yaml
.
This command can be used in the githooks, to prevent committing not encrypted files.
The default name of the configuration files is .sealit.yaml
.
The filename can be overwritten by setting the --config
flag.
A sample configuration file can be created via sealit init
.
sealingRules:
- fileRegex: \.dev\.yaml$ # Regex pattern for which files this rules are applied
name: secret # Name of the future secret
namespace: default # Namespace of the future secret
secretsRegex: (password|pin)$ # Regex of the key names which should be encrypted
cert:
maxAge: 720h0m0s
sources:
kubernetes:
context: KubeContextName
name: sealed-secrets
namespace: kube-system
url: https://example.org
path: cert.pem
The public cert can be fetched from different locations.
Independent from the way of fetching the cert the maxAge
is provided.
maxAge
is used to check the age of the cert based on the Valid after
date.
In case the cert is older or the --fetch-cert
flag is provided, a new cert is fetched.
Otherwise the cert from the meta field within the values.yaml
file is used for the encryption.
sealingRules:
- ...
cert:
...
sources:
...
path: "cert.pem"
sealingRules:
- ...
cert:
...
sources:
...
url: https://localhost:8080/cert.pem
sealingRules:
- ...
cert:
...
sources:
...
kubernetes:
context: KubeContextName
name: sealed-secrets
namespace: kube-system
Create a pre-commit
hook in git which runs sealit verify
.
sealit
is an alternative cli to kubeseal
which is part of Bitnami's Sealed Secrets.
Therefore sealit requires the Sealed Secret controller already installed on the cluster, this can be done via the helm chart.
The crypto part as well as the sealing principles are from Sealed Secrets.
For development git
, >= go1.14
, make
, access to a K8s cluster and Helm
is required.
Clone the repository via git clone https://github.com/dschniepp/sealit.git
to continue with one of the following steps.
make run
make test
Locally the application can be build via make build
and will populate the binary to the dist
folder.
Releases on GitHub are build and published via goreleaser and a GitHub Actions.
Thank you for considering contributing to the sealit! Before contributing, please be sure to read the Contribution Guide.
In order to ensure that the community is welcoming to all, please review and abide by the Code of Conduct.
If you discover a vulnerabilities within sealit, please send an e-mail to Daniel Schniepp via [email protected]
Thanks to the awesome work of the people behind SOPS and Sealed Secrets. sealit is heavily influenced by there ideas.
sealit is open-sourced software licensed under the MIT license.