sealed-secrets
Secrets are not being created for different namespaces
Explanation
I want to store my database credentials in sealed secret files.
I'm trying to have sealed secrets for each namespace (dev, dev1).
I'm using skaffold and kustomize to deploy to my remote k8s cluster.
1º Install the controller inside cluster for each namespace
I run the commands:
Path: overlays/dev
kubectl apply --filename controller-dev.yml
Path: overlays/dev1
kubectl apply --filename controller-dev1.yml
It is the same as running kubectl apply --filename https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.16.0/controller.yaml, but with the respective namespaces (dev, dev1) for each file instead of kube-system.
At this point, sealed-secret-controller has been created for both namespaces in remote k8s
2º Fetch cert
Path: overlays/dev
kubeseal --controller-namespace dev --fetch-cert > cert.pem
Path: overlays/dev1
kubeseal --controller-namespace dev1 --fetch-cert > cert.pem
At this point, in each path I have a cert.pem file.
3º Generate sealed secret
Path: overlays/dev
kubeseal < secret-postgres.yml --cert cert.pem -o yaml > sealed-secret-postgres.yml
Path: overlays/dev1
kubeseal < secret-postgres.yml --cert cert.pem -o yaml > sealed-secret-postgres.yml
At this moment, I have two different SealedSecret files, one in each path. The difference is the namespace and the encrypted data, although they are the same key : value pairs.
4º Apply sealed secret for dev namespace
Path: overlays/dev
kubectl apply --filename sealed-secret-postgres.yml
Output:
sealedsecret.bitnami.com/postgres-secret created
If I run:
kubectl get secret -n dev
Output:
NAME TYPE DATA AGE
default-token-gq5vd kubernetes.io/service-account-token 3 154m
postgres-secret Opaque 3 128m
sealed-secrets-controller-token-4stnm kubernetes.io/service-account-token 3 147m
sealed-secrets-keyvpxbc kubernetes.io/tls 2 147m
At this point the postgres-secret was created, and if I output it in YAML format I am able to see the data with the key : value pairs base64-encoded.
5º Apply sealed secret for dev1 namespace
Path: overlays/dev1
kubectl apply --filename sealed-secret-postgres.yml
Output:
sealedsecret.bitnami.com/postgres-secret configured
If I run:
kubectl get secret -n dev1
Output:
NAME TYPE DATA AGE
default-token-6d2mb kubernetes.io/service-account-token 3 51d
sealed-secrets-controller-token-xrmr2 kubernetes.io/service-account-token 3 120m
sealed-secrets-key7k4w8 kubernetes.io/tls 2 120m
NOTE: The postgres-secret was not created in this namespace
Expected behavior
It should create a new postgres-secret for each namespace, but it doesn't; it only creates it for the first namespace.
Both have the same name and data, the only thing that is different is the namespace
Additional Information
Kubeseal version: v0.16.1-0.20210512081140-62cfb264f53e
Operating system: Pop!_OS 20.04
Have you checked the events on the dev1 sealed secret? Perhaps there are some useful errors?
Why do you need more instances of controller in single k8s cluster?
Let's say you have a multitenant environment. You don't want the sealed secret for tenant1 to be able to decrypt secrets for tenant2. So sealed secrets need to be able to be restricted to a (set of) namespace(s), and to be deployable multiple times in the same cluster.
https://github.com/bitnami-labs/sealed-secrets#scopes
Unless you set cluster-wide scope, you can't decrypt a secret from another namespace.
Unless you set cluster-wide scope, you can't decrypt a secret from another namespace.
Yes, but in this case they want to have two separate SealedSecrets and Secrets in the dev and dev1 namespaces – and in fact are creating those in step 3.
@rouke-broersma have you tried including the --namespace argument to kubeseal in step 3? You'll need to specifically generate the SealedSecret with the correct namespace in metadata.namespace and spec.template.metadata.namespace, unless you want to do the cluster-wide thing as suggested by @dosmanak .
I was only explaining why you might want multiple controllers in 1 cluster.
@rouke-broersma sorry I tagged the wrong person; @bpvcode I meant to suggest the --namespace argument to you.
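The per-namespace sealing procedure from the original post (steps 2 and 3) and the --namespace suggestion above, as an added shell example that is not part of this issue thread or of the sealed-secrets project. It assumes kubeseal-style YAML output in which metadata.namespace is indented by two spaces and spec.template.metadata.namespace by six, and the sample SealedSecret it writes is constructed (the ciphertext is a placeholder). The check function is the thing to run in each overlay directory before kubectl apply: a file whose namespace fields still say "dev" will be applied on top of dev's existing SealedSecret (hence "configured" rather than "created") and nothing will ever appear in dev1.

```shell
#!/usr/bin/env sh
# Added example, not code from the issue or the sealed-secrets project.
# Assumption: kubeseal emits metadata.namespace with a 2-space indent and
# spec.template.metadata.namespace with a 6-space indent.

# Seal one plain Secret manifest for one namespace, using that namespace's
# own controller certificate. --namespace pins both namespace fields in the
# output, so the same input file yields a distinct, correctly targeted
# SealedSecret per namespace (strict scope: bound to name and namespace).
seal_for_namespace() {
  ns=$1; src=$2; out=$3
  kubeseal --controller-namespace "$ns" --fetch-cert > "cert-$ns.pem"
  kubeseal --cert "cert-$ns.pem" --namespace "$ns" --scope strict -o yaml \
    < "$src" > "$out"
}

# Namespace the SealedSecret object itself will be created in.
sealedsecret_namespace() {
  sed -n 's/^  namespace: *//p' "$1" | head -n 1
}

# Namespace the controller will write the unsealed Secret into.
template_namespace() {
  sed -n 's/^      namespace: *//p' "$1" | head -n 1
}

# Return 0 when both namespace fields equal the expected namespace;
# otherwise report the mismatch on stderr and return 1.
check_sealedsecret_namespace() {
  file=$1; expected=$2
  meta=$(sealedsecret_namespace "$file")
  tmpl=$(template_namespace "$file")
  if [ "$meta" = "$expected" ] && [ "$tmpl" = "$expected" ]; then
    return 0
  fi
  echo "$file: metadata.namespace=$meta template.namespace=$tmpl expected=$expected" >&2
  return 1
}

# Show the controller's events for a SealedSecret (the diagnostic asked
# for above); an unseal failure shows up here as an error event.
sealedsecret_events() {
  kubectl describe sealedsecret "$2" -n "$1"
}

# Constructed sample: the shape of sealed-secret-postgres.yml with both
# namespace fields set to $2. Ciphertext is a placeholder, not real data.
write_sample() {
  cat > "$1" <<EOF
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: postgres-secret
  namespace: $2
spec:
  encryptedData:
    POSTGRES_PASSWORD: AgBplaceholderCiphertextNotReal
  template:
    metadata:
      name: postgres-secret
      namespace: $2
    type: Opaque
EOF
}

# Typical use from overlays/dev1:
#   seal_for_namespace dev1 secret-postgres.yml sealed-secret-postgres.yml
#   check_sealedsecret_namespace sealed-secret-postgres.yml dev1 && \
#     kubectl apply --filename sealed-secret-postgres.yml
#   sealedsecret_events dev1 postgres-secret
```

The check only inspects the manifest, so it costs nothing to put in front of every apply in a skaffold or kustomize pipeline; the events lookup is the follow-up when the SealedSecret exists in the right namespace but no Secret appears, which is where a key or scope mismatch between controllers becomes visible.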