bitnami-labs / sealed-secrets

A Kubernetes controller and tool for one-way encrypted Secrets
Apache License 2.0

Secrets are not being created for different namespaces #622

Open bpvcode opened 3 years ago

bpvcode commented 3 years ago

Explanation

I want to store my database credentials in sealed secret files. I'm trying to have sealed secrets for each namespace (dev, dev1). I'm using skaffold and kustomize to deploy to my remote k8s cluster.

1º Install the controller inside cluster for each namespace

I run the commands:

Path: overlays/dev

kubectl apply --filename controller-dev.yml

Path: overlays/dev1

kubectl apply --filename controller-dev1.yml

It is the same as running kubectl apply --filename https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.16.0/controller.yaml, but with the respective namespaces (dev, dev1) in each file instead of kube-system.

At this point, sealed-secret-controller has been created for both namespaces in remote k8s

2º Fetch cert

Path: overlays/dev

kubeseal --controller-namespace dev --fetch-cert > cert.pem

Path: overlays/dev1

kubeseal --controller-namespace dev1 --fetch-cert > cert.pem

At this point, in each path I have a cert.pem file.

3º Generate sealed secret

Path: overlays/dev

kubeseal < secret-postgres.yml --cert cert.pem -o yaml > sealed-secret-postgres.yml

Path: overlays/dev1

kubeseal < secret-postgres.yml --cert cert.pem -o yaml > sealed-secret-postgres.yml

At this moment, I have two different SealedSecret files, one in each path. The difference is the namespace and the encrypted data, although they hold the same key : value pairs.

4º Apply sealed secret for dev namespace

Path: overlays/dev

kubectl apply --filename sealed-secret-postgres.yml

Output:

sealedsecret.bitnami.com/postgres-secret created

If I run:

kubectl get secret -n dev

Output:

NAME                                    TYPE                                  DATA   AGE
default-token-gq5vd                     kubernetes.io/service-account-token   3      154m
postgres-secret                         Opaque                                3      128m
sealed-secrets-controller-token-4stnm   kubernetes.io/service-account-token   3      147m
sealed-secrets-keyvpxbc                 kubernetes.io/tls                     2      147m

At this point the postgres-secret was created, and if I output it in YAML format I am able to see the data with key : value pairs, base64 encoded.

5º Apply sealed secret for dev1 namespace

Path: overlays/dev1

kubectl apply --filename sealed-secret-postgres.yml

Output:

sealedsecret.bitnami.com/postgres-secret configured

If I run:

kubectl get secret -n dev1

Output:

NAME                                    TYPE                                  DATA   AGE
default-token-6d2mb                     kubernetes.io/service-account-token   3      51d
sealed-secrets-controller-token-xrmr2   kubernetes.io/service-account-token   3      120m
sealed-secrets-key7k4w8                 kubernetes.io/tls                     2      120m

NOTE: The postgres-secret was not created in this namespace

Expected behavior

It should create a new postgres-secret for each namespace, but it doesn't; it only creates one for the first namespace. Both have the same name and data; the only thing that is different is the namespace.

Additional Information

Kubeseal version: v0.16.1-0.20210512081140-62cfb264f53e
Operating system: Pop!_OS 20.04

rouke-broersma commented 3 years ago

Have you checked the events on the dev1 sealed secret? Perhaps there are some useful errors?

dosmanak commented 2 years ago

Why do you need more instances of controller in single k8s cluster?

rouke-broersma commented 2 years ago

Let's say you have a multitenant environment. You don't want sealed secret for tenant1 to be able to decrypt secrets for tenant2. So sealed secrets needs to be able to be restricted to a (set of) namespace(s), and be able to be deployed multiple times in the same cluster.

dosmanak commented 2 years ago

https://github.com/bitnami-labs/sealed-secrets#scopes

Unless you set cluster-wide scope, you can't decrypt a secret from another namespace.

goodgravy commented 1 year ago

> unless you set cluster-wide scope, you can't decrypt secret from other namespace.

Yes, but in this case they want to have two separate SealedSecrets and Secrets in the dev and dev1 namespaces – and in fact are creating those in step 3.

@rouke-broersma have you tried including the --namespace argument to kubeseal in step 3? You'll need to specifically generate the SealedSecret with the correct namespace in metadata.namespace and spec.template.metadata.namespace, unless you want to do the cluster-wide thing as suggested by @dosmanak .

rouke-broersma commented 1 year ago

I was only explaining why you might want multiple controllers in 1 cluster.

goodgravy commented 1 year ago

@rouke-broersma sorry I tagged the wrong person; @bpvcode I meant to suggest the --namespace argument to you.
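The suggestion in the last two comments is that the SealedSecret generated in step 3 must carry the target namespace in both metadata.namespace and spec.template.metadata.namespace (which is what passing --namespace to kubeseal does); without metadata.namespace, kubectl apply falls back to the current context namespace, which is consistent with the "configured" (rather than "created") output in step 5. The following is an added example, not code from this thread or from the sealed-secrets project: a small pre-apply check that reads a SealedSecret manifest (as produced by kubeseal -o json) and reports namespace mismatches before it reaches the cluster. The two sample manifests are constructed, with placeholder ciphertext; the scope annotation names are the ones documented upstream for sealed-secrets and are not taken from this page.

```python
"""Pre-apply check for a SealedSecret manifest (added example, not project code).

Usage: python check_sealed_secret.py <expected-namespace> < sealed-secret-postgres.json

Under the default (strict) scope the ciphertext is bound to the Secret's
name *and* namespace, so a SealedSecret sealed for one namespace cannot be
unsealed in another. This check catches the common mistake of sealing
without --namespace, which leaves metadata.namespace unset.
"""
import json
import sys
from typing import Dict, List

# Scope-relaxing annotations documented upstream for sealed-secrets.
CLUSTER_WIDE = "sealedsecrets.bitnami.com/cluster-wide"
NAMESPACE_WIDE = "sealedsecrets.bitnami.com/namespace-wide"


def check_sealed_secret(manifest: dict, expected_namespace: str) -> Dict[str, List[str]]:
    """Return {"errors": [...], "warnings": [...]}; empty lists mean the manifest is fine."""
    errors: List[str] = []
    warnings: List[str] = []

    if manifest.get("kind") != "SealedSecret":
        errors.append(f"kind is {manifest.get('kind')!r}, expected 'SealedSecret'")
        return {"errors": errors, "warnings": warnings}

    meta = manifest.get("metadata") or {}
    tmpl_meta = ((manifest.get("spec") or {}).get("template") or {}).get("metadata") or {}
    name, ns = meta.get("name"), meta.get("namespace")
    tmpl_name, tmpl_ns = tmpl_meta.get("name"), tmpl_meta.get("namespace")
    annotations = meta.get("annotations") or {}

    # Without metadata.namespace, kubectl apply targets the current context namespace.
    if ns is None:
        errors.append("metadata.namespace is unset; kubectl apply would use the current context namespace")
    elif ns != expected_namespace:
        errors.append(f"metadata.namespace is {ns!r}, expected {expected_namespace!r}")

    # The unsealed Secret is created from spec.template; it must land in the same namespace.
    if tmpl_ns != ns:
        errors.append(f"spec.template.metadata.namespace {tmpl_ns!r} differs from metadata.namespace {ns!r}")
    if tmpl_name is not None and tmpl_name != name:
        errors.append(f"spec.template.metadata.name {tmpl_name!r} differs from metadata.name {name!r}")

    # Relaxed scopes are not errors, but in a multi-tenant cluster they widen who can unseal.
    if annotations.get(CLUSTER_WIDE) == "true":
        warnings.append("cluster-wide scope: this SealedSecret can be unsealed in any namespace")
    elif annotations.get(NAMESPACE_WIDE) == "true":
        warnings.append("namespace-wide scope: this SealedSecret can be unsealed under any name in its namespace")

    return {"errors": errors, "warnings": warnings}


# Constructed sample: what kubeseal emits when --namespace was NOT given (no metadata.namespace).
SAMPLE_MISSING_NS = json.dumps({
    "kind": "SealedSecret", "apiVersion": "bitnami.com/v1alpha1",
    "metadata": {"name": "postgres-secret", "creationTimestamp": None},
    "spec": {"encryptedData": {"POSTGRES_PASSWORD": "AgA-CONSTRUCTED-PLACEHOLDER"},
             "template": {"metadata": {"name": "postgres-secret", "creationTimestamp": None}}},
})

# Constructed sample: sealed with --namespace dev1, so both namespace fields are set.
SAMPLE_DEV1 = json.dumps({
    "kind": "SealedSecret", "apiVersion": "bitnami.com/v1alpha1",
    "metadata": {"name": "postgres-secret", "namespace": "dev1", "creationTimestamp": None},
    "spec": {"encryptedData": {"POSTGRES_PASSWORD": "AgA-CONSTRUCTED-PLACEHOLDER"},
             "template": {"metadata": {"name": "postgres-secret", "namespace": "dev1",
                                       "creationTimestamp": None}}},
})


def check_json(text: str, expected_namespace: str) -> Dict[str, List[str]]:
    """Convenience wrapper: parse a JSON manifest string and check it."""
    return check_sealed_secret(json.loads(text), expected_namespace)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_sealed_secret.py <expected-namespace> < manifest.json")
    result = check_json(sys.stdin.read(), sys.argv[1])
    for line in result["warnings"]:
        print("warning:", line)
    for line in result["errors"]:
        print("error:", line)
    sys.exit(1 if result["errors"] else 0)
```

Run against the overlay's manifest before kubectl apply (a non-zero exit blocks the apply in CI). Against the constructed SAMPLE_MISSING_NS it reports the unset metadata.namespace; against SAMPLE_DEV1 with expected namespace dev1 it reports nothing, and with expected namespace dev it reports the mismatch, which is exactly the situation where a strict-scope SealedSecret would never be unsealed by the controller in the other namespace.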