diff --git a/.github/workflows/kustomize-sealed-secrets.yaml b/.github/workflows/kustomize-sealed-secrets.yaml new file mode 100644 index 00000000..1f5e4157 --- /dev/null +++ b/.github/workflows/kustomize-sealed-secrets.yaml @@ -0,0 +1,37 @@ +name: Kustomize GitHub Actions for sealed-secrets + +on: + pull_request: + paths: + - kustomize/sealed-secrets/** + - .github/workflows/kustomize-sealed-secrets.yaml +jobs: + kustomize: + strategy: + matrix: + overlays: + - base + name: Kustomize + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - uses: azure/setup-helm@v3 + with: + version: latest + token: "${{ secrets.GITHUB_TOKEN }}" + id: helm + - name: Kustomize Install + working-directory: /usr/local/bin/ + run: | + if [ ! -f /usr/local/bin/kustomize ]; then + curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | sudo bash + fi + - name: Run Kustomize Build + run: | + kustomize build kustomize/sealed-secrets/${{ matrix.overlays }} --enable-helm --helm-command ${{ steps.helm.outputs.helm-path }} > /tmp/rendered.yaml + - name: Return Kustomize Build + uses: actions/upload-artifact@v2 + with: + name: kustomize-sealed-secrets-artifact-${{ matrix.overlays }} + path: /tmp/rendered.yaml diff --git a/docs/sealed-secrets.md b/docs/sealed-secrets.md new file mode 100644 index 00000000..e46d4dae --- /dev/null +++ b/docs/sealed-secrets.md @@ -0,0 +1,76 @@ +# Sealed Secrets Introduction and Installation Guide + + +Sealed Secrets is a Kubernetes-native solution for securely storing and managing sensitive information within Kubernetes Secrets. It ensures secure secret management by encrypting Kubernetes Secrets and storing them as SealedSecret resources, which can only be decrypted by the cluster itself. + +Sealed Secrets utilizes public-key cryptography to encrypt secrets, enabling safe storage in your version control system. + + +## Installation + +``` shell +cd kustomize/sealed-secrets/base +``` + +- Modify the `values.yaml` file with your desired configurations. Refer to the sample configuration in this directory, already updated for installation. + +``` shell +vi values.yaml +``` + +- Perform the installation: + +``` shell +kubectl kustomize . --enable-helm | kubectl apply -f - +``` + +!!! note + Ensure to take a backup of the `sealed-secrets-keyxxxx` Kubernetes Secret from the sealed-secrets namespace, as it will be required for the restoration process if needed. + +``` +kubectl get secret -n sealed-secrets -l sealedsecrets.bitnami.com/sealed-secrets-key=active -o yaml > sealed-secrets-key.yaml +``` + +## Usage Example: +In this example, we will use Sealed Secrets to encrypt a Grafana certificate from Kubernetes Secret yaml file. + +### Encrypting Kubernetes Secret: +- Kubernetes Secret yaml file containing Grafana certificate: +``` +# cat grafana-cert.yaml +apiVersion: v1 +data: + ca.crt: + LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJjVENDQVJhZ0F3SUJBZ0lRYjBYbHp2d3JIWTd0MjNBREJ5Y2NnekFLQmdncWhrak9QUVFEQWpBWU1SWXcKRkFZRFZRUURFdzF5WVdOcmMzQmhZMlV1WTI5dE1CNFhEVEkwTURJeU5ERXdOVFExT0ZvWERUTTBNREl5TVRFdwpOVFExT0Zvd0dERVdNQlFHQTFVRUF4TU5jbUZqYTNOd1lXTmxMbU52YlRCWk1CTUdCeXFHU000OUFnRUdDQ3FHClNNNDlBd0VIQTBJQUJPd0owMU1ZTWw4MUNyV1dMODlQQkhvVG5telZCT2xRMkdMMDFTd2JjYXZQVmRCWnVHamIKeFlwR3VKVDd1UG5xdVp4eFZ4djhUSFlPcVVVL1ZYT2ZtdkNqUWpCQU1BNEdBMVVkRHdFQi93UUVBd0lDcERBUApCZ05WSFJNQkFmOEVCVEFEQVFIL01CMEdBMVVkRGdRV0JCUU5weXZnNk1CSWFnZENuOVR1ejZ3SkZDMVIvekFLCkJnZ3Foa2pPUFFRREFnTkpBREJHQWlFQTY5T25ScUZ5SHZQbjJkWFZ6YjBTVFRZY2UxUUZGUEphWXFVYnQrc2kKdG13Q0lRRDE2ODV0UDBKcnZRRnB6NVlPNFdYQ2xEQWxabTgxUWRwN1lWY0FJS1RhbWc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + tls.crt: + LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNUVENDQWZLZ0F3SUJBZ0lSQUxieTRuVUJoTWlvYkVTS01yVmwrbEl3Q2dZSUtvWkl6ajBFQXdJd0dERVcKTUJRR0ExVUVBeE1OY21GamEzTndZV05sTG1OdmJUQWVGdzB5TkRBek1UVXhNakk0TUROYUZ3MHlPVEF6TVRReApNakk0TUROYU1BQXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEUStvcVhlUVZWCmRSWkFWclM2ekZwMDlONXpDWUJRcS9HRjNNS1NyWnNkK3VNVlFXakIwcXlJcWJRdm9kL0N0NFhMdWx3a3UyWkIKQlg1MFN4NHJMVGhKQ3ExY2VIQ3lnRUZRa1gyekl6dlBkaCtTcFhWUnhMdzhHZW1ramZ5R3VXeVdydkVEa1cxKwpaM0dYOFc0ZzRZVkwyUEhSLzBIOWxSaVVhK2lYMmM0ZkJhVWoyTUQ3bkF6eWRKaEpneU5rQVZqUHFkRGpGay90CmdIS3pDTGhRTjd0d083ZzluU1UwdTJ1aWI4Z0FZeng0aHl1SWtwR3dCL3JNQkFWb0pxV3Y5eFFkVWd2S2w4a0EKbDFydngwaFlveWZETUprWVQ3SkFYZExEWTJRTUNyY0Y3d0poQUMzYThhYXJqRlUwWXFiQ0Z4TCtvRGw3OGxDbwp2akt2NG0wUmliU1ZBZ01CQUFHamFqQm9NQTRHQTFVZER3RUIvd1FFQXdJRm9EQU1CZ05WSFJNQkFmOEVBakFBCk1COEdBMVVkSXdRWU1CYUFGQTJuSytEb3dFaHFCMEtmMU83UHJBa1VMVkgvTUNjR0ExVWRFUUVCL3dRZE1CdUMKR1dkeVlXWmhibUV0YkdGaUxtUmxiVzh1YldzNGN5NXVaWFF3Q2dZSUtvWkl6ajBFQXdJRFNRQXdSZ0loQU9lRwp4d1l0S1ZUTjVMcmpwbGR6YlVOLzQ3NnFqM0t4NXdZcGlCL0VaalY5QWlFQXRHU3ZJZlJ2R0JGY1lqaWRyNFl1Ckw1S0Rwd21rZkt0eFhuNi9xamF0eG1jPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + tls.key: + LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBMFBxS2wza0ZWWFVXUUZhMHVzeGFkUFRlY3dtQVVLdnhoZHpDa3EyYkhmcmpGVUZvCndkS3NpS20wTDZIZndyZUZ5N3BjSkx0bVFRVitkRXNlS3kwNFNRcXRYSGh3c29CQlVKRjlzeU03ejNZZmtxVjEKVWNTOFBCbnBwSTM4aHJsc2xxN3hBNUZ0Zm1keGwvRnVJT0dGUzlqeDBmOUIvWlVZbEd2b2w5bk9Id1dsSTlqQQorNXdNOG5TWVNZTWpaQUZZejZuUTR4WlA3WUJ5c3dpNFVEZTdjRHU0UFowbE5MdHJvbS9JQUdNOGVJY3JpSktSCnNBZjZ6QVFGYUNhbHIvY1VIVklMeXBmSkFKZGE3OGRJV0tNbnd6Q1pHRSt5UUYzU3cyTmtEQXEzQmU4Q1lRQXQKMnZHbXE0eFZOR0ttd2hjUy9xQTVlL0pRcUw0eXIrSnRFWW0wbFFJREFRQUJBb0lCQVFDR2x0VnJlS1hXdy9Idwp2ZWJuNTNUYW5sb2wvSmlIWERYUTRMenZlcC9NVHlpeEo4OHdCVjdaSlhMR3VwcEI3YkJkNVVneTMvNmJJYzZ2ClZ6RzIzUWpEQWYxazhLeWtTYlhIRGV6RzBvcFNzdURpc1cwOW5GY2UzaEY3eVhZNXpuSUJHZXBmUWVvaTNyeHAKL3pQT09YQi95TmoxUmxCWjRReFRpcXZpSUlSL3RSZmNQcFp2RWFRRHo5RDBwcm5VTG5raXdqZ1FsUVhnWXdITwpFYjRBZTlwaWwzZ3plNnVoeGxOWEc3bE1nYjFoOHZFa0RNOURJK0tqd25tYjF3eEZCSkZEQ2E4dm15ZDZZTThRCnU1bU5JbVc3bmh1bTA3akRid0tXSDgySE5kTWEwT2g4T0RCWENSSkVhMTZ2YXd0NVNCWjJLcVdlbmpaTlUycmwKTzJ2UmRZUUJBb0dCQVAxUzhEeTVWRkVQUHB4RCtLZHJzWGlVcER6Rzl2VGZmS3ZLQ2NBNExpVEJNYTdEdlRNTwpMeFRJaldMekhmZUFPbXBzVngrK3U4S1kzd2txbTBDcWpabzZ3eVpXcWZhZkJ6bUluK3p3Zm9tQmlIazJwZ2tCCjlTdU95VW9Bb0djYSt6TUtyZXpJRjVrc2FaUmlJbERsL2dheWFlVUZyWGhLZUJTbDF0Q3lOVTlOQW9HQkFOTXYKcmkxcllLZkVPeGxOTlpTbVczQzRiZ2RJZlNoRXNYaVcrUkxFYkdqamgwRWN5Vy92SCtrMU5TdU5aZERpUk9BRwpVQmhmT29YSnVYbzJkTlRXdXFuSE9QL2pxUG1tYWRhU3dpejNtUFNqRUppU3hUbFBQMGEyb0Jpa3VTVlAybDFVCkxxa0MrZ1ZEWHhoaXlXUXlKMUNnY0dNb0IyTVI4R0RaZkVXSm9lWnBBb0dCQU9EdjBWUUtPRjFWelFHU3RXdHMKREFVRzc2THNCUU5Bb3dJamYyOElNNmo5UnpGb3EwcDNjTVRpby9EVjhha0FXbDUvWHdsWUluN1RvVkFSWGhRWQpuVzN5ZWJCRVNkMHNMbzBlek9ybVRXV3ArRld4ZWRNTHd2aHZiRHJpdll0d0FOZTh4dDAyZXdYTzB0MG9HbEo5Ck5vZ1p5ai9MUDlKTlJiMEgyT3d0SVhzTkFvR0FNaXRrbEhPcTNaQVhmaFpDZ1ZMWDdEcFVJVFRPVHMrcTNYdjQKSmNZMS91RDJrN2hUL2x4dlYwYUZvQmdTTlFKYjNHQ0RqSmFxMzNlaHNXL1laMnV2b24rcWdkZkNuN1F4OW9DYwowblByaVVwbnVlYzhKVFkzVVFRM21rTWZuTWFRbUpWVUZHQ1pwc0J2aWVxRjcyQ2V5RitrODFsaUQ5NEdIZXZzCnd0UkVldWtDZ1lFQSt1ZExMZllCRitFaDZIVldvT3NXU2lqZCtrTnh4ajhaK2VSMWhOaWxtN1I5RlNkVzJHVEoKY2lvMlIrSDhWU0xudnFjZ29oWXNxZ0N0VXViTnpNbjdlbEt4RkNOOHRaS1lUYnhHcU5IUHJ4WE43M3RQNy83WAp2MWF4UXQvbm5lcDEvaVYzODVBcUZLdGZ6UU9Ua25sdGJBcmxyZzRvRFk4d0NtUmcwTi9aLzJFPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= +kind: Secret +metadata: + annotations: + cert-manager.io/alt-names: grafana-lab.demo.mk8s.net + name: grafana + namespace: rackspace-system +type: kubernetes.io/tls +``` +- Download [kubeseal](https://github.com/bitnami-labs/sealed-secrets/releases) binary. +- Use `kubeseal` for the Kuberntes Secret entryption: +``` shell +kubeseal --scope cluster-wide --allow-empty-data -o yaml --controller-namespace rackspace-system < ~/grafana-cert.yaml > encrypted_grafana-cert.yaml +cat encrypted_grafana-cert.yaml +``` +For more options around `kubeseal` please check help page. + +- Upload the encrypted Sealed Secret resource(`encrypted_grafana-cert.yaml`) to your version control system. It can only be decrypted using the secret created during the Sealed Secrets installation. + +### Deploying Kubernetes Secret from Sealed Secret Resource: +- Apply sealed-secret resource(`encrypted_grafana-cert.yaml`): +```shell +kubectl apply -f encrypted_grafana-cert.yaml +``` +- Verify that the Sealed Secret has been created and the Kubernetes Secret has been decrypted: +```shell +kubectl get sealedsecret/grafana -n rackspace-system +kubectl get secret grafana -n rackspace-system +``` diff --git a/kustomize/sealed-secrets/base/kustomization.yaml b/kustomize/sealed-secrets/base/kustomization.yaml new file mode 100644 index 00000000..d8033add --- /dev/null +++ b/kustomize/sealed-secrets/base/kustomization.yaml @@ -0,0 +1,12 @@ +resources: + - './namespace.yaml' +namespace: sealed-secrets +helmGlobals: + chartHome: ../charts/ +helmCharts: +- name: sealed-secrets + includeCRDs: true + releaseName: sealed-secrets + valuesFile: values.yaml + version: 2.14.2 + repo: https://bitnami-labs.github.io/sealed-secrets diff --git a/kustomize/sealed-secrets/base/namespace.yaml b/kustomize/sealed-secrets/base/namespace.yaml new file mode 100644 index 00000000..100ff1eb --- /dev/null +++ b/kustomize/sealed-secrets/base/namespace.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + labels: + kubernetes.io/metadata.name: sealed-secrets + name: sealed-secrets + name: sealed-secrets diff --git a/kustomize/sealed-secrets/base/values.yaml b/kustomize/sealed-secrets/base/values.yaml new file mode 100644 index 00000000..a4172609 --- /dev/null +++ b/kustomize/sealed-secrets/base/values.yaml @@ -0,0 +1,486 @@ +## @section Common parameters + +## @param kubeVersion Override Kubernetes version +## +kubeVersion: "" +## @param nameOverride String to partially override sealed-secrets.fullname +## +nameOverride: "" +## @param fullnameOverride String to fully override sealed-secrets.fullname +## +fullnameOverride: "sealed-secrets-controller" +## @param namespace Namespace where to deploy the Sealed Secrets controller +## +namespace: "" + +## @param extraDeploy [array] Array of extra objects to deploy with the release +## +extraDeploy: [] +## @param commonAnnotations [object] Annotations to add to all deployed resources +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +commonAnnotations: {} + +## @param commonLabels [object] Labels to add to all deployed resources +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +commonLabels: {} + +## @section Sealed Secrets Parameters + +## Sealed Secrets image +## ref: https://hub.docker.com/r/bitnami/sealed-secrets-controller/tags +## @param image.registry Sealed Secrets image registry +## @param image.repository Sealed Secrets image repository +## @param image.tag Sealed Secrets image tag (immutable tags are recommended) +## @param image.pullPolicy Sealed Secrets image pull policy +## @param image.pullSecrets [array] Sealed Secrets image pull secrets +## +image: + registry: docker.io + repository: bitnami/sealed-secrets-controller + tag: 0.25.0 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] +## @param revisionHistoryLimit Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) +## e.g: +revisionHistoryLimit: "" +## @param createController Specifies whether the Sealed Secrets controller should be created +## +createController: true +## @param secretName The name of an existing TLS secret containing the key used to encrypt secrets +## +secretName: "sealed-secrets-key" +## @param updateStatus Specifies whether the Sealed Secrets controller should update the status subresource +## +updateStatus: true +## @param skipRecreate Specifies whether the Sealed Secrets controller should skip recreating removed secrets +## Setting it to true allows to optionally restore backward compatibility in low priviledge +## environments when old versions of the controller did not require watch permissions on secrets +## for secret re-creation. +## +skipRecreate: false +## @param keyrenewperiod Specifies key renewal period. Default 30 days +## e.g +## keyrenewperiod: "720h30m" +## +keyrenewperiod: "0" +## @param rateLimit Number of allowed sustained request per second for verify endpoint +## +rateLimit: "" +## @param rateLimitBurst Number of requests allowed to exceed the rate limit per second for verify endpoint +## +rateLimitBurst: "" +## @param additionalNamespaces List of namespaces used to manage the Sealed Secrets +## +additionalNamespaces: [] +## @param privateKeyAnnotations Map of annotations to be set on the sealing keypairs +## +privateKeyAnnotations: {} +## @param privateKeyLabels Map of labels to be set on the sealing keypairs +## +privateKeyLabels: {} +## @param logInfoStdout Specifies whether the Sealed Secrets controller will log info to stdout +## +logInfoStdout: false +## @param command Override default container command +## +command: [] +## @param args Override default container args +## +args: [] +## Configure extra options for Sealed Secret containers' liveness, readiness and startup probes +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes +## @param livenessProbe.enabled Enable livenessProbe on Sealed Secret containers +## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe +## @param livenessProbe.periodSeconds Period seconds for livenessProbe +## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe +## @param livenessProbe.failureThreshold Failure threshold for livenessProbe +## @param livenessProbe.successThreshold Success threshold for livenessProbe +## +livenessProbe: + enabled: true + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 +## @param readinessProbe.enabled Enable readinessProbe on Sealed Secret containers +## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe +## @param readinessProbe.periodSeconds Period seconds for readinessProbe +## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe +## @param readinessProbe.failureThreshold Failure threshold for readinessProbe +## @param readinessProbe.successThreshold Success threshold for readinessProbe +## +readinessProbe: + enabled: true + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 +## @param startupProbe.enabled Enable startupProbe on Sealed Secret containers +## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe +## @param startupProbe.periodSeconds Period seconds for startupProbe +## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe +## @param startupProbe.failureThreshold Failure threshold for startupProbe +## @param startupProbe.successThreshold Success threshold for startupProbe +## +startupProbe: + enabled: false + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 +## @param customLivenessProbe Custom livenessProbe that overrides the default one +## +customLivenessProbe: {} +## @param customReadinessProbe Custom readinessProbe that overrides the default one +## +customReadinessProbe: {} +## @param customStartupProbe Custom startupProbe that overrides the default one +## +customStartupProbe: {} +## Sealed Secret resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## @param resources.limits [object] The resources limits for the Sealed Secret containers +## @param resources.requests [object] The requested resources for the Sealed Secret containers +## +resources: + limits: {} + requests: {} +## Configure Pods Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enabled Sealed Secret pods' Security Context +## @param podSecurityContext.fsGroup Set Sealed Secret pod's Security Context fsGroup +## +podSecurityContext: + enabled: true + fsGroup: 65534 +## Configure Container Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param containerSecurityContext.enabled Enabled Sealed Secret containers' Security Context +## @param containerSecurityContext.readOnlyRootFilesystem Whether the Sealed Secret container has a read-only root filesystem +## @param containerSecurityContext.runAsNonRoot Indicates that the Sealed Secret container must run as a non-root user +## @param containerSecurityContext.runAsUser Set Sealed Secret containers' Security Context runAsUser +## @extra containerSecurityContext.capabilities Adds and removes POSIX capabilities from running containers (see `values.yaml`) +## @skip containerSecurityContext.capabilities.drop +## +containerSecurityContext: + enabled: true + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + +## @param podLabels [object] Extra labels for Sealed Secret pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} +## @param podAnnotations [object] Annotations for Sealed Secret pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} +## @param priorityClassName Sealed Secret pods' priorityClassName +## +priorityClassName: "" +## @param runtimeClassName Sealed Secret pods' runtimeClassName +## +runtimeClassName: "" +## @param affinity [object] Affinity for Sealed Secret pods assignment +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## +affinity: {} +## @param nodeSelector [object] Node labels for Sealed Secret pods assignment +## ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} +## @param tolerations [array] Tolerations for Sealed Secret pods assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## @param additionalVolumes [object] Extra Volumes for the Sealed Secrets Controller Deployment +## ref: https://kubernetes.io/docs/concepts/storage/volumes/ +## +additionalVolumes: [] +## @param additionalVolumeMounts [object] Extra volumeMounts for the Sealed Secrets Controller container +## ref: https://kubernetes.io/docs/concepts/storage/volumes/ +## +additionalVolumeMounts: [] +## @param hostNetwork Sealed Secrets pods' hostNetwork +hostNetwork: false +## @param dnsPolicy Sealed Secrets pods' dnsPolicy +dnsPolicy: "" + +## @section Traffic Exposure Parameters + +## Sealed Secret service parameters +## +service: + ## @param service.type Sealed Secret service type + ## + type: ClusterIP + ## @param service.port Sealed Secret service HTTP port + ## + port: 8080 + ## @param service.nodePort Node port for HTTP + ## Specify the nodePort value for the LoadBalancer and NodePort service types + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## NOTE: choose port between <30000-32767> + ## + nodePort: "" + ## @param service.annotations [object] Additional custom annotations for Sealed Secret service + ## + annotations: {} +## Sealed Secret ingress parameters +## ref: http://kubernetes.io/docs/user-guide/ingress/ +## +ingress: + ## @param ingress.enabled Enable ingress record generation for Sealed Secret + ## + enabled: false + ## @param ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) + ## + apiVersion: "" + ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster. + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param ingress.hostname Default host for the ingress record + ## + hostname: sealed-secrets.local + ## @param ingress.path Default path for the ingress record + ## + path: /v1/cert.pem + ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}` + ## You can: + ## - Use the `ingress.secrets` parameter to create this TLS secret + ## - Relay on cert-manager to create it by setting the corresponding annotations + ## - Relay on Helm to create self-signed certificates by setting `ingress.selfSigned=true` + ## + tls: false + ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param ingress.extraHosts [array] An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: sealed-secrets.local + ## path: / + ## + extraHosts: [] + ## @param ingress.extraPaths [array] An array with additional arbitrary paths that may need to be added to the ingress under the main host + ## e.g: + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.extraTls [array] TLS configuration for additional hostname(s) to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## e.g: + ## extraTls: + ## - hosts: + ## - sealed-secrets.local + ## secretName: sealed-secrets.local-tls + ## + extraTls: [] + ## @param ingress.secrets [array] Custom TLS certificates as secrets + ## NOTE: 'key' and 'certificate' are expected in PEM format + ## NOTE: 'name' should line up with a 'secretName' set further up + ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates + ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## secrets: + ## - name: sealed-secrets.local-tls + ## key: |- + ## -----BEGIN RSA PRIVATE KEY----- + ## ... + ## -----END RSA PRIVATE KEY----- + ## certificate: |- + ## -----BEGIN CERTIFICATE----- + ## ... + ## -----END CERTIFICATE----- + ## + secrets: [] +## Network policies +## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: false + ## NetworkPolicy Egress configuration + ## + egress: + ## @param networkPolicy.egress.enabled Specifies wheter a egress is set in the NetworkPolicy + ## + enabled: false + ## @param networkPolicy.egress.kubeapiCidr Specifies the kubeapiCidr, which is the only egress allowed. If not set, kubeapiCidr will be found using Helm lookup + ## + kubeapiCidr: "" + ## @param networkPolicy.egress.kubeapiPort Specifies the kubeapiPort, which is the only egress allowed. If not set, kubeapiPort will be found using Helm lookup + ## + kubeapiPort: "" + +## @section Other Parameters + +## ServiceAccount configuration +## +serviceAccount: + ## @param serviceAccount.annotations [object] Annotations for Sealed Secret service account + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + annotations: {} + ## @param serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: true + ## @param serviceAccount.labels Extra labels to be added to the ServiceAccount + ## + labels: {} + ## @param serviceAccount.name The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the sealed-secrets.fullname template + ## + name: "" +## RBAC configuration +## +rbac: + ## @param rbac.create Specifies whether RBAC resources should be created + ## + create: true + ## @param rbac.clusterRole Specifies whether the Cluster Role resource should be created + ## + clusterRole: true + ## @param rbac.clusterRoleName Specifies the name for the Cluster Role resource + ## + clusterRoleName: "secrets-unsealer" + ## @param rbac.namespacedRoles Specifies whether the namespaced Roles should be created (in each of the specified additionalNamespaces) + ## + namespacedRoles: false + ## @param rbac.namespacedRolesName Specifies the name for the namesapced Role resource + ## + namespacedRolesName: "secrets-unsealer" + ## @param rbac.labels Extra labels to be added to RBAC resources + ## + labels: {} + ## @param rbac.pspEnabled PodSecurityPolicy + ## + pspEnabled: false + +## @section Metrics parameters + +metrics: + ## Prometheus Operator ServiceMonitor configuration + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Specify if a ServiceMonitor will be deployed for Prometheus Operator + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Namespace where Prometheus Operator is running in + ## + namespace: "" + ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor + ## + labels: {} + ## @param metrics.serviceMonitor.annotations Extra annotations for the ServiceMonitor + ## + annotations: {} + ## @param metrics.serviceMonitor.interval How frequently to scrape metrics + ## e.g: + ## interval: 10s + ## + interval: "" + ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## e.g: + ## scrapeTimeout: 10s + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.honorLabels Specify if ServiceMonitor endPoints will honor labels + ## + honorLabels: true + ## @param metrics.serviceMonitor.metricRelabelings [array] Specify additional relabeling of metrics + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.relabelings [array] Specify general relabeling + ## + relabelings: [] + ## Grafana dashboards configuration + ## + dashboards: + ## @param metrics.dashboards.create Specifies whether a ConfigMap with a Grafana dashboard configuration should be created + ## ref https://github.com/helm/charts/tree/master/stable/grafana#configuration + ## + create: false + ## @param metrics.dashboards.labels Extra labels to be added to the Grafana dashboard ConfigMap + ## + labels: {} + ## @param metrics.dashboards.annotations Annotations to be added to the Grafana dashboard ConfigMap + ## + annotations: {} + ## @param metrics.dashboards.namespace Namespace where Grafana dashboard ConfigMap is deployed + ## + namespace: "" + + ## Sealed Secret Metrics service parameters + ## + service: + ## @param metrics.service.type Sealed Secret Metrics service type + ## + type: ClusterIP + ## @param metrics.service.port Sealed Secret service Metrics HTTP port + ## + port: 8081 + ## @param metrics.service.nodePort Node port for HTTP + ## Specify the nodePort value for the LoadBalancer and NodePort service types + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## NOTE: choose port between <30000-32767> + ## + nodePort: "" + ## @param metrics.service.annotations [object] Additional custom annotations for Sealed Secret Metrics service + ## + annotations: {} + +## @section PodDisruptionBudget Parameters + +pdb: + ## @param pdb.create Specifies whether a PodDisruptionBudget should be created + ## + create: false + ## @param pdb.minAvailable The minimum number of pods (non number to omit) + ## + minAvailable: 1 + ## @param pdb.maxUnavailable The maximum number of unavailable pods (non number to omit) + ## + maxUnavailable: "" diff --git a/mkdocs.yml b/mkdocs.yml index 0c30a84a..f1f08dfd 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -152,6 +152,7 @@ nav: - Secrets: - vault.md - Vault Operator: vault-secrets-operator.md + - Sealed Secrets: sealed-secrets.md - Infrastructure: - infrastructure-overview.md - Namespace: infrastructure-namespace.md