🔴 - To support my channel, I’d like to offer Mentorship/On-the-Job Support/Consulting - me@antonputra.com
Short and to the point, love this. Thanks for sharing
You're welcome!
I wasted half a day trying to understand how sealed-secrets works.
Disconnected from the VPN and found this video: short and to the point, and with an example too.
THANK YOU!)) You're the best!
Thanks Dmitriy :)
Thank you comrade. Very concise and informative.
Very welcome
Well done, thank you Anton!
Thanks Luthfi!
Thanks a lot for such detailed tutorial!
Glad it was helpful!
Thank you comrade )))
Any time
Well done. Exactly what I needed to fully understand how this works. What about backing up the private key for disaster recovery? Is the private key just stored in `etcd`?
Thanks! You definitely want to back up your key in prod environments. The private key is stored as a Kubernetes secret, by default in etcd; there are a few techniques you can use to improve security: kubernetes.io/docs/concepts/configuration/secret/
Thanks for the video. Wanted to ask what application you are using for the diagrams.
I use draw.io.
👏 "Resource already exists and is not managed by SealedSecret." What could be the reason? Any suggestion?
FYI: if the controller is named differently, you'll need to add the `--controller-name` flag
true
Can we directly encrypt a Kubernetes secret, e.g. using any encryption algorithm we encrypt the secret value and then decrypt that value in the pod and use it, so that no one can access the secret without the private key? Does Kubernetes or any other tool or method help to achieve this??
Maybe; you mean download the encrypted secret and decrypt it only inside the pod? Try HashiCorp Vault, but I think they use the same approach. Usually it's better just to use RBAC to restrict who can access that k8s secret
When I create the cert .pem it is generated but is empty. Why is that file empty, even when I try with my own namespace?
Sometimes it can be empty if kubeseal cannot retrieve the certificate. One of the most common issues is that you need to open port 8080 between the master and the nodes (this applies to both EKS and GKE). It uses kubectl proxy to get the cert.
@@AntonPutra One more thing: can you upload the commands that you are using in the terminal? I didn't find the commands in the GitHub repo.
@@NightfurYMKD Yes, I'll be adding those commands to the readme file
👉 How to Manage Secrets in Terraform - th-cam.com/video/3N0tGKwvBdA/w-d-xo.html
👉 Terraform Tips & Tricks - th-cam.com/video/7S94oUTy2z4/w-d-xo.html
👉 ArgoCD Tutorial - th-cam.com/video/zGndgdGa1Tc/w-d-xo.html
Thanks for the video.
Can you help me with my question?
Suppose that I have created an RDS database in AWS and I have generated the credentials of the RDS database from the console itself.
Now in the java.properties file I need to pass those RDS credentials in order to connect the application with the database.
Inside Kubernetes, I have sealed the secrets according to your video.
Now in the java.properties file, what is the syntax to pass the credentials of the RDS database? Is it the same as the Flask app you defined?
For example
`spring.datasource.password= os.environ['password']`
Am I correct or not?
Can you please help me?
There are a few options:
1. When the sealed secrets controller decrypts your secret, you get a "plain" Kubernetes secret :) Use that to create an environment variable in your Kubernetes "Deployment" object and then pass it to your java.properties by using the following syntax: "${DB_PASSWORD}". I assume that your "java.properties" is mounted to the pod as a configmap.
2. You can place all your secrets in the java.properties file and create a sealed secret from it (the whole file, not only the db user/password). Then you can create a volume from the decrypted secret and mount it to your application.
In the end, you get just a Kubernetes secret, so whatever you can do with that, you can do with a sealed secret. I have a video on how to use k8s secrets; it may be helpful.
@@AntonPutra
Ok
Actually, let me tell you my requirement. I have a Java-based application that is hosted on Git. Now with Jenkins I'm creating the jar artifact of that Java code.
Now I'm using that jar artifact inside the Dockerfile to create the Docker image.
And I'm fetching that Docker image inside the EKS cluster.
Now what I understood is that I need to pass the java.properties file as a config file inside the Kubernetes cluster
and use kubeseal for the database password.
Just a question: when we create the jar file, do we not need to pass the java.properties file at that Jenkins stage?
And when we use that java.properties inside the config map, is that mapped to the container image automatically?
@@kkkant1547 Just a question: when we create the jar file, do we not need to pass the java.properties file at that Jenkins stage?
-> To run the application in K8s, no, but you may still want to run unit tests with that jar, so in that case building a jar with java.properties may be useful.
And when we use that java.properties inside the configmap, is that mapped to the container image automatically?
-> No
1. You need to create a "configmap" object with the content of your java.properties
2. Create a K8s volume based on that configmap
3. Mount that volume to the location inside the container where the application expects that file, usually "/etc/app/java.properties"
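As an added example (not from the video or this thread), here is what option 1 from the earlier reply and the configmap -> volume -> mount steps above look like as manifests. It assumes a Spring Boot app and names I made up (`rds-credentials` for the unsealed Secret, `app-config`, `java-app`); the credentials and the RDS endpoint are constructed samples.

```yaml
# Added example, not the video's code. Names and values are assumptions / constructed samples.
# 1. What the Sealed Secrets controller produces after decrypting the SealedSecret:
apiVersion: v1
kind: Secret
metadata:
  name: rds-credentials
stringData:
  username: dbuser              # constructed sample, not a real credential
  password: example-password
---
# 2. Non-secret config lives in a ConfigMap; Spring resolves ${...} from env vars
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  java.properties: |
    spring.datasource.url=jdbc:postgresql://${DB_HOST}:5432/appdb
    spring.datasource.username=${DB_USERNAME}
    spring.datasource.password=${DB_PASSWORD}
---
# 3. Deployment: Secret keys -> env vars; ConfigMap -> volume -> mounted where the app expects it
apiVersion: apps/v1
kind: Deployment
metadata:
  name: java-app
spec:
  selector:
    matchLabels: { app: java-app }
  template:
    metadata:
      labels: { app: java-app }
    spec:
      containers:
      - name: app
        image: registry.example.com/java-app:1.0   # placeholder image
        # point Spring Boot at the mounted file instead of a bundled application.properties
        args: ["--spring.config.location=file:/etc/app/java.properties"]
        env:
        - name: DB_HOST          # the endpoint is not secret, so a plain value is fine
          value: mydb.cluster-abc123.us-east-1.rds.amazonaws.com   # constructed
        - name: DB_USERNAME
          valueFrom: { secretKeyRef: { name: rds-credentials, key: username } }
        - name: DB_PASSWORD
          valueFrom: { secretKeyRef: { name: rds-credentials, key: password } }
        volumeMounts:
        - { name: config, mountPath: /etc/app/java.properties, subPath: java.properties }
      volumes:
      - { name: config, configMap: { name: app-config } }
```

Only the kubeseal-encrypted SealedSecret goes into Git; the controller recreates the plain `rds-credentials` Secret in the cluster, and the ConfigMap and Deployment can be committed as they are.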
@@AntonPutra Many thanks to you, now I'm much clearer than before ;)
Just one more question:
How can I pass the Kubernetes sealed secret keys for username and password into the application.java file? Can you please tell me the syntax to do this?
And I also need to pass the RDS database endpoint inside the application.java properties file. Can you please tell me the syntax for how I can define this as well?
@@AntonPutra Thanks a lot for the response.
Can you please share the syntax that I need to add to the application.properties config file for passing the secret keys for the username and the password?
And also, how can I pass the RDS database endpoint URL inside the application.properties file? Can you please share the syntax for how I can define these things inside the application.properties file?