This is single application that uses Bitnami sealed secrets for password and certificates.

go run .

then visit http://localhost:8080 in your browser

Run

• docker build . -t my-app to create a container image
• docker run -p 8080:8080 my-app to run it

then visit http://localhost:8080 in your browser

You can find prebuilt images at https://hub.docker.com/r/kostiscodefresh/gitops-secrets-sample-app/tags

WARNING just for demonstration purposes this repository contains both raw and encrypted secrets so that you can see the sealing process yourself. In a real application, your Git repository should only have sealed secrets

Secret folders

• never-commit-to-git/decrypted contains the raw secrets (You should never commit this to Git)
• never-commit-to-git/unsealed_secrets contains plain Kubernetes secrets (You should never commit this to Git)
• safe-to-commit/sealed_secrets contains sealed secrets (This is the only folder you should commit to Git)

Install the secret controller

helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm repo update
helm install sealed-secrets-controller sealed-secrets/sealed-secrets

By default the controller will be installed at the kube-system namespace. The namespace and release name are important, since if you change the defaults, you need to set them up with kubeseal as well as you work with secrets

Download the kubeseal CLI.

wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.16.0/kubeseal-linux-amd64 -O kubeseal
sudo install -m 755 kubeseal /usr/local/bin/kubeseal

kubectl create ns git-secrets
cd safe-to-commit/sealed_secrets
kubeseal -n git-secrets < ../../never-commit-to-git/unsealed_secrets/db-creds.yml > db-creds.json
kubeseal -n git-secrets < ../../never-commit-to-git/unsealed_secrets/key-private.yml > key-private.json
kubeseal -n git-secrets  < ../../never-commit-to-git/unsealed_secrets/key-public.yml > key-public.json
kubeseal -n git-secrets < ../../never-commit-to-git/unsealed_secrets/paypal-cert.yml > paypal-cert.json
kubectl apply -f . -n git-secrets

You now have encrypted your plain secrets. These files are safe to commit to Git. You can see that they have been converted automatically to plain secrets with the command

kubectl get secrets -n git-secrets

Note that the application requires all secrets to be present

cd safe-to-commit/manifests
kubectl apply -f . -n git-secrets

Wait some time and then find the public IP of the loadbalancer of the application:

kubectl get svc -n git-secrets

If you now visit your application you will see it using the secrets:

See the documentation page for more details.