Sealed Secrets Namespace

This Namespace provides a Kubernetes controller and tool for one-way encrypted Secrets

Releases

  • sealed-secrets
    Sealed Secrets are 'one-way' encrypted K8s Secrets that can be created by anyone, but can only be decrypted by the controller running in the target cluster recovering the original object.

Features

  • Actively maintained by GraphOps and contributors
  • Common values interfaces across all namespaces
  • Flexible and adaptable, allowing defaults to be overridden
  • Two release channels: stable and canary
  • A large selection of Namespaces (listed below)

Quickstart

Note: Launchpad Starter is a great way to make use of Namespaces and is worth checking out as a starting point for every new Launchpad deployment.

To use Namespaces you will require both a Kubernetes cluster and Helmfile. As such:

  • Make sure your Kubernetes cluster is in order and your environment has the kubeconfig context properly set up
  • Install helmfile; upstream guidance is available here: Helmfile Installation
  • Install kustomize; upstream guidance is available here: Kustomize Installation. Although launchpad-namespaces doesn't explicitly use kustomize, it is a dependency for utilising helmfile features.

Next, set up a helmfile.yaml file that makes use of the Sealed Secrets Namespace by creating it with the following contents:

helmfiles:
  - path: git::https://github.com/graphops/launchpad-namespaces.git@sealed-secrets/helmfile.yaml?ref=sealed-secrets-latest
    selectorsInherited: true

Note: In the path to the helmfile, you can use the query string's ref (?ref=sealed-secrets-latest) to track one of the release streams (stable and canary), pin to a specific version, or track a particular major or minor semantic version. For more on this, check the Updates section.

This is a very minimalist helmfile but enough to get it done. Proceed by running helmfile:

helmfile sync -i

After some output, you should be greeted by a prompt like this:

Do you really want to sync? Helmfile will sync all your releases, as shown above.

[y/n]:

Answer 'y' and hopefully the installation will conclude successfully.

Overriding namespace and releases' values

To customize the configuration and deployment, you can pass values to override the default helmfile configuration like so:

helmfiles:
  - path: git::https://github.com/graphops/launchpad-namespaces.git@sealed-secrets/helmfile.yaml?ref=sealed-secrets-latest
    selectorsInherited: true
    values:
      targetNamespace: "i-choose-my-own-namespace"
      labels:
        awesome.label.key/stuff: "yes"
        awesome.label.key/thing: "kind-of-thing"

Here we add some labels to this Namespace's releases and set it to be deployed in a cluster namespace different from the default.

You can also easily override values for every release, like so:

helmfiles:
  - path: git::https://github.com/graphops/launchpad-namespaces.git@sealed-secrets/helmfile.yaml?ref=sealed-secrets-latest
    selectorsInherited: true
    values:
      targetNamespace: "i-choose-my-own-namespace"
      labels:
        awesome.label.key/stuff: "yes"
        awesome.label.key/thing: "kind-of-thing"
      <release-name>:
        - akey: value
          bkey: value

Check out the Namespaces list below for release names, and each chart's folder for its specific values interface.

To use multiple namespaces on the same cluster, just add more items to the helmfiles array like so:

helmfiles:
  - path: git::https://github.com/graphops/launchpad-namespaces.git@sealed-secrets/helmfile.yaml?ref=sealed-secrets-latest
    selectorsInherited: true
    values:
      <sealed-secrets values>
  - path: git::https://github.com/graphops/launchpad-namespaces.git@<other namespace>/helmfile.yaml?ref=<other namespace>-latest
    selectorsInherited: true
    values:
      <other values>
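
The Quickstart note on `?ref=` means a helmfile that references `sealed-secrets-latest` changes what it deploys whenever that release stream moves. The following added example (not part of the launchpad-namespaces project) parses each `git::` path in a helmfile and reports entries that carry no fixed ref. The second and third sample entries, the `git.example.invalid` host and the `EXAMPLE-PINNED-TAG` placeholder are constructed, and treating a `-latest` suffix as a moving ref is an assumption drawn from that note.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Matches sub-helmfile entries such as
#   - path: git::https://host/org/repo.git@subdir/helmfile.yaml?ref=tag
PATH_RE = re.compile(r"^\s*-?\s*path:\s*[\"']?(git::\S+?)[\"']?\s*$", re.M)

# Constructed sample: first entry is the one from this page, the others are
# placeholders (EXAMPLE-PINNED-TAG stands in for a real version tag).
SAMPLE = """\
helmfiles:
  - path: git::https://github.com/graphops/launchpad-namespaces.git@sealed-secrets/helmfile.yaml?ref=sealed-secrets-latest
    selectorsInherited: true
  - path: git::https://git.example.invalid/org/repo.git@ns/helmfile.yaml?ref=EXAMPLE-PINNED-TAG
    selectorsInherited: true
  - path: git::https://git.example.invalid/org/repo.git@ns/helmfile.yaml
"""


def parse_remote(path):
    """Split a git:: helmfile path into repo URL, in-repo file and ref."""
    parts = urlsplit(path[len("git::"):])
    repo_path, _, subpath = parts.path.partition("@")
    ref = parse_qs(parts.query).get("ref", [None])[0]
    return {
        "repo": f"{parts.scheme}://{parts.netloc}{repo_path}",
        "file": subpath,
        "ref": ref,
    }


def audit(helmfile_text):
    """Return (path, finding) pairs for remote helmfiles with a moving ref."""
    findings = []
    for path in PATH_RE.findall(helmfile_text):
        ref = parse_remote(path)["ref"]
        if ref is None:
            findings.append((path, "no ref: follows the repository default branch"))
        elif ref.endswith("-latest"):  # assumption: -latest marks a release stream
            findings.append((path, f"ref {ref} follows a release stream"))
    return findings


if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(f"{finding}\n    {path}")
```

Run against a repository's helmfile.yaml in CI, a non-empty result marks deployments whose content can change without a change to the file under review.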

Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| annotations | object | | Add annotations to release resources on this namespace |
| kubeVersion | string | | Specifies the kubernetes API version, useful in helm templating environment |
| labels | object | | Adds helmfile labels to releases on this namespace |
| resourceLabels | object | | Adds labels to release resources on this namespace |
| sealed-secrets | object | | |
| sealed-secrets.annotations | object | | Add annotations to resources on this release |
| sealed-secrets.chartUrl | string | | Override this release's chart URL (i.e: an absolute like /path/to/chart.tgz or /path/to/chart_dir. Or a remote like git::https://github.com/bitnami/charts.git@bitnami/apache?ref=main) |
| sealed-secrets.chartVersion | string | | Specify a specific chart version to use for this release |
| sealed-secrets.labels | object | | Adds helmfile labels to this release |
| sealed-secrets.mergeValues | boolean | true | Merges passed values with namespace's defaults if true, overrides if false |
| sealed-secrets.resourceLabels | object | | Adds labels to resources on this release |
| sealed-secrets.values | (object or list of objects) | | Pass values to the release helm chart |
| targetNamespace | string | sealed-secrets | Sets the cluster namespace in which the releases will be deployed |
| helmDefaults | object | | |
| helmDefaults.args | list of strings | | |
| helmDefaults.cleanupOnFail | boolean | | |
| helmDefaults.createNamespace | boolean | | |
| helmDefaults.force | boolean | | |
| helmDefaults.historyMax | number | 10 | limit the maximum number of revisions saved per release. Use 0 for no limit. |
| helmDefaults.kubeContext | string | | |
| helmDefaults.recreatePods | boolean | | |
| helmDefaults.tillerNamespace | string | | |
| helmDefaults.tillerless | boolean | | |
| helmDefaults.timeout | number | | |
| helmDefaults.tls | boolean | | |
| helmDefaults.tlsCACert | string | | |
| helmDefaults.tlsCert | string | | |
| helmDefaults.tlsKey | string | | |
| helmDefaults.verify | boolean | | |
| helmDefaults.wait | boolean | | |
| helmDefaults.waitForJobs | boolean | | |