Note: This tutorial assumes that you are familiar with encrypted inputs using git-crypt. If you are not, please read this tutorial first.
Sealed Secrets Updater can be used in your CI pipeline to regenerate the Sealed Secrets manifests whenever the secrets inputs change. This way you no longer need to maintain the Sealed Secrets manifests by hand and can focus exclusively on the secrets inputs.
- Git and a GitHub repository.
- git-crypt
- GPG tools
- K8s cluster.
- Sealed Secrets controller installed in the cluster.
This tutorial starts from the scenario we left after completing the previous tutorial.
In order to run Sealed Secrets Updater in your CI pipeline, the secrets inputs must be decrypted first. For that, we export the git-crypt symmetric key of the repository (not your personal GPG key) and store it in GitHub Encrypted Secrets so the workflow can unlock the repository.
- First, export the git-crypt key using the command below and copy it to your clipboard (the example uses `pbcopy` from macOS; on Linux replace it with `xclip -selection clipboard` or similar, and use `base64 -w0` so the output is a single line):
  git-crypt export-key ./tmp-key && cat ./tmp-key | base64 | pbcopy && rm ./tmp-key
- Then, follow the steps described in this guide to create a new encrypted secret in your repository called GIT_CRYPT_KEY with the value you just copied to your clipboard.
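The export step above and the unlock step in the workflow are the two halves of one hand-off, and the detail that breaks it in practice is line wrapping: GNU `base64` wraps its output at 76 columns, so a key pasted that way becomes a multi-line secret that `base64 -d` in CI may reject. The following script is an added example (not part of the tutorial or of Sealed Secrets Updater) that performs the same encode/decode round trip portably, forces single-line output, writes the decoded key with owner-only permissions and verifies that the bytes survived. It reads the key from a file given as an argument instead of calling `git-crypt`, and `make_sample_key` builds a constructed binary sample so it can run without a repository.

```shell
#!/bin/sh
# Added example: portable git-crypt key hand-off (workstation -> GitHub secret -> CI).
# Not from the original tutorial; the sample key below is constructed.
set -eu

# Encode a key file ($1) as single-line base64. `tr -d '\n'` removes the
# wrapping GNU base64 adds, so the result is safe to paste into a GitHub
# secret and to decode with a single `base64 -d` in the workflow.
# On a real repo the key file comes from `git-crypt export-key <path>`.
encode_key() {
  base64 < "$1" | tr -d '\n'
}

# Decode the base64 secret ($1) into the key file ($2). The subshell umask
# makes the file owner-only; the caller deletes it after `git-crypt unlock`.
# Older macOS base64 needs `-D` instead of `-d`.
decode_key() {
  ( umask 077; printf '%s' "$1" | base64 -d > "$2" )
}

# Round-trip check: returns 0 when encode/decode reproduces the key bytes.
roundtrip_ok() {
  src="$1"
  dst=$(mktemp)
  b64=$(encode_key "$src")
  decode_key "$b64" "$dst"
  if cmp -s "$src" "$dst"; then rc=0; else rc=1; fi
  rm -f "$dst"
  return $rc
}

# Constructed sample key: 144 bytes (8 x 18), including newline and
# high bytes, long enough that GNU base64 would normally wrap it.
# Prints the path of the temporary file.
make_sample_key() {
  f=$(mktemp)
  i=0
  while [ "$i" -lt 8 ]; do
    printf 'sealed-secrets\n\001\002\377' >> "$f"
    i=$((i + 1))
  done
  printf '%s' "$f"
}

# Stand-alone demo: build a sample key, check the round trip, clean up.
KEYFILE=$(make_sample_key)
if roundtrip_ok "$KEYFILE"; then
  echo "round trip OK ($(encode_key "$KEYFILE" | wc -c) base64 chars, single line)"
fi
rm -f "$KEYFILE"
```

With a real repository you would run `git-crypt export-key ./tmp-key`, pipe the file through `encode_key`, paste the result as GIT_CRYPT_KEY, and in CI call the equivalent of `decode_key` followed by `git-crypt unlock` and `rm`, as the workflow below does.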
Now we are ready to add a GitHub workflow that updates the Sealed Secrets manifests whenever the secrets inputs change. To do so, create a new workflow file (e.g. .github/workflows/update-sealed-secrets.yml) in the repository with the content below:
```yaml
name: Update Sealed Secrets manifests
on:
  pull_request:
    branches:
      - main
    paths:
      - 'secrets/**'
# The commit step pushes back to the PR branch, which needs write access
# on the GITHUB_TOKEN (the repository default may be read-only).
permissions:
  contents: write
jobs:
  update-sealed-secrets:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # On pull_request events checkout defaults to the merge ref (detached
          # HEAD); check out the PR branch so the commit step has a branch to push to.
          ref: ${{ github.head_ref }}
      - name: Setup git-crypt
        run: sudo apt-get update && sudo apt-get install -y git-crypt
      - name: Unlock secrets inputs
        run: |
          # Quote the secret so the shell does not split a wrapped base64 value.
          echo "${{ secrets.GIT_CRYPT_KEY }}" | base64 -d > ./git-crypt-key
          git-crypt unlock ./git-crypt-key
          # Remove the key immediately so it never ends up in a commit or artifact.
          rm ./git-crypt-key
      - name: Authenticate with GCP
        uses: google-github-actions/auth@v1
        with:
          credentials_json: '${{ secrets.gcp_credentials }}'
      - name: Get GKE credentials
        uses: google-github-actions/get-gke-credentials@v1
        with:
          cluster_name: my-cluster
          location: us-central1-a
      - name: Update the Sealed Secrets manifests
        uses: juan131/sealed-secrets-updater-action@v0
        with:
          config_path: 'sealed-secrets-updater.json'
      - name: Commit
        # Pin to the add-and-commit release you have reviewed.
        uses: EndBug/add-and-commit@v9
        with:
          add: 'manifests'
          message: 'chore: update Sealed Secrets manifests'
```
Note: the above workflow assumes you're using GKE as your K8s cluster and authenticate to it as described in this guide. Please adapt it to your needs if you're using a different cloud provider or authentication method.
Now, every time a PR that changes the secrets inputs is opened or updated, a GitHub workflow is launched to regenerate the Sealed Secrets manifests and commit the changes to the PR branch. Keep in mind that GitHub does not expose repository secrets to pull_request workflows triggered from forks, so the unlock step only works for PRs opened from branches of the repository itself.