Use Kustomize while keeping secrets in a git repository.

As we try to keep our microservice-based application running in a highly available and scalable manner by deploying it with containers, we encounter many container orchestration tools such as Kubernetes and Docker Swarm, or Kubernetes-based PaaS offerings such as EKS, AKS, GKE and OpenShift. However, choosing a tool on its own does not make life easier. We also have to lay a CI/CD foundation in our architecture so that new features and incoming updates developed for the application can be deployed in a convenient and reliable way.

Here the concept of GitOps on Kubernetes comes in, one step beyond DevOps practice: we keep our declarative object configuration as YAML files committed to a git repository, which serves as the "source of truth". Applying infrastructure to the Kubernetes cluster from the YAML in that git repository, under a zero-manual-change policy, also brings security and observability to the cluster structure, since every change is reviewed and recorded as a commit.

There are many types of resources in Kubernetes, such as ConfigMaps, Deployments and DaemonSets. The resource type we consider in this article, Secret, lets you store and manage sensitive information such as passwords, OAuth tokens and SSH keys. It lets us manage sensitive data by decoupling the Pod definition from those secrets instead of putting them directly into the Pod specification or the image. However, it is very insecure to store that data in a git repository as a Secret definition, because the data in a Secret is only Base64-encoded, not encrypted: anyone who can read the repository can decode it and recover the original values.

This raises a question when we consider committing sensitive information to a git repository as Secrets in order to practise GitOps: "How can we store our secrets in the source-code repository in a secure way?" Sealed Secrets, an open source tool created by Bitnami Labs, comes to the rescue by answering this question.
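To make the two points above concrete (a Secret's `data` is only Base64, and a GitOps repository should carry SealedSecrets rather than plain Secrets), here is an added Python example that is not part of the original article or of the Sealed Secrets project. It decodes the `data` block of a constructed Secret manifest to show that the "encoding" offers no protection, and then scans a set of constructed repository files and flags any plain `kind: Secret` that carries `data` or `stringData`, while letting a `kind: SealedSecret` pass. The manifests, file paths and the sealed value are made up for the example; the YAML reader is a deliberately minimal line-based parser that only understands the flat manifests shown, not a general YAML library.

```python
import base64
import re

# Constructed sample manifest (not from the article). The values are made up.
PLAIN_SECRET = """\
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
data:
  username: YWRtaW4=
  password: cGFzc3dvcmQxMjM=
"""

# Constructed SealedSecret manifest; the encryptedData value is a placeholder,
# not a real ciphertext produced by kubeseal.
SEALED_SECRET = """\
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-credentials
spec:
  encryptedData:
    username: PLACEHOLDER-CIPHERTEXT
    password: PLACEHOLDER-CIPHERTEXT
"""


def parse_manifest(text):
    """Minimal reader for flat Kubernetes manifests: extracts kind, metadata.name
    and the top-level data / stringData maps. Not a general YAML parser."""
    doc = {"kind": None, "name": None, "data": {}, "stringData": {}}
    section = None  # name of the current top-level mapping, if any
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if indent == 0:
            # A top-level key with no inline value opens a nested mapping.
            section = key if value == "" else None
            if key == "kind":
                doc["kind"] = value
            continue
        if section == "metadata" and key == "name":
            doc["name"] = value
        elif section in ("data", "stringData") and indent == 2:
            doc[section][key] = value
    return doc


def decode_secret_data(text):
    """Return the plaintext values of a Secret: data is Base64-decoded,
    stringData is already plaintext. This is exactly what anyone with read
    access to the repository can do, which is why plain Secrets must not be
    committed."""
    doc = parse_manifest(text)
    decoded = {k: base64.b64decode(v).decode() for k, v in doc["data"].items()}
    decoded.update(doc["stringData"])
    return decoded


def find_plaintext_secrets(repo_files):
    """Scan {path: file_text} and return (path, name) for every plain Secret
    that carries data or stringData. SealedSecrets are ignored because their
    spec.encryptedData can only be decrypted by the controller in the cluster."""
    findings = []
    for path, text in sorted(repo_files.items()):
        for chunk in re.split(r"(?m)^---\s*$", text):  # multi-document files
            doc = parse_manifest(chunk)
            if doc["kind"] == "Secret" and (doc["data"] or doc["stringData"]):
                findings.append((path, doc["name"]))
    return findings


if __name__ == "__main__":
    print("decoded:", decode_secret_data(PLAIN_SECRET))
    repo = {"base/secret.yaml": PLAIN_SECRET, "base/sealed.yaml": SEALED_SECRET}
    for path, name in find_plaintext_secrets(repo):
        print(f"plaintext Secret '{name}' committed in {path}")
```

A check like `find_plaintext_secrets` is the kind of thing that belongs in a pre-commit hook or CI step for a GitOps repository: it fails the pipeline as soon as a plain Secret is committed, and the decoding function makes the reason obvious to whoever pushed it.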

#git #kustomize #kubernetes #gitops

Sealing Secrets with Kustomize