How ArgoCD and Sealed Secret works
Streamlining Secret Management in Kubernetes with ArgoCD and Sealed Secrets
In the ever-evolving landscape of Kubernetes and DevOps, orchestrating seamless deployments while maintaining top-notch security is the holy grail. In this comprehensive blog, we'll take you on an in-depth journey into two powerful tools that can elevate your Kubernetes game to the next level: ArgoCD and Sealed Secrets.
The Power of GitOps
Understanding GitOps: We'll start by dissecting the concept of GitOps, exploring its origins, and why it has become a game-changer in the Kubernetes ecosystem.
ArgoCD Unveiled: A deep dive into ArgoCD, including its architecture, components, and how it manages Kubernetes applications declaratively.
Git Repository as the Source of Truth: Learn why your Git repository becomes the ultimate source of truth for your Kubernetes configurations, bringing transparency, accountability, and robust version control to your deployments.
Setting Up ArgoCD
Installation and Configuration
To get started with ArgoCD, you'll first need to install it in your Kubernetes cluster. This can be achieved using a simple Kubernetes manifest or a Helm chart. We will walk you through both methods, providing guidance on choosing the one that best fits your requirements.
Example:
# ArgoCD Installation via Helm helm repo add argo https://argoproj.github.io/argo-helm helm install my-argocd argo/argo-cd
Once installed, you'll need to configure ArgoCD to connect to your Git repository where your Kubernetes manifests and ArgoCD Application configurations are stored. We'll show you how to set up these configurations, including connecting to private Git repositories securely.
Multi-Cluster Support
ArgoCD excels in managing applications across multiple Kubernetes clusters. We'll guide you through the process of configuring ArgoCD to support multi-cluster environments, allowing you to deploy and manage applications seamlessly, no matter how complex your infrastructure.
Role-Based Access Control (RBAC)
Securing your ArgoCD instance is paramount. We'll provide best practices for implementing Role-Based Access Control (RBAC) within ArgoCD. You'll learn how to create custom roles, define permissions, and manage user access effectively.
Example:
# Define a custom Role in ArgoCD apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: my-custom-role rules: - apiGroups: [""] resources: ["applications"] verbs: ["get", "list", "create", "update", "delete"]
Deploying Applications with ArgoCD
Now that you have ArgoCD set up, it's time to dive into deploying applications. In this chapter, we'll guide you through defining Application Custom Resource Definitions (CRDs) and deploying your first application.
Defining Application CRDs
Applications in ArgoCD are defined using Application Custom Resource Definitions (CRDs). These YAML manifests declare how ArgoCD should deploy and manage your application.
Example:
# Application CRD for a sample application
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: sample-app
namespace: argocd
spec:
source:
repoURL: https://github.com/your-org/your-repo
targetRevision: HEAD
path: apps/sample
destination:
server: 'https://kubernetes.default.svc'
namespace: sample-namespace
project: default
syncPolicy:
automated:
prune: true
selfHeal: true
Here, we're defining an application named sample-app
that resides in a Git repository. ArgoCD will automatically synchronize this application according to the defined sync policy.
Syncing Applications
ArgoCD continuously monitors your Git repositories for changes. When it detects updates, it syncs applications to match the desired state defined in your Git repository.
Example:
# Triggering a manual sync for an application
argocd app sync sample-app
ArgoCD also provides a web-based dashboard for easy application monitoring and manual syncing.
Application Rollbacks
Sometimes, things don't go as planned. ArgoCD supports application rollbacks, allowing you to easily revert to a previous version of your application when issues arise.
Example:
# Rollback an application to a previous version
argocd app rollback sample-app
Manifests and Application Resources
In this section, we'll explore how ArgoCD deals with Kubernetes manifests and different application resources. By the end, you'll have a solid understanding of how to manage and deploy complex applications using ArgoCD.
Managing Manifests
ArgoCD shines when it comes to managing Kubernetes manifests. You can keep your application manifests in a Git repository, and ArgoCD will automatically synchronize them with your Kubernetes clusters.
Example: Here's a simplified directory structure for your application's manifests:
my-app/
├── deployment.yaml
├── service.yaml
├── configmap.yaml
├── route.yaml
ArgoCD will track changes in this repository and ensure that the application state matches the definitions in these manifests.
Resource Dependency
Kubernetes applications often consist of multiple resources that depend on each other. For example, a Deployment may depend on a ConfigMap and a Service.
Example: In the deployment.yaml
, you might reference a ConfigMap:
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-app-deployment
spec:
template:
spec:
containers:
- name: my-app
image: my-app-image
envFrom:
- configMapRef:
name: my-app-config
ArgoCD understands these dependencies and ensures that resources are synchronized in the correct order.
Application Resources
Applications often involve various Kubernetes resources. ArgoCD makes managing these resources straightforward.
Example: Consider a YAML manifest for a Service:
apiVersion: v1
kind: Service
metadata:
name: my-app-service
spec:
selector:
app: my-app
ports:
- port: 80
targetPort: 8080
ArgoCD handles resources like Services, Deployments, ConfigMaps, and Routes seamlessly, deploying and managing them according to your Git repository's state.
Deployment and Synchronization
Whenever you push changes to your Git repository, ArgoCD automatically detects the updates and synchronizes your application to match the desired state.
Example: After you push an update to your manifests, ArgoCD will sync the application:
# Triggering a sync
argocd app sync my-app
Sealed Secrets with ArgoCD
In this section, we'll dive deeper into the world of Sealed Secrets and see how ArgoCD can securely simplify the management of secrets.
What are Sealed Secrets?
Sealed Secrets are an innovative way of managing Kubernetes secrets in a GitOps workflow. They work by encrypting your sensitive data and storing it as a SealedSecret custom resource in your Git repository.
How to Use Sealed Secrets with ArgoCD
Step 1: Install Sealed Secrets Controller
The first step is to install the Sealed Secrets controller in your Kubernetes cluster. This controller is responsible for decrypting SealedSecrets objects during runtime.
shellCopy code# Install Sealed Secrets Controller
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.16.0/controller.yaml
Step 2: Create a Sealed Secret
Now, let's create a Sealed Secret from a regular Kubernetes Secret. You'll need to use the kubeseal
command-line tool.
shellCopy code# Create a Sealed Secret from a regular Secret
kubectl create secret generic my-secret --dry-run=client --from-literal=my-key=my-value -o json | kubeseal > my-sealed-secret.yaml
This command generates a SealedSecret YAML file that you can store in your Git repository.
Step 3: Add Sealed Secret to Git Repository
Commit the my-sealed-secret.yaml
file to your Git repository, just like you would with other Kubernetes manifests.
Step 4: Deploy Sealed Secret with ArgoCD
ArgoCD can automatically deploy Sealed Secrets. Create an ArgoCD Application resource for your Sealed Secret, just as you would for any other resource.
yamlCopy codeapiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: my-app
spec:
project: default
source:
repoURL: <URL_TO_YOUR_GIT_REPO>
targetRevision: HEAD
path: path/to/secrets
destination:
server: https://kubernetes.default.svc
namespace: my-namespace
ArgoCD will handle the deployment of the Sealed Secret to your cluster securely.
Benefits of Using Sealed Secrets with ArgoCD
Security: Sensitive data is encrypted and stored in version control, reducing the risk of exposure.
GitOps: Sealed Secrets fit perfectly into the GitOps workflow. You define, version, and track your secrets in your Git repository.
Auditing: All changes to secrets are traceable through Git commits, providing a clear audit trail.
Easy Management: ArgoCD simplifies the deployment and synchronization of Sealed Secrets, making secret management a breeze.
Enhancing Security with Sealed Secrets
The Challenge of Secrets: Delve into the critical issue of securing sensitive data within Kubernetes and why traditional Secrets fall short.
Sealed Secrets Revealed: Learn about the architecture of Sealed Secrets and how it encrypts your secrets into a safe, Git-friendly format.
Public Key Encryption: Understand how Sealed Secrets leverages public key encryption to ensure that only your target cluster can decrypt and utilize the secrets
The Future of Kubernetes Deployments
- Emerging Trends: Get a glimpse into the future of Kubernetes deployments, including the evolution of GitOps, new security paradigms, and the latest tools on the horizon.
This blog aims to provide you with a comprehensive understanding of these powerful Kubernetes tools, offering the knowledge and expertise you need to optimize your Kubernetes deployments, enhance security, and stay ahead in the ever-changing world of DevOps. Get ready to embark on a deep dive into the world of ArgoCD and Sealed Secrets.