
Elevate the Security of Your Kubernetes Secrets with VMware Application Catalog and Sealed Secrets

Alfredo García, R&D manager at VMware, contributed to this blog post.

VMware Application Catalog now includes enterprise support for Sealed Secrets, enabling customers to add asymmetric-cryptography-based protection to the Kubernetes Secrets they store in shared repositories.

What problem does VMware Application Catalog solve?

The increased adoption of open source software (OSS) by enterprises has led to a disconnect of sorts between development and platform engineering teams. As developers seek the flexibility and versatility offered by OSS, they tend to independently pull OSS components from multiple unreliable, non-trusted sources. This creates a problem for platform engineering teams who require adequate control over the consumption of OSS by their development teams to ensure secure and compliant OSS adoption.

VMware Application Catalog addresses this problem by enabling platform engineers to deliver a curated catalog of ready-to-use, production-grade, continuously maintained OSS images to their developers. Developers can enjoy seamless access to the OSS they need, and platform engineers gain complete control and visibility into their development teams’ OSS usage. VMware Application Catalog enables enterprises to adopt OSS in a secure, sustainable and compliant manner.

What are Sealed Secrets and what problem do they solve?

As enterprises continue to adopt Kubernetes as the preferred application development and IT infrastructure platform, platform engineering and site reliability engineering teams are increasingly adopting a GitOps mindset where infrastructure configuration is managed as code. Infrastructure as code invariably means that configurations of all Kubernetes clusters are managed in a shared Git repository, where all automated tests are run, and peer code reviews are performed; and all changes are automatically pushed to the cluster from the main branch, while a version control system continuously keeps track of all operations performed and maintains the sanctity of the infrastructure. So, in short, shared Git repositories form the backbone of most modern IT infrastructure platforms.

But what about sensitive objects like database passwords, OAuth tokens, SSH keys or Slack tokens, which are typically stored as Secrets? How can these be safely stored in shared or public Git repositories?

Enter Sealed Secrets, a popular open source project led by the VMware Bitnami team, which has registered over 700 million pulls in Docker Hub and over 200 million pulls in June 2023 alone. Sealed Secrets are one-way encrypted secrets that can be created by anyone but can be decrypted only by the controller running in the target cluster, which makes them safe to share publicly and upload to Git. Once a secret has been encrypted as a Sealed Secret, it can be stored in a shared or public Git repository and uploaded to the target Kubernetes cluster while remaining fully protected. Only the Sealed Secrets controller will be able to decrypt it with the private sealing key and recover the original secret, thus protecting sensitive data while still keeping it within shared repositories.
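To make the asymmetric model above concrete, here is an added Go example, not code from the Sealed Secrets project or from VMware, modelled on the hybrid scheme Sealed Secrets uses: a fresh per-secret AES-GCM key is wrapped with RSA-OAEP under the target Secret's namespace/name as the OAEP label, so a sealed blob can be produced by anyone holding the cluster's public key but recovered only by the holder of the private key, and only for the Secret it was sealed for. The function names, the "wrapped key || ciphertext" layout and the 2048-bit key used in testing are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// aead returns AES-256-GCM for a single-use session key; because the key is never reused, a fixed all-zero nonce is safe.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal needs only the cluster's public key. A fresh AES key is wrapped with RSA-OAEP under the
// label "namespace/name", which binds the blob to one Secret. Output layout: wrapped key || GCM.
func Seal(pub *rsa.PublicKey, plaintext []byte, label string) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(label))
	if err != nil {
		return nil, err
	}
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(wrapped, make([]byte, gcm.NonceSize()), plaintext, nil), nil
}
// Unseal is the controller side: only its private key plus the matching label succeeds.
func Unseal(priv *rsa.PrivateKey, sealed []byte, label string) ([]byte, error) {
	if len(sealed) < priv.Size() { // RSA-OAEP ciphertext is exactly the modulus size
		return nil, rsa.ErrDecryption
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sealed[:priv.Size()], []byte(label))
	if err != nil {
		return nil, err // wrong cluster key or wrong namespace/name
	}
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), sealed[priv.Size():], nil)
}
```

Unsealing with another cluster's key, under a different namespace/name, or after any tampering with the blob fails, which is the property that makes committing the sealed form to Git acceptable.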

Sealed Secrets has long been available as a container image and Helm chart in VMware Application Catalog.

Key use cases of Sealed Secrets

Enterprises can benefit immensely from Sealed Secrets, as it helps with the following key platform administration and site reliability use cases.

Implement a GitOps flow for Kubernetes Secrets

Enabling users to store Kubernetes secret configurations in Git is the core objective behind the development of Sealed Secrets. Sealed Secrets also ships with provisions for seamless integration with popular GitOps tools such as ArgoCD or Flux CD, so enterprises can plug it into their own continuous delivery pipelines and derive value quickly and easily.

Avoid accidental exposure of secrets

Helm charts usually generate secret templates using plain text values that can potentially lead to the leakage of credentials and other sensitive information. Sealed Secrets solves this problem by generating these secret templates as encrypted Kubernetes secrets which can be safely shared and stored in a Git repository without exposing any sensitive data.

Integrate easily with existing VMware Application Catalog applications

All Helm charts in VMware Application Catalog include a configuration parameter called existingSecret. This parameter lets users reference a pre-existing Secret from the chart values instead of supplying credentials in plain text. By using this documented feature, users can deploy any Helm chart from VMware Application Catalog in combination with Sealed Secrets, ensuring that no sensitive information is exposed in the Helm configuration.

VMware Application Catalog announces support for Sealed Secrets

VMware Application Catalog contains over 140 widely used OSS application components, including Sealed Secrets. A VMware Application Catalog subscription now includes VMware enterprise support for Sealed Secrets, meaning that customers of VMware Application Catalog are entitled to receive technical support from VMware for any issue they face regarding the usage of Sealed Secrets. VMware Application Catalog will also be the only channel through which one can obtain enterprise support for Sealed Secrets.

With this announcement, we aim to deliver added value to the customers of VMware Application Catalog by placing them within easy reach of a reliable and popular tool to secure their Kubernetes Secrets and better control their Kubernetes deployments. To learn how to deploy Sealed Secrets from VMware Application Catalog, see this Tanzu Developer Center blog post.

If you are looking for additional resources to learn more about VMware Application Catalog, please visit the product webpage, resources, and technical documentation. To get your questions on Sealed Secrets and VMware Application Catalog answered by our experts, please write to us directly and our team will get in touch with you soon!