Introducing Acorn Encrypted Secrets

Oct 13, 2022 by Bill Maxwell

Automating deployments always has friction when it comes to secrets management. GitOps, the Kubernetes way of automating deployments, is driven by changes to files in a Git repository containing all of the manifests. But what about secrets? When it comes to passwords, API keys, certificates, and tokens, it’s never a good idea to store them in plain text in Git. So delivery teams have adopted processes outside the pipeline. Some require deploying third-party secret stores, integrating with cloud provider solutions, or deploying operators that provide a way to encrypt and decrypt sensitive data.

In Acorn v0.3.0 we have introduced a new feature to encrypt sensitive information directly with Acorn. The encrypted information can only be decrypted by Acorn in the intended Acorn namespace. No additional tooling is needed to safely encrypt data for your application deployments. As always, batteries are included but swappable.

Encrypted Secrets

Acorn encrypted secrets are built around libsodium sealed boxes. This method is the same solution used for GitHub Secrets. Another great benefit of libsodium is the broad support of this encryption library across programming languages, making it easy to script data encryption. Once the plain text is encrypted with the Acorn namespace’s public key, it can only be decrypted in that Acorn namespace. Even the sender cannot decrypt the message.

A single plain text can also be encrypted for multiple targets. This makes it easier to deploy across multiple clusters that might access the same database.

The encrypted text can be passed safely to Acorn apps via the command line, through an Acorn file, or stored in a Kubernetes secret to be bound at runtime.

How it works

Acorn generates a public/private key pair for each Acorn namespace in the cluster. To encrypt data, you will need the public key for each namespace you plan to use. You obtain your Acorn namespace’s public key via the 'acorn info' command.

If you just need to encrypt data for the current namespace, run:

acorn secret encrypt "plain text"
ACORNENC:eyIzclJrRHBGRjlGamhUNHdHVGFJdnc4VTVNWDBwODBlb3NrOHl1NjFGT0FZIjoiZEhmZnZQeXdqM3hEbFVBQlQtclN6QUNZdnpRUHNzX0w1SWFGckJQSUtrcXZaR2FUdDlDNzc5YkxKNEt5UHBxandsLXZIdWxaRWtvSERRIn0

If you have plain text that is used on multiple clusters, you can encrypt it for all of them in one shot by passing each namespace's public key:

acorn secret encrypt --public-key 3rRkDpFF9FjhT4wGTaIvw8U5MX0p80eosk8yu61FOAY --public-key zmm_89JUdfpkJ6S633-hNkeHE2Jc5u9xrmaPZHa0wzM "plain text"
ACORNENC:eyIzclJrRHBGRjlGamhUNHdHVGFJdnc4VTVNWDBwODBlb3NrOHl1NjFGT0FZIjoiUkRkN0g5LUVZekVLeVhid19kYVBadXJpZmR3Unc4aFBjRENxakgyTHF5clhnNG00bHdQWTJ3YkhOQy1MUERyTkRwZGpLYy1idWdpemZBIiwiem1tXzg5SlVkZnBrSjZTNjMzLWhOa2VIRTJKYzV1OXhybWFQWkhhMHd6TSI6IkZWa1kxSDhnOW1meG1GNDBjblpLOFV2eHgwa0JuMEx6RFFzVl8xUlhkMVQ5RzRfRDZqMHJsWmdtVWlVal9kclIwYlB6Vndwb2U5WTRRdyJ9

Now you can use the encrypted value to deliver secrets to your Acorn application.

acorn run db --password ACORNENC:eyIzclJrRHBGRjlGamhUNHdHVGFJdnc4VTVNWDBwODBlb3NrOHl1NjFGT0FZIjoiZEhmZnZQeXdqM3hEbFVBQlQtclN6QUNZdnpRUHNzX0w1SWFGckJQSUtrcXZaR2FUdDlDNzc5YkxKNEt5UHBxandsLXZIdWxaRWtvSERRIn0
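
Before an encrypted value goes into Git or a pipeline, it is worth confirming which namespace keys it is actually sealed to. The following is an added example, not Acorn code: the layout it parses (base64url JSON mapping each namespace public key to its sealed-box ciphertext) is inferred by decoding the single-namespace sample value on this page, and the function names are hypothetical.

```python
import base64
import json

SEALBYTES = 48  # libsodium sealed-box overhead: 32-byte ephemeral key + 16-byte MAC
PREFIX = "ACORNENC:"

# Single-namespace value copied from this page (plain text was "plain text").
SAMPLE = (
    "ACORNENC:eyIzclJrRHBGRjlGamhUNHdHVGFJdnc4VTVNWDBwODBlb3NrOHl1NjFGT0FZIjoi"
    "ZEhmZnZQeXdqM3hEbFVBQlQtclN6QUNZdnpRUHNzX0w1SWFGckJQSUtrcXZaR2FUdDlDNzc5"
    "YkxKNEt5UHBxandsLXZIdWxaRWtvSERRIn0"
)


def _b64url(text):
    """Decode unpadded URL-safe base64, rejecting non-base64 characters."""
    padded = text + "=" * (-len(text) % 4)
    return base64.b64decode(padded, altchars=b"-_", validate=True)


def inspect_value(value):
    """Return {namespace_public_key: implied_plaintext_length} (assumed layout)."""
    if not value.startswith(PREFIX):
        raise ValueError("missing ACORNENC: prefix")
    envelope = json.loads(_b64url(value[len(PREFIX):]))
    if not isinstance(envelope, dict) or not envelope:
        raise ValueError("envelope is not a non-empty JSON object")
    recipients = {}
    for key, sealed in envelope.items():
        if len(_b64url(key)) != 32:
            raise ValueError(f"recipient {key!r} is not a 32-byte public key")
        size = len(_b64url(sealed)) - SEALBYTES
        if size < 0:
            raise ValueError(f"ciphertext for {key!r} is shorter than a sealed box")
        recipients[key] = size
    return recipients


def check_recipients(value, expected_keys):
    """Raise unless the value is sealed to exactly the expected namespace keys."""
    unexpected = set(inspect_value(value)) ^ set(expected_keys)
    if unexpected:
        raise ValueError(f"recipient mismatch: {sorted(unexpected)}")
    return True


if __name__ == "__main__":
    print(inspect_value(SAMPLE))
```

The implied length follows from the fixed 48-byte sealed-box overhead, so an encrypted value stored in Git still discloses how long the secret is and which namespace keys it targets.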

To learn more about how to use Acorn encrypted secrets, check out the docs.

Wrapping up

Acorn encrypted secrets now provide an out-of-the-box solution to allow sensitive data to be passed via automation workflows. Depending on your organization, the encrypted values can be consumed directly in scripts, or integrated into the organization's existing GitOps pipelines.

With Acorn you have multiple options for handling secrets. If you are doing development or test environment deployments, you can learn how to use Acorn’s generated secrets in this post. If your organization is already using Vault to manage secrets or you have strict auditing requirements, you can see how to use Acorn with HashiCorp Vault's Agent Injection operator in this post.