Use sealed secrets in crossplane(kubernetes) manifests

[Sir-gits-a-lot]

I am working on crossplane composition to provision a cluster and install argocd in it. To configure argocd to monitor my private git repository I need to create a secret in that cluster? Here, I want to use sealed secrets. But I don't understand how I can create a sealed secret using kubeseal if the cluster itself isn't created by me? Since the cluster itself is created by me I cannot use kubeseal in that cluster to create the sealed secrets manifest.

How do I automate this flow?

[hopkinsjason]

Old issue, but one I've recently faced. If the control plane cluster has the sealed secret tls certificate that's been used to seal your secrets, you can copy the certificate from the control plane to the target cluster using the kubernetes crossplane provider.

I used a Composition to create a cluster, configure the helm provider, install sealed secrets using helm and configure the crossplane Kubernetes provider then copy the sealed secret certificate like this:

...
...
    - name: sealed-secret-certificate
      base:
        apiVersion: kubernetes.crossplane.io/v1alpha1
        kind: Object
        spec:
          forProvider:
            manifest:
              apiVersion: v1
              kind: Secret
              type: kubernetes.io/tls
              metadata:
                name: <your_name>
                namespace: kube-system
                labels:
                  sealedsecrets.bitnami.com/sealed-secrets-key: active
              data:
                tls.crt: public-key
                tls.key: private-key
          references:
          - patchesFrom:
              apiVersion: v1
              kind: Secret
              namespace: kube-system
              name: <your_controlplane_tls_secret_name>
              fieldPath: data['tls.crt']
            toFieldPath: data['tls.crt']
          - patchesFrom:
              apiVersion: v1
              kind: Secret
              namespace: kube-system
              name: <your_controlplane_tls_secret_name>
              fieldPath: data['tls.key']
            toFieldPath: data['tls.key']
      patches:
      - fromFieldPath: spec.id
        toFieldPath: spec.providerConfigRef.name
      - fromFieldPath: spec.id
        toFieldPath: metadata.name
        transforms:
          - type: string
            string:
              fmt: "%s-sealed-secret-certificate"
...
...

Note the namespace - this needs to be the same namespace that sealed secrets was installed to.

I then used the kuberetes provider to install a sealed secret (in this case github credentials for argo)

...
...
    - name: github-credentials
      base:
        apiVersion: kubernetes.crossplane.io/v1alpha1
        kind: Object
        metadata:
          name: github-access
        spec:
          forProvider:
            manifest:
              apiVersion: bitnami.com/v1alpha1
              kind: SealedSecret
              metadata:
                creationTimestamp: null
                name: github-access
                namespace: argocd
              spec:
                encryptedData:
                  password: <encrypted_data>
                  type: <encrypted_data>
                  url: <encrypted_data>
                  username: <encrypted_data>
                template:
                  metadata:
                    creationTimestamp: null
                    labels:
                      argocd.argoproj.io/secret-type: repo-creds
                    name: github-access
                    namespace: argocd
      patches:
        - fromFieldPath: spec.id
          toFieldPath: metadata.name
          transforms:
            - type: string
              string:
                fmt: "%s-github-creds"
        - fromFieldPath: spec.id
          toFieldPath: spec.providerConfigRef.name
...
...