Sealed Secrets
Encrypt your Secret using the custom resource definition `SealedSecret` manifest kind, which is safe to store, even in a public repository or a deployment pipeline. The `SealedSecret` can be decrypted only by the h8lio cluster; nobody else (not even the original author) is able to recover the original Secret from the `SealedSecret`.
This feature is in early access (alpha). Let us know your feedback.
References
- Bitnami Sealed Secret project
Prerequisites
- A cluster (Kubernetes namespace) in which you want to create the sealed secrets (`my-cluster` in this documentation)
- `kubectl` configured on the above cluster
Installation
We need to install the `kubeseal` client to be able to generate the `SealedSecret`. Refer to the documentation for the installation options.
On Linux amd64 (check for the latest release):
KSV=0.17.4
wget -qO- https://github.com/bitnami-labs/sealed-secrets/releases/download/v$KSV/kubeseal-$KSV-linux-amd64.tar.gz | tar xzvf -
chmod 755 kubeseal
mv kubeseal /usr/local/bin
kubeseal --help
Usage
In the following example, we create a portable `SealedSecret` to be used as a MySQL password.
- Create a `password.txt` file containing our secrets as key-value pairs:
echo "MYSQL_PASSWORD=test_password" > password.txt
password.txt:
MYSQL_PASSWORD=test_password
- Generate the `Secret` named `my-secret` in `my-cluster` from our `password.txt` and seal it with the `kubeseal` client into a `my-secret.yaml` file:
kubectl create secret generic my-secret -n my-cluster --from-file=password.txt --dry-run=client -o yaml \
| kubeseal -o yaml --cert https://kube.h8l.io/v1/cert.pem > my-secret.yaml
Pay attention to the `kubeseal` argument `--cert https://kube.h8l.io/v1/cert.pem`, which points to the public certificate used to seal the secret (see the documentation). To generate a certificate `Secret`, replace the `--from-file` argument value `password.txt` with a `.crt` file.
my-secret.yaml:
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: my-secret
  namespace: my-cluster
spec:
  encryptedData:
    password.txt: <base64-encoded ciphertext, omitted here>
  template:
    data: null
    metadata:
      creationTimestamp: null
      name: my-secret
      namespace: my-cluster
Note: it is not possible to deploy the generated `SealedSecret` manifest `my-secret.yaml` to a cluster other than the one specified at its creation time.
- Apply the `SealedSecret` manifest to your cluster:
kubectl apply -f my-secret.yaml
- Check that the `SealedSecret` has been correctly deployed:
kubectl -n my-cluster get sealedsecrets.bitnami.com
NAME AGE
my-secret 1m
kubectl -n my-cluster describe sealedsecrets.bitnami.com my-secret
Check the events and status in the output of the above command.
- Check that the unsealed `Secret` has been created:
kubectl -n my-cluster get secrets
output:
NAME AGE
my-secret 1m
- Use the `my-secret` `Secret` within pods (or templates) in the same way as a directly created Secret.
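The procedure above produces a file that is meant to be committed to a repository, so the mistake to guard against is pushing a plain `Secret` (for example when the `| kubeseal` step is forgotten) or a `SealedSecret` whose metadata will not unseal on the intended cluster. The following added example, which is not part of the h8lio documentation or the Bitnami project, is a small pre-commit check for such a manifest. It assumes the manifest was written with `kubeseal -o json` instead of `-o yaml` so that it can be parsed with the Python standard library only; the `SAMPLE_*` documents are constructed to mirror the `my-secret` example on this page, and the ciphertext in them is a placeholder, not real `kubeseal` output.

```python
"""Pre-commit sanity check for a kubeseal-generated SealedSecret manifest.

Added example (not h8lio or Bitnami code). Assumes `kubeseal -o json` output.
Catches the things that make a file unsafe to push or undeployable:
  - a plain Secret committed instead of a SealedSecret
  - plaintext left in spec.template (data / stringData)
  - template name/namespace differing from metadata (the ciphertext is bound
    to them, so the controller would refuse to unseal)
  - a namespace other than the cluster the file was sealed for
It cannot verify that the ciphertext itself is valid; only the cluster
controller holding the private key can do that.
"""
import base64
import binascii
import json

EXPECTED_API = "bitnami.com/v1alpha1"
EXPECTED_KIND = "SealedSecret"


def _looks_like_ciphertext(value):
    """kubeseal writes the hybrid-encrypted payload as base64; short or
    non-base64 strings usually mean a plaintext value slipped in."""
    if not isinstance(value, str) or len(value) < 64:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (ValueError, binascii.Error):
        return False
    return True


def check_sealed_manifest(doc, expected_namespace):
    """Return a list of problems; an empty list means the manifest is safe to commit."""
    problems = []
    if doc.get("apiVersion") != EXPECTED_API or doc.get("kind") != EXPECTED_KIND:
        problems.append(
            f"not a SealedSecret: kind={doc.get('kind')!r} apiVersion={doc.get('apiVersion')!r}"
        )
        return problems  # a plain Secret must never be committed; nothing else matters

    meta = doc.get("metadata") or {}
    spec = doc.get("spec") or {}
    name, ns = meta.get("name"), meta.get("namespace")

    if ns != expected_namespace:
        problems.append(f"namespace {ns!r} does not match target cluster {expected_namespace!r}")

    enc = spec.get("encryptedData") or {}
    if not enc:
        problems.append("spec.encryptedData is empty")
    for key, value in enc.items():
        if not _looks_like_ciphertext(value):
            problems.append(f"encryptedData[{key!r}] does not look like kubeseal ciphertext")

    tmpl = spec.get("template") or {}
    tmeta = tmpl.get("metadata") or {}
    if tmeta.get("name") != name or tmeta.get("namespace") != ns:
        problems.append(
            f"template metadata {tmeta.get('namespace')}/{tmeta.get('name')} "
            f"differs from metadata {ns}/{name}"
        )
    for plain_field in ("data", "stringData"):
        if tmpl.get(plain_field):  # kubeseal writes `data: null`; anything non-empty is plaintext
            problems.append(f"plaintext {plain_field!r} present in spec.template")
    return problems


def check_sealed_manifest_file(path, expected_namespace):
    """Same check on a file produced with `kubeseal -o json > my-secret.json`."""
    with open(path, encoding="utf-8") as fh:
        return check_sealed_manifest(json.load(fh), expected_namespace)


# Constructed sample mirroring the page's my-secret manifest; placeholder ciphertext.
_PLACEHOLDER_CIPHERTEXT = base64.b64encode(b"\x00" * 96).decode()
SAMPLE_SEALED = {
    "apiVersion": EXPECTED_API,
    "kind": EXPECTED_KIND,
    "metadata": {"name": "my-secret", "namespace": "my-cluster"},
    "spec": {
        "encryptedData": {"password.txt": _PLACEHOLDER_CIPHERTEXT},
        "template": {
            "data": None,
            "metadata": {"name": "my-secret", "namespace": "my-cluster"},
        },
    },
}

# Constructed sample of what `kubectl create secret ... --dry-run=client -o json`
# yields when the `| kubeseal` step is forgotten: a plain, base64-only Secret.
SAMPLE_UNSEALED = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "my-secret", "namespace": "my-cluster"},
    "data": {"password.txt": base64.b64encode(b"MYSQL_PASSWORD=test_password\n").decode()},
}

if __name__ == "__main__":
    for label, doc in (("sealed", SAMPLE_SEALED), ("unsealed", SAMPLE_UNSEALED)):
        print(label, check_sealed_manifest(doc, "my-cluster") or "OK")
```

Wire `check_sealed_manifest_file` into a pre-commit hook for the directory holding the sealed manifests, passing the namespace of the cluster the file is meant for; the namespace comparison is what enforces the note above that a `SealedSecret` cannot be moved to another cluster.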