Sealed Secrets
Encrypt your Secret using the custom resource definition manifest kind SealedSecret, which is safe to store, even in a public repository or a deployment pipeline. The SealedSecret can be decrypted only by the h8lio cluster; nobody else (not even the original author) is able to recover the original Secret from the SealedSecret.

This feature is in early access (alpha). Let us know your feedback.
References
- Bitnami Sealed Secret project
Prerequisites
- A cluster (Kubernetes namespace) in which you want to create the sealed secrets (`my-cluster` in this documentation)
- `kubectl` configured for the above cluster
Installation
We need to install the `kubeseal` client to be able to generate the SealedSecret. Refer to the documentation for the installation options.

On Linux AMD 64-bit architecture (check for the latest release):
Usage
In the following example, we are going to create a portable SealedSecret to be used as a MySQL password.

- Create a `password.txt` file containing our secrets as key-value pairs:

  password.txt:

- Generate the Secret named `my-secret` in `my-cluster` from our `password.txt` and seal it with the `kubeseal` client into a `my-secret.yaml` file:
  Pay attention to the `kubeseal` argument `--cert https://kube.h8l.io/v1/cert.pem`, which points to the public certificate used to seal the secret (see the documentation). To generate a certificate Secret, replace the `--from-file` argument value `password.txt` with a `.crt` file.

  my-secret.yaml:

  Note: it is not possible to deploy the generated SealedSecret manifest `my-secret.yaml` to a cluster other than the one specified at its creation time.
- Apply the SealedSecret manifest to your cluster:

- Check that the SealedSecret has been correctly deployed:

  Check the events and status in the output of the above command.

- Check that the unsealed Secret has successfully been created:

  output:

- Use the `my-secret` Secret within pods (or templates) in the same way as a directly created Secret.