kubeseal.md

File metadata and controls

85 lines (60 loc) · 2.6 KB

# How to Use SealedSecrets in Kubernetes

SealedSecrets is a Kubernetes controller plus a command-line tool (kubeseal) that lets you encrypt your Secret objects so that they can be committed to a Git repository. On the cluster, the controller decrypts each SealedSecret and creates the corresponding Secret object.

Here's a detailed step-by-step guide on how to use SealedSecrets:

## 1. Install the SealedSecrets Controller

Install the SealedSecrets controller into your cluster by applying its release manifest:

```shell
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.22.0/controller.yaml
```

## 2. Create a Secret

Generate a Secret manifest locally (`--dry-run=client` means nothing is sent to the cluster):

```shell
kubectl create secret generic veryimportant --dry-run=client --from-literal=password=apassword -o yaml > veryimportant.yaml
```

This will create a file veryimportant.yaml with the following content:

```yaml
apiVersion: v1
data:
  # base64 of "apassword": an encoding, not encryption, so this file is still plaintext
  password: YXBhc3N3b3Jk
kind: Secret
metadata:
  creationTimestamp: null
  name: veryimportant
```

## 3. Encrypt the Secret

Now encrypt it with kubeseal:

```shell
kubeseal --format=yaml < veryimportant.yaml > sealedsecret.yaml
```

The new file sealedsecret.yaml will contain the encrypted Secret:

```yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: veryimportant
  namespace: default
spec:
  encryptedData:
    password: HereComesAVeryLongBase64EncodedStringThatRepresentsTheEncryptedSecret
  template:
    metadata:
      creationTimestamp: null
      name: veryimportant
      namespace: default
```

You can now commit this file to your Git repository.

**Important:** never commit plain, unsealed Secret files to your Git repositories. Always seal sensitive information with kubeseal before committing. A plain Secret's `data` field is only base64-encoded, so committing it exposes the contents to anyone who can read the repository or its history.

## 4. Apply the SealedSecret

When you want to deploy your application, apply this SealedSecret to your cluster. The SealedSecrets controller will automatically decrypt it and create a Secret with the name and namespace given in the template:

```shell
kubectl apply -f sealedsecret.yaml
```

You can verify that the Secret has been created:

```shell
kubectl get secrets veryimportant
```
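As an added example (not part of the original guide), the script below wraps steps 2 to 4 into shell functions and adds the check the Important note above calls for: a pure-shell guard that refuses to apply or commit a file unless it is a SealedSecret carrying no plaintext fields. It seals with a cached controller certificate (`kubeseal --fetch-cert` / `--cert`), so sealing can run on a machine without cluster access, such as a CI runner. Assumed, not taken from the page: the controller runs in kube-system under the name `sealed-secrets-controller` (the defaults kubeseal uses and what the release manifest above installs), and kubectl and kubeseal are on PATH.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: steps 2-4 as functions plus a
# pre-commit style guard against plain Secrets.
# Assumptions: controller in kube-system named sealed-secrets-controller
# (kubeseal's defaults), kubectl and kubeseal on PATH.
set -eu

NAMESPACE="${NAMESPACE:-default}"
CERT_FILE="${CERT_FILE:-pub-cert.pem}"

# Fetch the controller's public certificate once; sealing then needs no
# cluster access and the cert itself is not sensitive.
fetch_cert() {
  kubeseal --fetch-cert \
    --controller-namespace kube-system \
    --controller-name sealed-secrets-controller > "$CERT_FILE"
}

# Step 2: generate the plain Secret manifest locally (never applied as-is,
# never committed). Usage: make_secret NAME KEY=VALUE
make_secret() {
  kubectl create secret generic "$1" --namespace "$NAMESPACE" \
    --dry-run=client --from-literal="$2" -o yaml
}

# Step 3: seal stdin with the cached cert. Name and namespace are bound into
# the ciphertext (kubeseal's default strict scope), so the SealedSecret only
# unseals to that exact name/namespace.
seal() {
  kubeseal --format=yaml --cert "$CERT_FILE"
}

# Guard: 0 if FILE is a SealedSecret with encryptedData and no data/stringData
# (i.e. safe to commit), 1 otherwise. Line-oriented heuristic, not a YAML parser.
safe_to_commit() {
  f="$1"
  grep -Eq '^kind:[[:space:]]*SealedSecret[[:space:]]*$' "$f" || return 1
  grep -Eq '^[[:space:]]*encryptedData:' "$f" || return 1
  grep -Eq '^[[:space:]]*(stringData|data):' "$f" && return 1
  return 0
}

# Step 4 with the guard in front: make -> seal -> check -> apply -> verify.
# Usage: seal_and_apply NAME KEY=VALUE OUTFILE
seal_and_apply() {
  make_secret "$1" "$2" | seal > "$3"
  if ! safe_to_commit "$3"; then
    echo "refusing: $3 is not a sealed secret" >&2
    return 1
  fi
  kubectl apply -f "$3"
  kubectl get secret "$1" --namespace "$NAMESPACE"
}

# Run the whole flow only when invoked as: ./seal.sh run
if [ "${1:-}" = "run" ]; then
  fetch_cert
  seal_and_apply veryimportant password=apassword sealedsecret.yaml
fi
```

`safe_to_commit` is deliberately strict: any file declaring `data:` or `stringData:` is rejected, which also rejects SealedSecrets that use those fields in their template. For a pre-commit hook that false positive is cheap, while a missed plain Secret is not. Pair it with a `.gitignore` entry for the unsealed veryimportant.yaml so the plaintext file never becomes a candidate for commit.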

## Notes

- The kubeseal client and the SealedSecrets controller have to be compatible versions.
- If you lose the private key of the SealedSecrets controller, you won't be able to decrypt your SealedSecrets. Always back up this key.
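The second note is where most real-world losses happen, so here is an added example (not from the original page) of a key backup that checks its own result: the export is only kept if it actually contains a private key, because a wrong namespace or label silently produces an empty list. Assumed, not stated on the page: the controller lives in kube-system (what the release manifest above installs), its sealing keys are `kubernetes.io/tls` Secrets labelled `sealedsecrets.bitnami.com/sealed-secrets-key` (the upstream controller's label), and the deployment is named `sealed-secrets-controller`.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: export the controller's sealing
# key(s) and refuse to keep a backup that holds no private key.
# Assumptions: controller in kube-system, keys labelled
# sealedsecrets.bitnami.com/sealed-secrets-key, deployment sealed-secrets-controller.
set -eu

# Dump every sealing key (active and retired) into one file.
export_keys() {  # export_keys OUTFILE
  kubectl get secret -n kube-system \
    -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml > "$1"
}

# Pure-shell sanity check: 0 if FILE is non-empty, is not an empty List
# ("items: []"), and contains at least one kubernetes.io/tls Secret with a
# tls.key value; 1 otherwise.
verify_key_backup() {  # verify_key_backup FILE
  f="$1"
  [ -s "$f" ] || return 1
  if grep -Eq '^items:[[:space:]]*\[\][[:space:]]*$' "$f"; then return 1; fi
  grep -Eq '^[[:space:]]*tls\.key:[[:space:]]*[A-Za-z0-9+/=]+' "$f" || return 1
  grep -Eq '^[[:space:]]*type:[[:space:]]*kubernetes\.io/tls' "$f" || return 1
  return 0
}

# Number of keys in the backup (one tls.key line per key Secret).
count_keys() {  # count_keys FILE
  grep -Ec '^[[:space:]]*tls\.key:' "$1"
}

# Export, verify, and delete the file again if verification fails so a
# useless "backup" cannot sit around looking valid.
backup() {  # backup OUTFILE
  export_keys "$1"
  if verify_key_backup "$1"; then
    echo "backed up $(count_keys "$1") sealing key(s) to $1; store it off-cluster and encrypted"
  else
    echo "backup at $1 contains no sealing key; check namespace and label" >&2
    rm -f "$1"
    return 1
  fi
}

# Restore into a new cluster: re-create the key Secret(s), then restart the
# controller so it loads them.
restore() {  # restore FILE
  kubectl apply -f "$1"
  kubectl -n kube-system rollout restart deployment sealed-secrets-controller
}
```

The backup file contains the private key in the clear (base64 only), so treat it with at least the care of the Secrets it unseals: store it outside the cluster, encrypted, with access limited to the people who would perform a restore.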

For more information, visit the [SealedSecrets GitHub page](https://github.com/bitnami-labs/sealed-secrets).