Sealed Secrets
Docs
It consists of two parts:
- Server part, the controller/operator
- Client part, the kubeseal CLI
To install the controller, look for the release named sealed-secrets-vX.X.X on the project's GitHub releases page. Don't use the Helm charts; use the release with that name.
That release contains a controller.yaml which you apply to the corresponding cluster:
kubectl apply -f controller.yaml
This installs the controller into the kube-system namespace.
To install the client on your machine (use the version that appears in the release):
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/<release-tag>/kubeseal-<version>-linux-amd64.tar.gz
tar -xvzf kubeseal-<version>-linux-amd64.tar.gz kubeseal
sudo install -m 755 kubeseal /usr/local/bin/kubeseal
Usage
To use kubeseal directly you would need access to the Kube API. Instead of granting that access, we fetch the public key (certificate) of the Sealed Secrets controller installed earlier; sealing is then done offline against that certificate, and only the controller in the cluster holds the matching private key.
kubeseal --fetch-cert > sealed-secrets.pub.pem
(This fetch itself talks to the cluster, so be aware of which kubectl context you are using if you have several.)
Once installed we can use kubeseal. First create a Secret. Important! Set the namespace in which the secret will be used: the sealed value is bound to that namespace and name and cannot be unsealed under a different one.
echo -n "very secret" | kubectl create secret generic my-secret -n nombre_de_namespace --dry-run=client --type=Opaque --from-file=token=/dev/stdin -o yaml > my-secret.yaml
(The -n on echo keeps a trailing newline out of the token value.)
Once the generic Secret is created, pass it through kubeseal:
kubeseal --format=yaml --cert=sealed-secrets.pub.pem < my-secret.yaml > my-secret-sealed.yaml
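To show why the namespace set on the Secret matters, here is an added example written for this page (not the project's code) that models the hybrid scheme Sealed Secrets uses: a fresh AES-256-GCM session key encrypts the value, RSA-OAEP(SHA-256) wraps that key, and the namespace/name string is the OAEP label. The exact byte layout, the 2048-bit key (the real controller uses a larger one), and the function names are assumptions of this illustration. The same blob unseals under its own namespace and fails under another, because the label no longer matches.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// sessionKeyBytes is the AES-256 key length used for the per-secret session key.
const sessionKeyBytes = 32

// encryptionLabel is the OAEP label that binds a sealed value to a namespace
// and name (assumed "namespace/name"; an empty name covers the whole
// namespace, and both empty means no binding at all).
func encryptionLabel(namespace, name string) []byte {
	switch {
	case namespace == "" && name == "":
		return []byte{}
	case name == "":
		return []byte(namespace)
	default:
		return []byte(namespace + "/" + name)
	}
}

// hybridSeal is the client side: wrap a one-time AES key with RSA-OAEP under
// label, then encrypt plaintext with AES-GCM. Assumed layout:
// 2-byte big-endian RSA ciphertext length || RSA ciphertext || GCM ciphertext.
func hybridSeal(rnd io.Reader, pub *rsa.PublicKey, plaintext, label []byte) ([]byte, error) {
	sessionKey := make([]byte, sessionKeyBytes)
	if _, err := io.ReadFull(rnd, sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rnd, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2, 2+len(wrapped)+len(plaintext)+aead.Overhead())
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	// The session key is used exactly once, so a fixed all-zero nonce is safe here.
	nonce := make([]byte, aead.NonceSize())
	return aead.Seal(out, nonce, plaintext, nil), nil
}

// hybridUnseal is the controller side: it derives the label from the
// SealedSecret's own namespace/name, so a blob sealed for another namespace
// fails at the OAEP unwrap step.
func hybridUnseal(priv *rsa.PrivateKey, sealed, label []byte) ([]byte, error) {
	if len(sealed) < 2 {
		return nil, errors.New("sealed blob too short")
	}
	rsaLen := int(binary.BigEndian.Uint16(sealed[:2]))
	if len(sealed) < 2+rsaLen {
		return nil, errors.New("truncated RSA ciphertext")
	}
	wrapped, body := sealed[2:2+rsaLen], sealed[2+rsaLen:]
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, label)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, make([]byte, aead.NonceSize()), body, nil)
}

// demo seals a constructed token for my-secret in namespace "team-a" and reports
// whether it unseals under the same identity (sameNS) and under "team-b" (otherNS).
func demo() (bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the controller's key pair
	if err != nil {
		return false, false, err
	}
	plaintext := []byte("very secret") // constructed sample value
	sealed, err := hybridSeal(rand.Reader, &priv.PublicKey, plaintext, encryptionLabel("team-a", "my-secret"))
	if err != nil {
		return false, false, err
	}
	got, err := hybridUnseal(priv, sealed, encryptionLabel("team-a", "my-secret"))
	sameNS := err == nil && bytes.Equal(got, plaintext)
	_, err = hybridUnseal(priv, sealed, encryptionLabel("team-b", "my-secret"))
	otherNS := err == nil
	return sameNS, otherNS, nil
}

func main() {
	sameNS, otherNS, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("unseals in team-a: %v, unseals in team-b: %v\n", sameNS, otherNS)
}
```

The defender-side takeaway is that a SealedSecret copied into another namespace, or renamed, is simply rejected by the controller; if you need a value shared across namespaces you must seal it with a wider scope deliberately rather than by accident.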