Sealed Secrets

A SealedSecret is a regular Kubernetes Secret encrypted with the public key of the Sealed Secrets controller; only the controller running in the cluster can decrypt it.

Install kubeseal (client)

wget https://github.com/bitnami-labs/sealed-secrets/releases/download/<release-tag>/kubeseal-<version>-linux-amd64.tar.gz

Bash
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.5/kubeseal-0.24.5-linux-amd64.tar.gz
Bash
tar -xvzf kubeseal-0.24.5-linux-amd64.tar.gz kubeseal
sudo install -m 755 kubeseal /usr/local/bin/kubeseal

Install kubeseal controller

  • Helm
Bash
helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm repo update
helm install sealed-secrets sealed-secrets/sealed-secrets --namespace kube-system --version 2.7.4
  • Kubectl
Bash
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.5/controller.yaml
kubectl apply -f controller.yaml

Usage

  • Regular secret (do not apply; the values are only base64-encoded, not encrypted):
YAML
apiVersion: v1
kind: Secret
metadata:
  creationTimestamp: null
  name: test-secret
  namespace: default
data:
  password: Tk9QQVNTV0QK       # base64 of "NOPASSWD" plus a trailing newline
  username: SWFtUm9vdAo=       # base64 of "IamRoot" plus a trailing newline
  • Fetch key
Bash
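# kubeseal defaults to a controller named sealed-secrets-controller; for the Helm install above add --controller-name=sealed-secrets
kubeseal --fetch-cert > seal.pem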
  • Seal a secret
Bash
kubeseal --format=yaml --cert=seal.pem < test-secret.yaml > sealed-secret.yaml
  • Apply
Bash
kubectl apply -f sealed-secret.yaml

Bash
cat sealed-secret.yaml
YAML
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: test-secret
  namespace: default
spec:
  encryptedData:
    password: <encrypted value>
    username: <encrypted value>
  template:
    metadata:
      creationTimestamp: null
      name: test-secret
      namespace: default
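
The regular Secret above is marked "do not apply" because its data is only base64, while sealed-secret.yaml carries ciphertext. The guard below is an added example, not part of the original page or the Sealed Secrets project; it rejects manifests that still hold a plain Secret. The function names, file layout and sample manifests are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: a pre-commit style guard that
# lets SealedSecret manifests through and rejects a plain Secret.

# Print "file<TAB>key<TAB>base64" for every data entry of a `kind: Secret`.
list_plain_secret_values() {
  awk '
    function emit(  i) {
      if (kind == "Secret") for (i = 1; i <= n; i++) print file "\t" entry[i]
      kind = ""; n = 0; in_data = 0
    }
    FNR == 1 || /^---/ { emit(); file = FILENAME }
    /^kind:/           { kind = $2 }
    /^[^ \t#]/         { in_data = ($1 == "data:"); next }
    in_data && NF >= 2 && $1 ~ /:$/ {
      key = $1; sub(/:$/, "", key); val = $2; gsub(/"/, "", val)
      entry[++n] = key "\t" val
    }
    END { emit() }
  ' "$@"
}

# Return 1 if any file holds a plain Secret. Reports the key, the decoded
# size and a trailing newline, never the decoded value itself.
check_manifests() {
  findings=$(list_plain_secret_values "$@")
  [ -n "$findings" ] || return 0
  tab=$(printf '\t')
  printf '%s\n' "$findings" | while IFS="$tab" read -r file key b64; do
    size=$(printf '%s' "$b64" | base64 -d | wc -c | tr -d ' ')
    last=$(printf '%s' "$b64" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    note=""; [ "$last" = "0a" ] && note=", value ends with a newline"
    echo "$file: key '$key' is only base64 ($size bytes recoverable$note)"
  done
  return 1
}

# Constructed demo input: the page's test-secret and a sealed stand-in.
demo=$(mktemp -d)
printf '%s\n' 'apiVersion: v1' 'kind: Secret' 'metadata:' '  name: test-secret' \
  'data:' '  password: Tk9QQVNTV0QK' '  username: SWFtUm9vdAo=' > "$demo/test-secret.yaml"
printf '%s\n' 'apiVersion: bitnami.com/v1alpha1' 'kind: SealedSecret' 'spec:' \
  '  encryptedData:' '    password: CONSTRUCTED-PLACEHOLDER' > "$demo/sealed-secret.yaml"
check_manifests "$demo/sealed-secret.yaml" && echo "sealed-secret.yaml: ok to commit"
check_manifests "$demo/test-secret.yaml" || echo "test-secret.yaml: blocked"
```

The guard only inspects the top-level `data:` block of each YAML document, so a Secret that uses `stringData:` needs the same treatment before this is relied on.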