Sealed Secrets
Learn how to securely manage Kubernetes secrets using Sealed Secrets.
Sealed Secrets encrypts secrets on the client and decrypts them server-side, so the encrypted form can be stored and shared without exposing the secret values. It consists of two components:
- A controller running in the cluster that decrypts SealedSecrets and creates the corresponding Secret objects
- A client-side tool (kubeseal) that encrypts Secrets and stores them as SealedSecrets
Install Sealed Secrets
To install Sealed Secrets using Helm, run the following commands:
helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm install sealed-secrets --namespace kube-system --version 1.13.2 sealed-secrets/sealed-secrets
Encrypting and Applying Secrets
To encrypt an existing plain Secret manifest (here test.yaml) and apply the result to your cluster, you can use the following command:
$ cat test.yaml | kubeseal --controller-name sealed-secrets-controller -o yaml | kubectl apply -f -
sealedsecret.bitnami.com/mysecret created
This command will encrypt the contents of test.yaml and create a SealedSecret resource in your cluster; the controller then decrypts it and creates the plain Secret. The --controller-name value (and --controller-namespace, which defaults to kube-system) must match the controller deployment actually running in your cluster; the command in the next section uses --controller-name=sealed-secrets, matching the Helm release name used above.
Creating and Sealing a Secret
To create a new secret and seal it, you can use the following commands:
echo -n "my new password" \
| kubectl create secret generic xxx --dry-run=client --from-file=password=/dev/stdin -o json \
| kubeseal --controller-namespace=kube-system --controller-name=sealed-secrets --format yaml --merge-into sealed-secret.yaml
kubectl apply -f sealed-secret.yaml
This sequence of commands will create a new Kubernetes Secret (named xxx here) with the specified password as a dry run, seal it with the public key of the Sealed Secrets controller, and apply the sealed secret to your cluster. The --merge-into flag updates an existing sealed-secret.yaml in place (adding or replacing the password item), so that file must already exist; to create a brand-new SealedSecret, redirect kubeseal's output to the file instead.
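The workflow above only protects secret values if plain Secrets never reach the repository alongside the SealedSecrets. The guard below is an added example written for this page, not a tool from the Sealed Secrets project; it assumes manifests are *.yaml or *.yml files with a top-level kind: line, and it builds its own constructed sample tree (one SealedSecret, one plain Secret) so it can be run offline, for instance from a pre-commit hook or CI job.

```shell
#!/bin/sh
# Added example, not part of the Sealed Secrets project: a small repo guard
# that fails when a plain Kubernetes Secret (kind: Secret) is found among the
# manifests, so that only SealedSecret objects are committed and applied.
# Assumptions: manifests are *.yaml / *.yml files with a top-level "kind:" line;
# the fixture directory and its contents are constructed here for illustration.

# Print every manifest file that declares a plain Secret. The pattern is
# anchored at column 0, so the indented fields inside a SealedSecret's
# spec.template do not match; only a top-level "kind: Secret" is flagged.
plain_secret_files() {
  find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) \
    -exec grep -qE '^kind:[[:space:]]*Secret[[:space:]]*$' {} \; -print
}

# Exit status 0 when the tree is clean, 1 when any plain Secret is present.
check_repo() {
  offenders=$(plain_secret_files "$1")
  if [ -n "$offenders" ]; then
    printf 'refusing plain Secret manifest(s):\n%s\n' "$offenders" >&2
    return 1
  fi
  return 0
}

# Build a constructed sample tree: one SealedSecret (allowed) and one plain
# Secret carrying base64 data (must be rejected). Prints the directory path.
make_fixtures() {
  dir=$(mktemp -d)
  cat > "$dir/sealed-secret.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
  namespace: default
spec:
  encryptedData:
    password: CONSTRUCTED_PLACEHOLDER_CIPHERTEXT
  template:
    metadata:
      name: mysecret
      namespace: default
    type: Opaque
EOF
  cat > "$dir/plain-secret.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  namespace: default
type: Opaque
data:
  password: bXkgbmV3IHBhc3N3b3Jk
EOF
  echo "$dir"
}

# Usage: "sh guard.sh --demo" runs the check over the constructed tree;
# call check_repo with a real manifests directory from a hook or CI job.
if [ "${1:-}" = "--demo" ]; then
  check_repo "$(make_fixtures)"
fi
```

Running the demo reports plain-secret.yaml and exits non-zero while the SealedSecret passes untouched; the same check_repo call pointed at the directory that holds sealed-secret.yaml from the steps above gives a cheap safety net against accidentally committing the unsealed Secret that kubectl create produces.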
References
For more detailed information, check out these resources: