
@schmiddim
Last active November 3, 2021 18:42
SealedSecrets.md

Sealed Secrets

Installation

Set up the controller in k8s

The chart lives in the sealed-secrets Helm repository, so add it before installing:

helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm upgrade --install sealed-secrets --namespace kube-system --version 1.16.1 sealed-secrets/sealed-secrets

Binary for Encryption

wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.16.0/kubeseal-linux-amd64 -O kubeseal
sudo install -m 755 kubeseal /usr/local/bin/kubeseal

Usage

  1. Fetch the controller's public certificate (PEM) - kubeseal uses it to encrypt (seal) the secrets; only the controller holds the matching private key that can decrypt them
kubeseal --controller-name=sealed-secrets --controller-namespace=kube-system --fetch-cert > /tmp/mycert.pem
  2. Echo a simple K8s secret (client-side dry run, nothing is created in the cluster)
kubectl create secret generic secret-name --dry-run=client --from-literal=foo=bar -oyaml
  3. Create and seal the secret - check the YAML output! It must be a SealedSecret with encryptedData, not a plain Secret with data
kubectl create secret generic secret-name --dry-run=client --from-literal=foo=bar -oyaml | \
  kubeseal --controller-name=sealed-secrets --controller-namespace=kube-system --format yaml --cert /tmp/mycert.pem \
  > my-super-encrypted-secret.yaml
  4. Apply the sealed secret
kubectl create -f my-super-encrypted-secret.yaml
  5. Test that the controller unsealed it

kubectl get secret secret-name -ojsonpath='{.data.foo}' | base64 -d
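Before committing the file from step 3, a check like the following (an added example, not part of the gist; the samples are constructed, the ciphertext is a placeholder, and it assumes kubeseal was run with --format json rather than --format yaml) catches a plain Secret that skipped the kubeseal step, a plaintext value that leaked into the manifest, or a name/namespace that differs from the one the secret was sealed for, which the controller will refuse to unseal under the default strict scope.

```python
"""Pre-commit check for kubeseal output (added example, not the gist's own code).
Verifies the manifest is a SealedSecret (not a plain Secret that slipped through),
every original key has a ciphertext under spec.encryptedData, no plaintext (raw or
base64) appears anywhere in the file, and name/namespace match: under kubeseal's
default strict scope the ciphertext is bound to exactly that name and namespace."""
import base64
import json

def check_sealed(sealed_json, plaintext, name, namespace):
    """Return a list of problems; an empty list means the manifest passes."""
    problems = []
    doc = json.loads(sealed_json)
    if doc.get("kind") != "SealedSecret":
        problems.append(f"kind is {doc.get('kind')!r}, expected SealedSecret")
    meta = doc.get("metadata", {})
    if (meta.get("name"), meta.get("namespace")) != (name, namespace):
        problems.append(f"scope mismatch: {meta.get('namespace')}/{meta.get('name')}")
    spec = doc.get("spec", {})
    encrypted = spec.get("encryptedData", {})
    for key, value in plaintext.items():
        if key not in encrypted:
            problems.append(f"key {key!r} has no ciphertext")
        else:
            try:
                base64.b64decode(encrypted[key], validate=True)
            except ValueError:
                problems.append(f"ciphertext for {key!r} is not valid base64")
        # The raw value and its base64 form must both be absent from the file.
        if value in sealed_json or base64.b64encode(value.encode()).decode() in sealed_json:
            problems.append(f"plaintext for {key!r} leaked into the manifest")
    # A Secret's data/stringData may sit at top level or inside spec.template.
    for field in ("data", "stringData"):
        if field in doc or field in spec.get("template", {}):
            problems.append(f"unsealed field {field!r} present")
    return problems

# Constructed samples; the ciphertext is a zero-byte placeholder, not real output.
FAKE_CIPHERTEXT = base64.b64encode(bytes(32)).decode()
SEALED_SAMPLE = json.dumps({
    "kind": "SealedSecret", "apiVersion": "bitnami.com/v1alpha1",
    "metadata": {"name": "secret-name", "namespace": "default"},
    "spec": {"encryptedData": {"foo": FAKE_CIPHERTEXT}},
})
# What you get if the kubeseal step is skipped: the plain Secret from step 2.
PLAIN_SAMPLE = json.dumps({
    "kind": "Secret", "apiVersion": "v1", "metadata": {"name": "secret-name"},
    "data": {"foo": base64.b64encode(b"bar").decode()},
})
```

Run it as `check_sealed(open("my-super-encrypted-secret.json").read(), {"foo": "bar"}, "secret-name", "default")` and refuse the commit if the returned list is not empty.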
@schmiddim

@todo backup keys
