Kubernetes and Sealed Secrets (Kubernetes)

PROBLEM: I would like to share my secrets via git
SOLUTION: Use Sealed Secrets

(Installing kubeseal)

kubeseal is the CLI tool for managing sealed secrets. If you are using macOS, you should use brew:

brew install kubeseal

On (Ubuntu-based) Linux you should be fine using:

wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.9.6/kubeseal-linux-amd64 -O kubeseal
sudo install -m 755 kubeseal /usr/local/bin/kubeseal && rm kubeseal

Creating a secret

There are different ways to create a secret; I am using either direct input (--from-literal) or a direct YAML definition. I will show both.
Let's assume I am deploying some application which will be connected to my GitLab, so I need to share a secret key (gitlab_secret). The original secret should look like this (please note I prefer YAML over JSON):

apiVersion: v1
data:
  gitlab_secret: QUIxMjM0NTY=
kind: Secret
metadata:
  labels:
    app: gitlab_app
  name: my-secret
  namespace: gitlab
type: Opaque

The value of gitlab_secret is the plaintext encoded in base64 (AB123456 -> QUIxMjM0NTY=). Base64 is an encoding, not encryption, so this file must never be committed as-is. We can also create the secret directly from the command line:

kubectl create secret generic my-secret --from-literal "gitlab_secret=AB123456" \
--dry-run -oyaml

This prints the secret manifest to our shell instead of creating it in the cluster (newer kubectl versions spell the flag --dry-run=client).

Sealing the secret

Now we can create a sealed secret from the YAML we created (saved here as my-secret.yaml) using this command (please note both the < and the > redirections):

kubeseal -o yaml < my-secret.yaml > sealed-my-secret.yaml

or we can extend the command from the example above:

kubectl create secret generic my-secret --from-literal "gitlab_secret=AB123456" \
--dry-run -oyaml | kubeseal -oyaml > sealed-my-secret.yaml

sealed-my-secret.yaml is the file with the sealed secret we wanted. This file can be safely uploaded to a (public) git repo: kubeseal encrypts the values with the controller's public key (fetched from the cluster, or supplied with --cert), and only the controller holding the private key can unseal them. By default the result is bound to the namespace and name of the secret, so it cannot be re-used elsewhere.

The file could look like this:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: my-secret
  namespace: gitlab
spec:
  encryptedData:
    gitlab_secret: <encrypted value omitted>
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: gitlab_app
      name: my-secret
      namespace: gitlab
    type: Opaque
status: {}
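The rule behind the whole post is that only SealedSecret manifests belong in the repository, never the plain Secret with its base64 data. The following is an added example (not part of the original post) of a small POSIX shell check in the style of a pre-commit hook that enforces exactly that: it blocks a kind: Secret manifest that carries a data: or stringData: section and lets kind: SealedSecret through. The function names (check_manifest, check_all, write_samples) and the sample manifests it writes are constructed for this example; they only use sh, awk and grep, so nothing here needs a cluster or kubeseal.

```shell
#!/bin/sh
# Added example: refuse to commit plain Kubernetes Secrets, allow SealedSecrets.
# Assumes only POSIX sh, awk and grep. All sample manifests are constructed.

# check_manifest FILE
# Returns 0 when FILE is safe to commit, 1 when it is a plain Secret with data.
check_manifest() {
  file="$1"
  # Top-level "kind:" only (anchored at column 0, so a nested template is ignored).
  kind=$(awk '/^kind:/ { print $2; exit }' "$file")
  case "$kind" in
    SealedSecret)
      # encryptedData holds ciphertext bound to namespace/name: fine for git.
      echo "OK: $file is a SealedSecret"
      return 0 ;;
    Secret)
      # base64 in data:/stringData: is an encoding, not encryption.
      if grep -Eq '^(data|stringData):' "$file"; then
        echo "BLOCKED: $file is a plain Secret carrying data"
        return 1
      fi
      echo "OK: $file is a Secret without data"
      return 0 ;;
    *)
      echo "OK: $file is kind '${kind:-unknown}', not a secret"
      return 0 ;;
  esac
}

# check_all FILE... : checks every file, returns 1 if any one is blocked.
check_all() {
  rc=0
  for f in "$@"; do
    check_manifest "$f" || rc=1
  done
  return $rc
}

# write_samples DIR : writes constructed sample manifests for a demo run.
write_samples() {
  dir="$1"
  cat > "$dir/my-secret.yaml" <<'EOF'
apiVersion: v1
data:
  gitlab_secret: QUIxMjM0NTY=
kind: Secret
metadata:
  name: my-secret
  namespace: gitlab
type: Opaque
EOF
  cat > "$dir/sealed-my-secret.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: my-secret
  namespace: gitlab
spec:
  encryptedData:
    gitlab_secret: AgB-constructed-placeholder-ciphertext
EOF
  cat > "$dir/deployment.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitlab-app
EOF
}

# Demo: the plain Secret is blocked, the SealedSecret and Deployment pass.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  write_samples "$tmp"
  check_all "$tmp"/*.yaml
  echo "exit status: $?"
  rm -rf "$tmp"
fi
```

Wired into a git pre-commit hook (for example `check_all $(git diff --cached --name-only -- '*.yaml')`), a non-zero return stops the commit before a plain Secret ever reaches the repository. The check is deliberately simple: it looks at single-document YAML files only, so multi-document files separated by --- would need to be split first.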