Kubernetes and Sealed Secrets (Kubernetes)
PROBLEM: I would like to commit my secrets to git without exposing them.
SOLUTION: Use Sealed Secrets.
Installing kubeseal
kubeseal is the CLI tool for creating sealed secrets (the controller that decrypts them runs inside the cluster and is installed separately). If you are using macOS, use brew:
```sh
brew install kubeseal
```
On (Ubuntu-based) Linux you should be fine downloading the release binary; pick the release that matches the controller version running in your cluster:
```sh
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.9.6/kubeseal-linux-amd64 -O kubeseal
sudo install -m 755 kubeseal /usr/local/bin/kubeseal && rm kubeseal
```
Creating a secret
There are several ways to create a secret; I use either direct input (--from-literal) or a YAML definition. I will show both.
Let's assume I am deploying an application that connects to my GitLab, so I need to share a secret key (gitlab_secret). The original secret looks like this (please note I prefer YAML over JSON):
```yaml
apiVersion: v1
data:
  gitlab_secret: QUIxMjM0NTY=
kind: Secret
metadata:
  labels:
    app: gitlab_app
  name: my-secret
  namespace: gitlab
type: Opaque
```
The value of gitlab_secret is plaintext that is merely base64-encoded, not encrypted (AB123456 -> QUIxMjM0NTY=), so committing this file to git hands the value to everyone who can read the repository. We can also create the secret directly from the command line:
```sh
kubectl create secret generic my-secret --from-literal "gitlab_secret=AB123456" \
  --dry-run=client -o yaml
```
This prints the Secret manifest to stdout instead of creating it in the cluster (on kubectl 1.18 and newer use --dry-run=client; the bare --dry-run flag is deprecated).
Sealing the secret
Now we can create the sealed secret from the YAML we saved as my-secret.yaml (please note both < and >):
```sh
kubeseal <my-secret.yaml -o yaml >sealed-my-secret.yaml
```
or we can extend the command from the example above:
```sh
kubectl create secret generic my-secret --from-literal "gitlab_secret=AB123456" \
  --dry-run=client -o yaml | kubeseal -o yaml > sealed-my-secret.yaml
```
sealed-my-secret.yaml is the file with the sealed secret we wanted. It can be safely pushed to a (public) git repo: the values are encrypted to the controller's public key and only the controller, which holds the private key inside the cluster, can decrypt them. Two things to keep in mind: kubeseal fetches that public certificate from the cluster, so it needs working kubectl access (or fetch it once with kubeseal --fetch-cert and pass it later with --cert), and with the default scope the ciphertext is bound to the secret's name and namespace, so renaming or moving the SealedSecret breaks decryption. Only the values are encrypted; key names, labels and the template metadata stay readable.
The file could look like this:
```yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: my-secret
  namespace: gitlab
spec:
  encryptedData:
    gitlab_secret: AgCpldumCtjMJpSEn1n20QGcN5SDbt74Pp2gG9p6S6w71Nf9of2+9Db/Wvap1q6D8tsFrFA35mJgaU8ftb7Q+2JRA9uSHphovOCB//MkR6ro5xlEzMvNHTjOVJ/0KmWa9D5lBBZm6nLQIETvqathcrXuTUPdFtEYlnZp2cT8wEYzAqtKmlshzl/rpWE93m+H73mlF4Zd0P9+MPG1J5WqAhIzquRzrFiqUneoh2Vw+zRgYUKKLW2Nlfes/hD1Nxex3ptRujihbXpYeqjgqP1puZpWWTNeTsjfbaaTU63mphe7TfrHGbiNTgmJwmeGIP6oPFUYRcNS3AgHUMgcaCvoS4S8QlR8XTzdWkSoZzPSiFyqWxTq02R8xw7fwZkvPH5jiCslqoJ0gQUzGYgIqTWDDwwYnzmT76jHH/j/xzneWiLI697A+eNxzgc4jjklu0Qy1+jQjXaJaGJgumjOXgaCUd505Y12EWI2vaTX1Rju0YFmdUwVaIAVdeUQiOY9FIS39Nkz7+yfAFqmc55MjmRJQYXqa7EWD1pfajjEJ2BUogKR8KBjVh13oYG/twTB0yCsSuV40TkL/LjeubXnrNQSUXsUjjKV3DIXvU6lbTvL1I4QYP3Yf6DkucX/e3Ad/GN+k4UxuE5rtAudU6HWMbaEPBCfnBR5M8pXSncK8RlPumnSSFlZlguu/R7VAguxWXHzCB08hmZN1uUSZ8xtlA/Mu1TkcuQitbw==
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: gitlab_app
      name: my-secret
      namespace: gitlab
    type: Opaque
status: {}
```