
Kubeseal

Kubeseal is a Kubernetes controller and tool for one-way encrypted Secrets.

Getting Started

Installation

Client side

Use the kubeseal.sh script.

Cluster side

Install the SealedSecret CRD and the server-side controller into the kube-system namespace.

$ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/$KUBESEAL_VERSION/controller.yaml

NOTE: If you can't (or don't want to) use the kube-system namespace, please consider this approach

NOTE: If you want to install it on a GKE cluster for which your user account doesn't have admin rights, please read this

NOTE: Since the Helm chart is currently maintained elsewhere (see https://github.com/helm/charts/tree/master/stable/sealed-secrets), updates to the Helm chart might not happen in sync with releases here.

Sealed Secrets

  • create working directory
mkdir -p sealed-secrets
cd sealed-secrets
  • create base directory
mkdir -p base
  • create base/kustomization.yaml file
vi base/kustomization.yaml
  • test kustomize
kustomize build base
  • download sealed-secrets controller
export URL=https://github.com/bitnami-labs/sealed-secrets/releases
export URL=${URL}/download/v0.14.1/controller.yaml
wget ${URL} -O base/controller.yaml
  • check base/controller.yaml file
vi base/controller.yaml
kustomize build base
  • update base/kustomization.yaml file
vi base/kustomization.yaml
kustomize build base
  • apply kustomize output
kustomize build base | kubectl apply --filename -
  • get pods (the namespace is sealed-secrets, with a hyphen)
kubectl get all -n sealed-secrets
kubectl get pod -n sealed-secrets
  • get ingress
kubectl get ingresses -A
kubectl -n sealed-secrets get ingresses
kubectl --namespace argo get ingresses
kubectl --namespace sealed-secrets get ingresses
  • get namespaces
kubectl get namespaces
  • create test-secrets namespace
kubectl create namespace test-secrets
  • simulate creating the Secret (client-side dry run, nothing is sent to the cluster)
kubectl --namespace test-secrets create secret generic mysecret \
--dry-run=client --from-literal foo=bar --output json
  • pipe the simulation result to kubeseal
kubectl --namespace test-secrets create secret generic mysecret \
--dry-run=client --from-literal foo=bar --output json | kubeseal \
--controller-namespace=sealed-secrets
  • pipe the simulation result to kubeseal with yaml format
kubectl --namespace test-secrets create secret generic mysecret \
--dry-run=client --from-literal foo=bar --output json | kubeseal \
--controller-namespace=sealed-secrets -o yaml
  • pipe the kubeseal output to mysecret.yaml
kubectl --namespace test-secrets create secret generic mysecret \
--dry-run=client --from-literal foo=bar --output json | kubeseal \
--controller-namespace=sealed-secrets -o yaml | tee mysecret.yaml
  • simulate creating the resource from mysecret.yaml (client-side dry run)
kubectl create --filename mysecret.yaml --dry-run=client
  • create resource using mysecret.yaml
kubectl create --filename mysecret.yaml
  • get sealedsecrets resource
kubectl -n test-secrets get sealedsecrets.bitnami.com
  • get sealedsecrets resource mysecret
kubectl -n test-secrets get sealedsecrets.bitnami.com mysecret
  • output sealedsecrets resource mysecret in yaml format
kubectl -n test-secrets get sealedsecrets.bitnami.com mysecret -o yaml
  • output sealedsecrets resource mysecret in json format
kubectl -n test-secrets get sealedsecrets.bitnami.com mysecret -o json
  • get secrets resource
kubectl -n test-secrets get secrets
  • output secrets resource mysecret in yaml format
kubectl -n test-secrets get secrets mysecret --output yaml
  • output a single value from secrets resource mysecret using a jsonpath expression
kubectl -n test-secrets get secrets mysecret \
--output jsonpath="{.data.foo}"
  • base64-decode a value from secrets resource mysecret selected with jsonpath
kubectl -n test-secrets get secrets mysecret \
--output jsonpath="{.data.foo}" | base64 --decode && echo
  • fetch sealed-secrets controller certificate
kubeseal --controller-namespace=sealed-secrets --fetch-cert
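The sealing step above (a dry-run Secret piped into kubeseal) is hybrid encryption: kubeseal draws a random AES-256-GCM session key, wraps it with RSA-OAEP under the public key of the controller certificate fetched with --fetch-cert, and, in the default strict scope, uses namespace/name as the OAEP label, which is why the namespace and name given to the dry-run must match the Secret you will apply. The Go below is an added example written for this page, not the project's code: it reimplements that scheme with a constructed RSA key standing in for the fetched certificate, and shows that a blob sealed for test-secrets/mysecret cannot be unsealed under any other namespace/name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Label is the OAEP label for the default "strict" scope; it ties a sealed blob to one namespace/name.
func Label(namespace, name string) []byte { return []byte(namespace + "/" + name) }

// Seal wraps a fresh AES-256-GCM session key with RSA-OAEP(SHA-256, label).
// Blob layout: [2-byte big-endian RSA length][RSA ciphertext][GCM ciphertext].
func Seal(pub *rsa.PublicKey, plaintext, label []byte) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, label)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	out := make([]byte, 2, 2+len(wrapped))
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	// The session key is used exactly once, so a fixed all-zero nonce is safe here.
	return gcm.Seal(out, make([]byte, gcm.NonceSize()), plaintext, nil), nil
}

// Unseal reverses Seal. A different label makes OAEP decryption fail, so a blob
// sealed for test-secrets/mysecret cannot be replayed as, say, prod/mysecret.
func Unseal(priv *rsa.PrivateKey, sealed, label []byte) ([]byte, error) {
	if len(sealed) < 2 || len(sealed) < 2+int(binary.BigEndian.Uint16(sealed)) {
		return nil, fmt.Errorf("sealed blob too short or truncated")
	}
	n := 2 + int(binary.BigEndian.Uint16(sealed))
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sealed[2:n], label)
	if err != nil {
		return nil, fmt.Errorf("label or key mismatch: %w", err)
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), sealed[n:], nil)
}
```

Only the controller holds the private key, so anyone with the certificate can seal but nobody outside the cluster can unseal; losing the controller's key pair (or rotating it without keeping the old keys) makes existing SealedSecrets undecryptable.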