Sealed Secrets is composed of two parts:
- A cluster-side controller / operator(oke-day2 included)
- A client-side utility: kubeseal
The kubeseal utility uses asymmetric crypto to encrypt secrets that only the controller can decrypt.
- Install
kubeseal
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.14.1/kubeseal-linux-amd64 -O kubeseal
chmod +x kubeseal
- At startup, the sealed-secrets controller generates a 4096-bit RSA key pair and persists the private and public keys as Kubernetes secrets in the flux-system namespace. The public key can be safely stored in Git, and can be used to encrypt secrets without direct access to the Kubernetes cluster.
You can retrieve the public key with:
./kubeseal --fetch-cert \
--controller-name=sealed-secrets \
--controller-namespace=flux-system \
> pub-sealed-secrets.pem
- Observe the public key
cat pub-sealed-secrets.pem
- Generate a Kubernetes secret manifest
kubectl -n default create secret generic basic-auth \
--from-literal=user=admin \
--from-literal=password=change-me \
--dry-run \
-o yaml > basic-auth.yaml
- Observe secret manifest
cat basic-auth.yaml
- Encrypt the secret with kubeseal
./kubeseal --format=yaml --cert=pub-sealed-secrets.pem \
< basic-auth.yaml > basic-auth-sealed.yaml
- Observe and copy encrypted secret
cat basic-auth-sealed.yaml
-
Commit the manifests
basic-auth-sealed.yamlto a Git repository- Open
oracle-gitops-workshoprepository in your GitHub webpage - Go to
clusters/default/flux-system/directory - Сlick on
Add file->Create new file - Fill filename
basic-auth-sealed.yamltoName your file...field - Copy & Paste
basic-auth-sealed.yamlcontent to text area and click onCommit changes
- Open
-
Observe the secret manifest decrypted inside kubernetes
- Go to
http://instanceIp:30000 - Click on
Secrets - Click on
basic-auth - Click
passwordandusereye to see real values
- Go to