NAME: sealed-secret
LAST DEPLOYED: Wed Oct 21 11:45:43 2020
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
You should now be able to create sealed secrets.
- Install client-side tool into /usr/local/bin/

GOOS=$(go env GOOS)
GOARCH=$(go env GOARCH)
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.12.4/kubeseal-$GOOS-$GOARCH
sudo install -m 755 kubeseal-$GOOS-$GOARCH /usr/local/bin/kubeseal
- Create a sealed secret file

kubectl create secret generic secret-name --dry-run --from-literal=foo=bar -o [json|yaml] | \
  kubeseal \
    --controller-name=sealed-secret-sealed-secrets \
    --controller-namespace=kube-system \
    --format [json|yaml] > mysealedsecret.[json|yaml]
The file mysealedsecret.[json|yaml] is safe to commit to version control.
If you would rather not need access to the cluster to generate the sealed secret, you can run

kubeseal \
  --controller-name=sealed-secret-sealed-secrets \
  --controller-namespace=kube-system \
  --fetch-cert > mycert.pem

to retrieve the public cert used for encryption and store it locally. You can then run 'kubeseal --cert mycert.pem' instead to use the local cert, e.g.
kubectl create secret generic secret-name --dry-run --from-literal=foo=bar -o [json|yaml] | \
  kubeseal \
    --controller-name=sealed-secret-sealed-secrets \
    --controller-namespace=kube-system \
    --format [json|yaml] --cert mycert.pem > mysealedsecret.[json|yaml]
- Apply the sealed secret

kubectl create -f mysealedsecret.[json|yaml]
Running 'kubectl get secret secret-name -o [json|yaml]' will show the decrypted secret that was generated from the sealed secret.
Both the SealedSecret and generated Secret must have the same name and namespace.
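The sealing pipeline above wrapped in a script, plus an offline check for the name/namespace rule, as an added example that is not part of the chart's NOTES. It assumes kubeseal's standard YAML indentation for its output, uses kubectl's current `--dry-run=client` spelling, and all function names are made up for illustration.

```shell
# Added example (not the chart's NOTES): a function for the create-secret | kubeseal
# pipeline plus an offline check that the SealedSecret and the Secret it templates
# share name and namespace. Assumes kubeseal's YAML indentation (2 and 6 spaces).
set -eu
CONTROLLER_NAME="sealed-secret-sealed-secrets"  # <release>-sealed-secrets, as in the NOTES
CONTROLLER_NAMESPACE="kube-system"
# seal_literal NAME NAMESPACE KEY=VALUE CERT_PEM > out.yaml  (hypothetical helper;
# needs kubectl and kubeseal on PATH; --cert means no cluster access is required)
seal_literal() {
    kubectl create secret generic "$1" --namespace "$2" --dry-run=client \
        --from-literal="$3" -o yaml |
    kubeseal --controller-name="$CONTROLLER_NAME" \
             --controller-namespace="$CONTROLLER_NAMESPACE" \
             --format yaml --cert "$4"
}

# yaml_field FILE INDENT KEY: value of "KEY:" at exactly INDENT leading spaces.
yaml_field() {
    awk -v n="$2" -v key="$3" 'BEGIN { pad = sprintf("%" n "s", "") }
        index($0, pad key ":") == 1 { sub(/^ *[^:]*: */, ""); print; exit }' "$1"
}

# check_scope FILE: succeeds only if metadata and spec.template.metadata agree,
# which the controller requires before it will unseal the secret.
check_scope() {
    outer_name=$(yaml_field "$1" 2 name);    inner_name=$(yaml_field "$1" 6 name)
    outer_ns=$(yaml_field "$1" 2 namespace); inner_ns=$(yaml_field "$1" 6 namespace)
    [ -n "$outer_name" ] && [ "$outer_name" = "$inner_name" ] && [ "$outer_ns" = "$inner_ns" ]
}

# write_sample FILE: constructed manifest in kubeseal's layout (placeholder ciphertext).
write_sample() {
    cat > "$1" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: secret-name
  namespace: default
spec:
  encryptedData:
    foo: AgBPLACEHOLDER-NOT-A-REAL-CIPHERTEXT
  template:
    metadata:
      name: secret-name
      namespace: default
EOF
}

sample=$(mktemp); write_sample "$sample"
if check_scope "$sample"; then echo "scope ok: $(yaml_field "$sample" 2 name)"; fi; rm -f "$sample"
```

Run check_scope on a real kubeseal output file before `kubectl create -f` in CI; a manifest whose template was renamed after sealing fails the check and would be rejected by the controller anyway.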