
Sealed Secrets

It goes without saying that one should NEVER commit actual plaintext secrets to version control such as git!

Sealed Secrets is a tool that lets you safely commit encrypted secrets to git; it takes care of encrypting and decrypting the plaintext via a Kubernetes custom resource (SealedSecret) and a controller running inside the cluster.

Installation

Sealed Secrets needs a CLI tool called kubeseal installed on your local machine. For instructions on how to install kubeseal for your operating system, see the official GitHub repository: https://github.com/bitnami-labs/sealed-secrets, where you can also find information on the inner workings of kubeseal and Sealed Secrets.

Sealing a secret

First create a secret locally, e.g. by running

oc create secret generic mysecret \
  --from-literal=password=XXXX \
  --dry-run=client -o yaml \
  > secret-base-for-sealing.yaml

After that, you can seal the local secret with kubeseal:

kubeseal \
  --controller-namespace=sealed-secrets-controller \
  --controller-name=sealed-secrets \
  --format yaml \
  --namespace <NAMESPACE> \
  < secret-base-for-sealing.yaml > sealed-secret.yaml

The sealed-secret.yaml can then be pushed into the Git repository. The file secret-base-for-sealing.yaml still holds the plaintext (only base64-encoded, not encrypted) and must never be committed.

The controller inside the cluster will turn the sealed secret into a regular Secret, so you can use your secret as you normally would. Note that by default a sealed secret is bound to the namespace and name it was sealed for, so the --namespace given to kubeseal must be the namespace the secret will be applied to.
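As an added example (not part of this page or of the sealed-secrets project), the following POSIX shell check refuses to let the plaintext base file, or any manifest still carrying the plaintext, through a commit: it only accepts a SealedSecret manifest that contains neither the literal value nor its base64 form. The function name check_sealed, the SAMPLE_* variables, the sample manifests and the ciphertext placeholder are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the sealed-secrets project: a pre-commit style check
# that only lets a manifest through when it is a SealedSecret carrying no plaintext.
# check_sealed FILE PLAINTEXT -> 0 when FILE is safe to commit, 1 otherwise.
check_sealed() {
  file="$1"; plain="$2"
  # Only SealedSecret manifests belong in git; a plain Secret never does.
  if ! grep -q '^kind: SealedSecret$' "$file"; then
    echo "$file: kind is not SealedSecret"; return 1
  fi
  # A top-level data:/stringData: block means the values are not encrypted.
  if grep -Eq '^(data|stringData):' "$file"; then
    echo "$file: unencrypted data block present"; return 1
  fi
  # The value must appear neither verbatim nor base64-encoded (the form a plain
  # Secret stores). Very short values may match ciphertext by chance.
  b64=$(printf '%s' "$plain" | base64 | tr -d '\n')
  if grep -qF -- "$plain" "$file" || grep -qF -- "$b64" "$file"; then
    echo "$file: plaintext (or its base64 form) present"; return 1
  fi
  return 0
}

# Constructed sample manifests so the check can be exercised offline.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PLAIN='s3cret-pa55word'
# Shape of 'oc create secret ... --dry-run=client -o yaml' output (never commit this).
cat > "$SAMPLE_DIR/secret-base-for-sealing.yaml" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
data:
  password: $(printf '%s' "$SAMPLE_PLAIN" | base64 | tr -d '\n')
EOF
# Shape of kubeseal output; the ciphertext is a placeholder, not real output.
cat > "$SAMPLE_DIR/sealed-secret.yaml" <<EOF
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
  namespace: myproject
spec:
  encryptedData:
    password: AgBy3i4OJSWK+PLACEHOLDER-CIPHERTEXT+Q9RGnHHwbZ
EOF
check_sealed "$SAMPLE_DIR/sealed-secret.yaml" "$SAMPLE_PLAIN" && echo "sealed-secret.yaml: OK to commit"
check_sealed "$SAMPLE_DIR/secret-base-for-sealing.yaml" "$SAMPLE_PLAIN" || echo "secret-base-for-sealing.yaml: blocked"
```

Wired into a pre-commit hook over every staged *.yaml, this stops the base file from being committed by accident while letting the sealed manifest through.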