@morrismusumi
Last active November 27, 2023 23:17
Safely Store Your Kubernetes Secrets in a Git Repository

Installation

helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
## fullnameOverride matters: kubeseal looks for a service named sealed-secrets-controller in kube-system by default
helm upgrade --install sealed-secrets -n kube-system --set-string fullnameOverride=sealed-secrets-controller sealed-secrets/sealed-secrets

## Verify installation (the sealed-secrets-key* secret is the controller's private key: back it up, never commit it)
kubectl get pods -n kube-system | grep seal
kubectl get secrets -n kube-system | grep seal

## Kubeseal
brew install kubeseal

Create an example secret manifest. Write it to a file for kubeseal to read in the next step; this plaintext file is the one that stays out of git.

cat <<EOF > postgresql-secret.yml
apiVersion: v1
kind: Secret
metadata:
  name: postgresql-secret
  # namespace is part of what the ciphertext is bound to (strict scope), so set it explicitly
  namespace: default
type: Opaque
data:
  # base64 of "mysecretpassword" without a trailing newline; encode with `echo -n ... | base64`,
  # otherwise the newline becomes part of the password
  postgres-password: bXlzZWNyZXRwYXNzd29yZA==
EOF

Seal the manifest and apply the result. Applying the SealedSecret creates the sealed secret object; the controller then decrypts it and creates the Secret. kubeseal writes JSON by default, so pass -o yaml to get a YAML file.

kubeseal -f postgresql-secret.yml -o yaml -w postgresql-sealed-secret.yml
kubectl apply -f postgresql-sealed-secret.yml

kubectl get sealedsecret,secret

Create a sealed secret manifest without a secret file by piping a client-side dry-run Secret straight into kubeseal. Because the default (strict) scope binds the ciphertext to the Secret's name and namespace, pass -n on the kubectl create step when the target namespace is not the current kubeconfig namespace.

echo -n secretpassword | kubectl create secret generic mysql-secret --dry-run=client --from-file=mysql-password=/dev/stdin -o yaml | kubeseal -o yaml -w mysql-sealed-secret.yml

Update an existing secret. The controller refuses to overwrite a Secret it did not create unless the Secret carries the managed annotation, so annotate it first, then seal it and apply the sealed form.

kubectl annotate secret oracle-secret sealedsecrets.bitnami.com/managed=true
kubectl get secret oracle-secret -o yaml | kubeseal -o yaml -w oracle-sealed-secret.yml
kubectl apply -f oracle-sealed-secret.yml

Update selected keys in an existing secret. The patch annotation makes the controller merge the keys from the SealedSecret into the existing Secret instead of replacing it.

kubectl annotate secret mongodb-secret sealedsecrets.bitnami.com/patch=true
echo -n localhost | kubectl create secret generic mongodb-secret --from-file=mongodb-host=/dev/stdin --dry-run=client -o yaml | kubeseal -o yaml -w mongodb-sealed-secret.yml
kubectl apply -f mongodb-sealed-secret.yml

## Keeps the Secret from being garbage-collected when the SealedSecret is deleted (the Secret is not given the SealedSecret as its owner reference)
kubectl annotate secret mongodb-secret sealedsecrets.bitnami.com/skip-set-owner-references=true

Update selected keys in an existing sealed secret manifest. --merge-into adds or replaces the given keys in the file in place and leaves the ciphertext of the other keys untouched.

echo -n 27017 | kubectl create secret generic mongodb-secret --from-file=mongodb-port=/dev/stdin --dry-run=client -o yaml | kubeseal --merge-into mongodb-sealed-secret.yml -o yaml
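The whole point of the workflow above is that only SealedSecret objects reach the repository. As an added example (not from this gist and not a sealed-secrets project tool), here is a pre-commit style guard that rejects plaintext Secret manifests and lets SealedSecret objects through. It assumes manifests are YAML with `kind:` and `data:`/`stringData:` at column 0, which is what kubectl and kubeseal emit; the script name and the sample manifests in the usage note are constructed for illustration.

```shell
#!/usr/bin/env bash
# check-secrets.sh: refuse plaintext Kubernetes Secret manifests.
# Added example, not part of the gist or the sealed-secrets project.
# Only SealedSecret objects (kind: SealedSecret) belong in the repository;
# a SealedSecret keeps its payload under spec.encryptedData (indented), so the
# column-0 data:/stringData: check below does not fire on it.
set -eu

# find_plaintext_secrets FILE...
# Prints "file:docindex name" for every YAML document that is a Secret
# carrying data or stringData. Returns 1 if any was found, 0 otherwise.
find_plaintext_secrets() {
  local found=0 f hits
  for f in "$@"; do
    # awk walks each '---'-separated document; the verdict is taken at the end
    # of the document, so key order (kind before or after data) does not matter.
    hits=$(awk '
      function report() {
        if (kind == "Secret" && haspayload) printf "%s:%d %s\n", FILENAME, doc, name
      }
      function reset() { kind = ""; name = "<unnamed>"; haspayload = 0; doc++ }
      BEGIN { reset() }
      /^---[[:space:]]*$/ { report(); reset(); next }
      /^kind:[[:space:]]*/ { kind = $2 }
      /^[[:space:]]+name:[[:space:]]*/ && name == "<unnamed>" { name = $2 }
      /^(data|stringData):[[:space:]]*$/ { haspayload = 1 }
      END { report() }
    ' "$f")
    if [ -n "$hits" ]; then
      printf '%s\n' "$hits"
      found=1
    fi
  done
  return $found
}

# Usage: check-secrets.sh FILE...  (exit 1 blocks the commit when used as a hook)
if [ "$#" -gt 0 ]; then
  if ! find_plaintext_secrets "$@"; then
    echo "plaintext Secret manifest(s) found; seal them with kubeseal before committing" >&2
    exit 1
  fi
fi
```

To wire it in, call it from `.git/hooks/pre-commit` over the staged manifests, for example `git diff --cached --name-only --diff-filter=ACM -- '*.yml' '*.yaml' | xargs check-secrets.sh`. ConfigMaps also have a column-0 `data:` key but are not reported because the kind check is applied per document.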