Sealed Secrets is a popular tool for managing secrets in Kubernetes clusters.

It consists of a controller running in the cluster and a client CLI, kubeseal. kubeseal encrypts a Kubernetes Secret into a SealedSecret custom resource, and the controller decrypts SealedSecrets back into ordinary Secrets inside the cluster (only Secrets; there is no ConfigMap equivalent).

Sealed Secrets uses asymmetric encryption (a private / public key pair held by the controller): anyone with the public certificate can seal a secret, but only the controller, which keeps the private key, can unseal it. That is what makes a SealedSecret safe to commit to git next to the rest of the manifests.

Install

We need kubeseal, the client CLI (the controller side is installed in the cluster separately; see the repo).

Install it from source or from your favourite package manager.

For me, on Arch, it is:

sudo pacman -Sy kubeseal

More info about installing on the repo.

Setup

Save the controller's keys locally. The public certificate is all that is needed to seal; the private key is only needed for offline recovery (see Recovery below) and must be protected, since anyone holding it can decrypt every SealedSecret in the cluster. Fetch the certificate from the running controller:

kubeseal --fetch-cert > ~/.ssh/cert.pem

The private key lives in a Secret in the controller's namespace (the XXXX suffix is the generated key name). Extract it, store it with restrictive permissions (chmod 600) and keep it out of any git repository:

kubectl get secret -n kube-system sealed-secrets-keyXXXX -o jsonpath="{.data.tls\.key}" | base64 -d > ~/.ssh/kubeseal-priv.pem

Encrypt

Raw encrypt

echo -n PASS | kubeseal --raw --namespace NAMESPACE --name SECRET_NAME --scope strict --cert ~/.ssh/cert.pem

This prints the encrypted value as a single base64 string, which is what goes under encryptedData in a SealedSecret manifest. The -n on echo matters: without it the trailing newline becomes part of the secret value. --cert lets kubeseal work offline from the certificate saved above instead of contacting the controller.

Most of the parameters are self-explanatory; --scope deserves a closer look.

Scope can be:

  • strict (the default)
  • namespace-wide
  • cluster-wide

With strict, the SealedSecret must be unsealed under exactly the name and namespace it was sealed for.

From the doc:

the secret must be sealed with exactly the same name and namespace. These attributes become part of the encrypted data and thus changing name and/or namespace would lead to “decryption error”

With namespace-wide the SealedSecret can be renamed freely but only unsealed in the namespace it was sealed for (kubeseal records this with the annotation sealedsecrets.bitnami.com/namespace-wide: "true", as in the manifest below); with cluster-wide it can be unsealed under any name in any namespace (annotation sealedsecrets.bitnami.com/cluster-wide: "true"). Prefer strict unless you have a reason not to: the wider the scope, the easier it is for someone with write access elsewhere in the cluster to copy the SealedSecret into a namespace they control and have the controller decrypt it for them. A cluster-wide SealedSecret is effectively readable by anyone who can create a SealedSecret and read Secrets in any namespace.
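To show what --scope actually binds, here is an added example in Go (written for this page, not the project's own code) that reproduces the hybrid scheme Sealed Secrets describes: a fresh AES-256-GCM session key is wrapped with RSA-OAEP (SHA-256), and the scope label (namespace/name for strict, the namespace for namespace-wide, empty for cluster-wide) is the OAEP label, so unsealing under a different name or namespace fails at the unwrap step. The label strings and byte layout are assumptions taken from my reading of the project's source and may differ in detail; the function names, the in-process key pair and the prod/dev namespaces are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Scope mirrors the three values of kubeseal --scope.
type Scope int

const (
	Strict Scope = iota
	NamespaceWide
	ClusterWide
)

// encryptionLabel is what the ciphertext is bound to (assumed from the project's
// source): "namespace/name" for strict, "namespace" for namespace-wide, "" for cluster-wide.
func encryptionLabel(namespace, name string, scope Scope) []byte {
	switch scope {
	case ClusterWide:
		return []byte{}
	case NamespaceWide:
		return []byte(namespace)
	default:
		return []byte(namespace + "/" + name)
	}
}

// hybridEncrypt is the kubeseal side: a fresh 256-bit session key is wrapped with
// RSA-OAEP(SHA-256) using label as the OAEP label, then the plaintext is sealed with
// AES-GCM under that key. Layout: 2-byte big-endian wrapped-key length, wrapped key,
// GCM output. The zero nonce is only acceptable because each session key is used once.
func hybridEncrypt(pub *rsa.PublicKey, plaintext, label []byte) ([]byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2)
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	return aead.Seal(out, make([]byte, aead.NonceSize()), plaintext, nil), nil
}

// hybridDecrypt is the controller side. OAEP hashes the label into the padding, so a
// SealedSecret applied under a name/namespace it was not sealed for fails at the unwrap.
func hybridDecrypt(priv *rsa.PrivateKey, ciphertext, label []byte) ([]byte, error) {
	if len(ciphertext) < 2 || len(ciphertext) < 2+int(binary.BigEndian.Uint16(ciphertext)) {
		return nil, fmt.Errorf("ciphertext too short")
	}
	n := int(binary.BigEndian.Uint16(ciphertext))
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext[2:2+n], label)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key (scope, name or namespace mismatch?): %w", err)
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, make([]byte, aead.NonceSize()), ciphertext[2+n:], nil)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the controller's key pair
	if err != nil {
		panic(err)
	}
	ct, _ := hybridEncrypt(&priv.PublicKey, []byte("PASS"), encryptionLabel("prod", "db-creds", Strict))
	for _, as := range [][2]string{{"prod", "db-creds"}, {"prod", "renamed"}, {"dev", "db-creds"}} {
		_, err := hybridDecrypt(priv, ct, encryptionLabel(as[0], as[1], Strict))
		fmt.Printf("strict, sealed for prod/db-creds, applied as %s/%s: unseals=%v\n", as[0], as[1], err == nil)
	}
}
```

The point to take away is that the scope is not a policy the controller consults at unseal time; it is baked into the ciphertext, which is why a strict SealedSecret copied to another namespace simply yields a decryption error.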

Manifests

A SealedSecret manifest as produced by kubeseal, here sealed namespace-wide (the annotation records the scope; spec.template holds the metadata and type of the Secret the controller will create; the ciphertext under encryptedData is safe to commit):
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"
  name: mysecret
spec:
  encryptedData:
    plop: AcAHvXzsACQV3lyNTiiIbJeFptmtIfJkTED9U1qvF4dtiz0fkCihP2PT8XEF+JbflJOwhH6T8VA5kmFl1Cjr5qS8ziRWzMc2YSp3dtz9FtjmEumotUJ3RZRv5gTsRWJZoP1nREnKGqQfFaauz3OovnNa2XLT8l9ESf0rqcBq7xMjegDOpqOgJAdHJ6EM0KGSlhle89aejfp3KJbQtO/2voHRB7YYo0bDY0LL4qoDDaxivZpwNJOaLHMeQ9DqX3H4RzLginsFh0K9JWqYaXFqhY8RAkNfW06YF//hq0a9Wl8cwtIa5kaSOYjIgpAvMQxV96hifLjuYRtV9hNTHrI4G5GsLbvaM2L5petgYJK8LM35rUW321do0HqcCN06ov6JNLKgDOlqC+Yfmt2iWXAx8bsu2i/Mq7pX7moDGk+aYj1kzBApqPrLNUY/cU9mIo2HVLlM0yij96w1/nKJlLVS5mmgT8mBOjnp+KBlQvC8TLkPAGdA0rULlh4QMhQWAKipJX1BfbiiF+2QOwa0lmQybg7BVHe9nPu3hGOiqxMT6VyO4OW9rZJDD8JGt12xa5jM/jvTNBf/73U0XpaP9dwX7VmjQ+shkBkwe/RW0CWyVVbAvX5H4KkHk88DWQBAvfC47cK+JcOqQX+16HtlmwkTBwqgptA8DENaC6/XoPzFdLlvO7deNG4gywoFe3t3+yIZp6zPBKH7QDw=
  template:
    metadata:
      annotations:
        sealedsecrets.bitnami.com/namespace-wide: "true"
      creationTimestamp: null
      name: mysecret
    type: Opaque

Integration with Kustomize

A kustomize overlay that includes the SealedSecret next to the base and wires the resulting Secret into the deployment's environment. The Secret named mysecret is created by the controller once the SealedSecret is applied, so the secretRef must use the name from spec.template.metadata.name:
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../base
  - ./sealsecret.yaml

patches:
- target:
    kind: Deployment
    name: myapp
  patch: |-
    - op: add
      path: /spec/template/spec/containers/0/envFrom
      value:
        - secretRef:
            name: mysecret    

Recovery

kubeseal can unseal offline with the controller's private key saved during Setup, which is useful to read back what a SealedSecret contains or to recover secrets if the cluster is gone:

  • render the manifests with kustomize build and store the output in a new file (new-sealed.yaml below)
  • run the following command, which prints the decrypted Secret(s) as YAML; treat that output as plaintext and never commit it

kubeseal < new-sealed.yaml --recovery-unseal --recovery-private-key ~/.ssh/kubeseal-priv.pem -o yaml