Sealed Secrets Guide
Bitnami Sealed Secrets: Encrypting Kubernetes Secrets
Bitnami Sealed Secrets is a Kubernetes controller and companion CLI for "one-way" encrypted Secrets: a secret is encrypted before it is committed to your Git repository, and only the controller running in the target cluster can decrypt it. This lets you keep sensitive values under version control alongside the rest of your manifests.
This guide will walk you through the essential steps of installing and using Sealed Secrets to enhance your Kubernetes security posture.
Prerequisites for Sealed Secrets
Before you begin, ensure you have the following tools installed and configured:
- kubectl: The Kubernetes command-line tool.
- kubeseal: The command-line client for encrypting secrets.
Installing Kubeseal Client
To install the kubeseal client, download the latest version from the official releases page. For Linux systems, you can use the following commands:
curl -sSL https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.1/kubeseal-0.19.1-linux-amd64.tar.gz | tar -xz
sudo install -o root -g root -m 0755 kubeseal /usr/local/bin/kubeseal
Creating a Sealed Secret
Sealed secrets can be created in a few commands directly from your terminal.
Creating Secrets from Standard Input (stdin)
First, generate a standard Kubernetes Secret manifest. This example creates a secret named app-secret with the key foo; --dry-run=client writes the manifest to app-secret.yaml without applying it to the cluster:
echo -n pass123 | kubectl create secret generic app-secret --dry-run=client --from-file=foo=/dev/stdin -o yaml > app-secret.yaml
Next, encrypt this secret with kubeseal, which fetches the controller's public certificate from the cluster. Ensure you specify the correct --controller-name and --controller-namespace, which are typically set when the Sealed Secrets controller is installed:
kubeseal --controller-name=sealed-secrets --controller-namespace=kube-system --format yaml < app-secret.yaml > app-sealedsecret.yaml
Finally, apply the encrypted sealed secret to your cluster; the controller decrypts it and creates the corresponding Secret. Only app-sealedsecret.yaml belongs in Git: app-secret.yaml still holds the value, merely base64-encoded, so delete it once it has been sealed.
kubectl create -f app-sealedsecret.yaml
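A defender-side check for the workflow above, added here as an example that is not part of the Sealed Secrets project: a POSIX shell pre-commit check that rejects a plain Secret manifest such as the intermediate app-secret.yaml while letting SealedSecret resources through. The function names and the sample manifests are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Sealed Secrets project): a pre-commit style check
# that rejects plain Kubernetes Secret manifests, such as the intermediate
# app-secret.yaml, while letting SealedSecret resources through.

# find_plain_secrets FILE... : prints file:line for every YAML document whose
# kind is exactly "Secret" (SealedSecret passes); returns 1 if any were found.
find_plain_secrets() {
    status=0
    for f in "$@"; do
        awk -v file="$f" '
            # "kind: SealedSecret" does not match: Secret must end the line
            /^kind:[ \t]*Secret[ \t]*$/ {
                printf "%s:%d: plain Secret manifest, seal it with kubeseal first\n", file, NR
                hit = 1
            }
            END { exit hit ? 1 : 0 }
        ' "$f" || status=1
    done
    return $status
}

# check_staged_manifests : run the check over YAML files staged in git
# (hypothetical hook entry point for .git/hooks/pre-commit; paths without spaces).
check_staged_manifests() {
    files=$(git diff --cached --name-only --diff-filter=ACM -- '*.yaml' '*.yml')
    [ -z "$files" ] && return 0
    find_plain_secrets $files
}

# Constructed sample manifests (hypothetical contents) to exercise the check.
DEMO_DIR=$(mktemp -d)
PLAIN="$DEMO_DIR/app-secret.yaml"
SEALED="$DEMO_DIR/app-sealedsecret.yaml"
cat > "$PLAIN" <<'EOF'
apiVersion: v1
kind: Secret
metadata: {name: app-secret}
data: {foo: cGFzczEyMw==}
EOF
cat > "$SEALED" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata: {name: app-secret}
spec: {encryptedData: {foo: AgBy-constructed-placeholder}}
EOF
if find_plain_secrets "$PLAIN" "$SEALED"; then
    echo "OK: no plain Secret manifests"
else
    echo "BLOCKED: plain Secret manifest found, run kubeseal first"
fi
```

Wire check_staged_manifests into .git/hooks/pre-commit so the hook exits non-zero, and the commit is refused, whenever a staged YAML file carries a plain Secret.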
Managing the Master Key
The master key (the controller's private sealing key) is what decrypts your sealed secrets; without it, every sealed secret in Git becomes unrecoverable after a cluster rebuild. Back it up securely, and refresh the backup after the controller renews its key (every 30 days by default), since the controller keeps older keys alongside the new one and all of them are needed to decrypt existing sealed secrets.
Backing Up the Master Key
You can retrieve the master key secret from the kube-system namespace:
kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml > sealedsecret-master.key
Store this sealedsecret-master.key file in a secure location, such as a password manager or a dedicated secrets management system: it contains the private key in plain base64, and anyone holding it can decrypt every sealed secret in your repository.
Restoring the Master Key
If you need to restore the master key (e.g., after a cluster rebuild), re-apply the saved secret and restart the Sealed Secrets controller pod so that it loads the restored key:
kubectl apply -f sealedsecret-master.key
kubectl delete pod -n kube-system -l name=sealed-secrets-controller
This process ensures that your encrypted secrets remain secure and manageable within your Kubernetes environment.