Using sealed secrets in Kubernetes


This is a practical implementation of the previous blog: Introduction to Sealed Secrets in Kubernetes.
In this blog, we will create secrets in Kubernetes with the help of sealed secrets.

Pre-requisites:

  1. A control-plane node (or any workstation) with kubectl access to a Kubernetes cluster

Install kubeseal

Kubeseal is a CLI tool that encrypts a plain Secret with the controller's public key and emits a SealedSecret custom resource (the CRD for that resource type is installed together with the controller). Only the controller, which holds the matching private key, can decrypt it.

wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.2/kubeseal-0.19.2-linux-amd64.tar.gz

tar -xvzf kubeseal-0.19.2-linux-amd64.tar.gz

install -m 755 kubeseal /usr/local/bin/kubeseal

Install Sealed Secret Controller on Kubernetes

The sealed-secrets controller generates a key pair: the public key is used by kubeseal to encrypt a secret, and the private key, which never leaves the cluster, is used by the controller to decrypt it.

kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.2/controller.yaml

Check the logs of the controller

On start-up the controller looks for a Secret carrying the label sealedsecrets.bitnami.com/sealed-secrets-key in its own namespace. If none exists, it generates a new key pair, stores it in such a Secret and prints the public-key (certificate) portion of the pair to its logs.

Check the secret created by the controller to hold the private key

kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml

This displays the key Secret with two base64-encoded fields: tls.crt, the public certificate that kubeseal encrypts against, and tls.key, the private key. Anyone holding tls.key can decrypt every SealedSecret sealed against it, which is why the recovery section below revolves around this one Secret.

Create secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: sealed-secret
  namespace: test
data:
  # base64 of "dbpass" followed by a newline (what `echo dbpass | base64` gives);
  # use `printf '%s' dbpass | base64` if the password must not carry the newline
  DB_PASSWORD: ZGJwYXNzCg==

Create Sealed Secret via kubeseal

cat secret.yaml | kubeseal \
    --controller-namespace kube-system \
    --controller-name sealed-secrets-controller \
    --format yaml \
    > sealed-secret.yaml
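To make the create-and-seal steps above repeatable, here is an added shell example; it is not code from the original post or from the Sealed Secrets project. It assumes kubeseal is on PATH and that the controller runs in kube-system under the name sealed-secrets-controller, exactly as in the commands above; the function names are mine. The post's value ZGJwYXNzCg== decodes to "dbpass" followed by a newline, which is what `echo dbpass | base64` produces, so the encoder here uses printf and a check is included that detects such a trailing newline before anything is sealed.

```shell
#!/bin/sh
# Added example (not from the original post): build a Secret manifest with a
# correctly base64-encoded value, verify it, and seal it with the same
# controller flags the post uses. Assumes kubeseal is on PATH.
set -eu

# Base64-encode a value without the trailing newline that `echo value | base64`
# would add. GNU base64 wraps long output, so line breaks are stripped too.
encode_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Return success when a base64 value decodes to something ending in a newline,
# the usual sign that the value was produced with echo instead of printf.
value_has_trailing_newline() {
  raw=$(printf '%s' "$1" | base64 -d | wc -c | tr -d ' ')
  # command substitution strips trailing newlines, so the counts differ if one was present
  stripped=$(printf '%s' "$(printf '%s' "$1" | base64 -d)" | wc -c | tr -d ' ')
  [ "$raw" -ne "$stripped" ]
}

# Write a plain Secret manifest to stdout: name, namespace, key, value.
write_secret_manifest() {
  name="$1"; namespace="$2"; key="$3"; value="$4"
  encoded=$(encode_value "$value")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${namespace}
data:
  ${key}: ${encoded}
EOF
}

# Decode one key from a manifest written by write_secret_manifest, so the
# round trip can be checked before the plain file is sealed.
decode_value() {
  manifest="$1"; key="$2"
  grep "^  ${key}: " "$manifest" | sed "s/^  ${key}: //" | base64 -d
}

# Fetch the controller's public certificate; with it, sealing can be done on a
# machine that has no cluster access (kubeseal --cert <file>).
fetch_public_cert() {
  kubeseal \
    --controller-namespace kube-system \
    --controller-name sealed-secrets-controller \
    --fetch-cert > "$1"
}

# Seal the plain manifest with the controller flags from the post.
seal_manifest() {
  plain="$1"; sealed="$2"
  kubeseal \
    --controller-namespace kube-system \
    --controller-name sealed-secrets-controller \
    --format yaml \
    < "$plain" > "$sealed"
}

# Usage (the plain secret.yaml is the one file that must never be committed):
#   write_secret_manifest sealed-secret test DB_PASSWORD dbpass > secret.yaml
#   decode_value secret.yaml DB_PASSWORD      # prints dbpass
#   seal_manifest secret.yaml sealed-secret.yaml
```

Only sealed-secret.yaml is safe to check into git; the controller is the only party that can turn it back into a Secret.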

Apply the sealed secret (the target namespace has to exist first)

kubectl create ns test

kubectl apply -f sealed-secret.yaml

Check that the SealedSecret was created

kubectl get sealedsecret -n test -o yaml

Check that the controller has unsealed it into a regular Secret

kubectl get secret sealed-secret -n test -o yaml

Sealed secrets own the secrets created by the controller

The unsealed Secret carries an ownerReference to its SealedSecret, so if we delete the SealedSecret, Kubernetes garbage collection deletes the corresponding Secret as well.

Disaster Recovery for sealed secrets

Without the private key that is managed by the controller, there is no way to decrypt the encrypted data within a SealedSecret.

In this cluster, the controller picked up the private key held in the Secret called sealed-secrets-key9b5qd; that Secret (and any older key Secrets carrying the same label) is what has to be backed up to recover the SealedSecrets in a new cluster.
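As an added example for the recovery point above (not code from the original post or from the Sealed Secrets project), here are shell helpers that export the controller's key Secrets to a file and restore them into another cluster. They assume the controller is installed in kube-system from the upstream controller.yaml, whose pods carry the label name=sealed-secrets-controller; that label and the function names are my assumptions. The KUBECTL variable exists so the functions can be exercised against a stand-in instead of a live cluster.

```shell
#!/bin/sh
# Added example (not from the original post): back up and restore the sealing
# key pair(s). Assumes the controller runs in kube-system with the upstream
# labels; KUBECTL may point at a wrapper or a test stand-in.
set -eu

KUBECTL="${KUBECTL:-kubectl}"
KEY_LABEL="sealedsecrets.bitnami.com/sealed-secrets-key"

# Export every Secret carrying the sealing-key label. The controller rotates
# keys periodically and keeps the old ones, so selecting by label (not by the
# current sealed-secrets-keyXXXXX name) captures all keys still needed to
# decrypt older SealedSecrets. The file holds private keys: keep it out of git.
backup_sealing_keys() {
  out="$1"
  "$KUBECTL" get secret -n kube-system -l "$KEY_LABEL" -o yaml > "$out"
  chmod 600 "$out"
  # A backup without the private half is useless (wrong namespace or label);
  # fail loudly instead of reporting success.
  grep -q 'tls.key' "$out"
}

# Count the key Secrets in a backup, to compare with what the cluster holds.
count_backup_keys() {
  grep -c '^  kind: Secret$' "$1"
}

# Restore into a (new) cluster: apply the saved key Secrets, then restart the
# controller so it reloads its key set; existing SealedSecrets then unseal again.
restore_sealing_keys() {
  in="$1"
  "$KUBECTL" apply -f "$in"
  "$KUBECTL" delete pod -n kube-system -l name=sealed-secrets-controller
}

# Usage:
#   backup_sealing_keys sealed-secrets-keys.yaml
#   count_backup_keys sealed-secrets-keys.yaml
#   # ... later, with kubectl pointed at the replacement cluster:
#   restore_sealing_keys sealed-secrets-keys.yaml
```

Verify a restore by applying one of the previously sealed manifests and checking that the controller produces the Secret; if it logs that no key fits, the backup did not include the key the manifest was sealed against.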


Hey, readers! Thank you for sticking with it till the end. If you have any questions or feedback regarding this blog, I am reachable at vidushi.bansal@knoldus.com. You can find more of my blogs here.

Written by 

Vidushi Bansal is a Software Consultant [Devops] at Knoldus Inc. She is passionate about learning and exploring new technologies.