This is the hands-on follow-up to the previous blog, Introduction to Sealed Secrets in Kubernetes.
In this blog, we create Kubernetes Secrets with the help of Sealed Secrets.
Prerequisites:
- A control plane node with access to a Kubernetes cluster
Install kubeseal
kubeseal is a CLI tool that encrypts a Secret with the controller's public key and emits a SealedSecret custom resource.
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.2/kubeseal-0.19.2-linux-amd64.tar.gz
tar -xvzf kubeseal-0.19.2-linux-amd64.tar.gz
install -m 755 kubeseal /usr/local/bin/kubeseal
Install the Sealed Secrets controller on Kubernetes
The sealed-secrets controller generates a key pair: the public key is used to encrypt (seal) secrets, and the private key, held by the controller, to decrypt them.
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.2/controller.yaml
Check the logs of the controller
On startup, the controller looks for a secret labelled sealedsecrets.bitnami.com/sealed-secrets-key in its own namespace. If none exists, it generates a new key pair, stores it in such a secret and prints the public key portion to its logs.
Check the secret created by the controller to hold the private key
kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml
The output includes tls.crt (the public certificate) and tls.key (the private key).
Create secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: sealed-secret
  namespace: test
data:
  DB_PASSWORD: ZGJwYXNzCg==
Values under data must be base64-encoded. Note that ZGJwYXNzCg== decodes to dbpass followed by a newline, which is what echo produces without -n; use printf or echo -n when encoding if the trailing newline is not wanted.
Create the SealedSecret with kubeseal
cat secret.yaml | kubeseal \
--controller-namespace kube-system \
--controller-name sealed-secrets-controller \
--format yaml \
> sealed-secret.yaml
Apply the sealed secret
kubectl create ns test
kubectl apply -f sealed-secret.yaml
Check that the SealedSecret was created
kubectl get sealedsecret -n test -o yaml
Check that the controller created the corresponding Secret
kubectl get secret sealed-secret -n test -o yaml
The SealedSecret owns the Secret the controller creates
If we delete the SealedSecret, the corresponding Secret is deleted as well.
Disaster Recovery for sealed secrets
Without the private key managed by the controller, there is no way to decrypt the data in a SealedSecret.
- Back up the secret that holds the private key to a master.yaml file
kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml > master.yaml
- Delete the secret holding the private key (this simulates losing it)
kubectl delete secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key
- Delete the controller deployment from the cluster
kubectl delete -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.2/controller.yaml
- Restore the backed-up secret containing the private key
kubectl apply -f master.yaml
- Deploy the controller again
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.2/controller.yaml
- Check the logs of the controller
The controller looks for an existing key secret before generating a new key pair; if it finds one, it reuses that key pair instead of creating a new one.
As the log output shows, the controller picked up the private key from the existing secret named sealed-secrets-key9b5qd.
Hey, readers! Thank you for sticking with it till the end. If you have any questions or feedback regarding this blog, I am reachable at vidushi.bansal@knoldus.com. You can find more of my blogs here.