Sealed Secrets allow Secrets to be stored alongside other manifests, even in public repositories. A Sealed Secret is encrypted & can only be decrypted by the Sealed Secrets Controller running in the cluster.
Architecture
A regular Secret is encrypted with the public key of a key pair held by the Sealed Secrets Controller. This produces a Sealed Secret, which can then be applied to the cluster, where the controller uses its private key to turn it back into a regular Secret.
flowchart LR
secret([Secret]) --> ssc
sealsecret([Sealed Secret])
subgraph cluster[Kubernetes Cluster]
ssc(Sealed Secrets Controller)
subgraph Namespace
direction TB
sealsecret2([Sealed Secret]) -.->|Syncs| secret2([Secret])
end
end
ssc -->|Seals| sealsecret
ssc -.->|Unseals| sealsecret2
sealsecret -->|Apply| sealsecret2
Usage
Install the kubeseal cli, either using brew install kubeseal or downloading it from the releases.
Take a regular secret such as
& run kubeseal against it: kubeseal < secret.yaml -o yaml > sealed.yaml
This results in a SealedSecret, which can be stored anywhere & is turned back into the original Secret once applied to the cluster.
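Because the whole point is that only sealed manifests ever reach the repository, a small pre-commit check that rejects a plaintext Secret and sanity-checks a SealedSecret is useful. The check below is an added example, not code from the page or from the Sealed Secrets project; it reads manifests in JSON (kubeseal can emit that with -o json), the sample manifests and the ciphertext placeholder are constructed, and the expected fields (spec.encryptedData, spec.template.metadata) are the ones a SealedSecret carries.

```python
import base64
import binascii
import json

# Constructed sample manifests, not real kubeseal output; the
# "ciphertext" is a base64 placeholder so the check runs offline.
SAMPLE_SEALED = {
    "apiVersion": "bitnami.com/v1alpha1",
    "kind": "SealedSecret",
    "metadata": {"name": "db-creds", "namespace": "app"},
    "spec": {
        "encryptedData": {
            "password": base64.b64encode(b"\x00placeholder-ciphertext").decode()
        },
        "template": {"metadata": {"name": "db-creds", "namespace": "app"}},
    },
}
SAMPLE_PLAIN = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "app"},
    "stringData": {"password": "hunter2"},  # constructed, must never be committed
}


def check_manifest(doc):
    """Return a list of findings; an empty list means the manifest is safe to commit."""
    findings = []
    kind = doc.get("kind")
    meta = doc.get("metadata", {})
    # A plain Secret with payload fields is exactly what must not land in git.
    if kind == "Secret" and (doc.get("data") or doc.get("stringData")):
        findings.append("plaintext Secret %r must be sealed before commit" % meta.get("name"))
    elif kind == "SealedSecret":
        spec = doc.get("spec", {})
        enc = spec.get("encryptedData") or {}
        if not enc:
            findings.append("SealedSecret %r has no encryptedData" % meta.get("name"))
        # kubeseal stores ciphertext base64-encoded; anything else was hand-edited.
        for key, value in enc.items():
            try:
                base64.b64decode(value, validate=True)
            except (binascii.Error, ValueError, TypeError):
                findings.append("encryptedData[%r] is not base64 ciphertext" % key)
        # The template names the Secret that will be produced; a mismatch with the
        # SealedSecret's own name/namespace usually means a copy-paste error.
        tmeta = spec.get("template", {}).get("metadata", {})
        for field in ("name", "namespace"):
            if field in tmeta and tmeta[field] != meta.get(field):
                findings.append("template %s %r differs from SealedSecret %s %r"
                                % (field, tmeta[field], field, meta.get(field)))
    return findings


def check_file(path):
    """Load one JSON manifest from disk and return its findings."""
    with open(path) as fh:
        return check_manifest(json.load(fh))
```

Wire check_file into a pre-commit hook over every changed manifest and fail the commit when any call returns a non-empty list.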