Sealed Secrets
Sealed Secrets is a tool for Kubernetes that lets administrators keep secret
data in manifest files without exposing it. It solves one of the awkward gaps
in a GitOps workflow: every Kubernetes resource can live as YAML in a Git
repository except a Secret, whose data fields are only base64-encoded, not
encrypted, so committing one is the same as committing the plaintext.
Sealed Secrets works with hybrid, asymmetric encryption: the kubeseal client
generates a fresh single-use session key for each value, encrypts the value
with it (AES-256-GCM) and wraps that session key with the controller's RSA
public key (RSA-OAEP); the Sealed Secrets controller running in the cluster
unwraps the session key with its private key, decrypts the values and writes a
normal Secret. Administrators only interact with SealedSecret objects, which
can be committed to Git, shared with other administrators, etc.
Two properties are worth knowing before relying on this: by default a
SealedSecret is bound to the namespace and name it was sealed for, and the
controller refuses to unseal it under any other name or namespace; and the
controller's private key is the one thing that must never be lost or leaked,
because every SealedSecret in the repository depends on it.
The Sealed Secrets controller can be installed easily:
kubectl apply -k sealed-secrets
On first start the controller generates its RSA key pair and stores it in a
Secret labelled sealedsecrets.bitnami.com/sealed-secrets-key in its own
namespace. Back that Secret up somewhere outside the cluster: if it is lost,
none of the SealedSecrets in the repository can ever be decrypted again.
To create new SealedSecret manifests, install the kubeseal command from
https://github.com/bitnami-labs/sealed-secrets/releases
and pipe a client-side dry-run Secret through it. The Secret is never applied
to the cluster: kubectl only renders it as YAML, and kubeseal encrypts every
data value before anything is written to disk:
kubectl create secret generic mosquitto \
  -n home-assistant \
  --from-file=passwd=home-assistant/mosquitto.passwd \
  --dry-run=client -o yaml \
  | kubeseal -o yaml \
  > home-assistant/secrets.yaml
kubeseal needs the controller's public certificate. By default it fetches it
from the controller through the cluster API, so it must run with a working
kubeconfig; alternatively save the certificate once with kubeseal --fetch-cert
and pass it with --cert to seal offline. The resulting SealedSecret is bound
to the namespace home-assistant and the name mosquitto; if either changes, the
value has to be re-sealed. Only home-assistant/secrets.yaml is committed;
home-assistant/mosquitto.passwd must stay out of Git.
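The following is an added example, not code from this page or from the Sealed Secrets project: a small pre-commit guard around the pipeline above. check_sealed refuses a manifest that is not a SealedSecret, still carries plaintext Secret fields (someone forgot the kubeseal step), or is bound to a different namespace/name than the one expected, which is the mistake that later shows up as a controller that silently never produces the Secret. seal_secret wraps the page's pipeline and runs the guard on its output; it needs kubectl, kubeseal and cluster access, so only the guard is exercised on the constructed sample manifests below. The placeholder ciphertext and the base64 value in the plain Secret are made up for the demo and are not real kubeseal output. The KUBESEAL_CERT variable is an assumption of this script, not a kubeseal setting.

```shell
#!/bin/sh
# Added example, not from the page or the Sealed Secrets project.
set -e

# seal_secret NAMESPACE NAME KEY=FILE OUT
# The page's pipeline as a function, followed by the guard. Needs kubectl,
# kubeseal and cluster access; if KUBESEAL_CERT (our own variable) points at a
# certificate saved earlier with `kubeseal --fetch-cert`, sealing works offline.
# Not invoked by the offline demo below.
seal_secret() {
  ns=$1; name=$2; kv=$3; out=$4
  kubectl create secret generic "$name" -n "$ns" --from-file="$kv" \
      --dry-run=client -o yaml \
    | kubeseal -o yaml ${KUBESEAL_CERT:+--cert "$KUBESEAL_CERT"} >"$out"
  check_sealed "$out" "$ns" "$name"
}

# check_sealed FILE NAMESPACE NAME -> 0 if FILE is safe to commit, 1 otherwise
check_sealed() {
  f=$1; ns=$2; name=$3
  # Must be the CRD, not a plain Secret that never went through kubeseal.
  grep -qFx 'kind: SealedSecret' "$f" ||
    { echo "$f: kind is not SealedSecret" >&2; return 1; }
  # A plain Secret keeps its values under top-level data:/stringData:;
  # a SealedSecret only has spec.encryptedData (indented), so these must be absent.
  if grep -Eq '^(data|stringData):' "$f"; then
    echo "$f: contains plaintext Secret fields" >&2; return 1
  fi
  grep -qFx '  encryptedData:' "$f" ||
    { echo "$f: no spec.encryptedData section" >&2; return 1; }
  # Strict scope: the controller only unseals for the namespace/name the
  # ciphertext was bound to, so compare the file's own metadata (indent 2;
  # the deeper spec.template.metadata lines do not match a whole-line grep).
  grep -qFx "  namespace: $ns" "$f" ||
    { echo "$f: not sealed for namespace $ns" >&2; return 1; }
  grep -qFx "  name: $name" "$f" ||
    { echo "$f: not sealed for name $name" >&2; return 1; }
  return 0
}

# write_samples DIR: two constructed manifests, one sealed (placeholder
# ciphertext, shaped like kubeseal -o yaml output) and one plain Secret.
write_samples() {
  dir=$1
  cat >"$dir/sealed.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mosquitto
  namespace: home-assistant
spec:
  encryptedData:
    passwd: AgBplaceholderCiphertextNotRealKubesealOutput
  template:
    metadata:
      name: mosquitto
      namespace: home-assistant
EOF
  cat >"$dir/plain.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: mosquitto
  namespace: home-assistant
data:
  passwd: bW9zcXVpdHRvOmh1bnRlcjI=
EOF
}

# Offline demo on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
if check_sealed "$tmp/sealed.yaml" home-assistant mosquitto; then
  echo "sealed.yaml: ok to commit"
fi
if check_sealed "$tmp/plain.yaml" home-assistant mosquitto; then
  echo "plain.yaml: unexpectedly accepted"
else
  echo "plain.yaml: rejected"
fi
rm -rf "$tmp"
```

Wire check_sealed into a pre-commit hook over every file matching secrets.yaml, and the plaintext path (home-assistant/mosquitto.passwd) into .gitignore; kubeseal --validate against the live controller is the complementary server-side check that the ciphertext really was produced for this cluster's key.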