# Sealed Secrets

[Sealed Secrets] is a tool for Kubernetes that allows administrators to
store secret data securely in manifest files. It is designed to solve
one of the most difficult problems with GitOps workflows: all Kubernetes
resources can be stored in YAML files in a Git repository, except for secrets.

*Sealed Secrets* works by encrypting the actual secret values using asymmetric
encryption; the `kubeseal` client encrypts the data with the public key, and the
Sealed Secrets controller decrypts them using its private key. Administrators
only interact with SealedSecret objects, which can be committed to Git, shared
with other administrators, etc.

The Sealed Secrets controller can be installed easily:

```sh
kubectl apply -k sealed-secrets
```

To create new SealedSecret manifests, install the `kubeseal` command from
https://github.com/bitnami-labs/sealed-secrets/releases

```sh
kubectl --dry-run=client create secret generic \
  -o yaml \
  -n home-assistant mosquitto \
  --from-file passwd=home-assistant/mosquitto.passwd \
  | kubeseal -o yaml \
  > home-assistant/secrets.yaml
```
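Before committing `secrets.yaml`, it is worth checking that the file really holds only ciphertext and not an unsealed Secret. The shell check below is an added example, not code from the Sealed Secrets project; the two manifests it creates are constructed samples and the `encryptedData` value is a placeholder, not real kubeseal output.

```shell
# Added example, not code from the sealed-secrets project: a pre-commit check
# that a manifest bound for Git holds only ciphertext. Kind must be
# SealedSecret, no top-level data:/stringData: (plain Secret fields) may
# appear, and spec.encryptedData must have at least one entry. grep/awk only.

# check_sealed FILE -> 0 when safe to commit, 1 otherwise
check_sealed() {
  f="$1"
  if ! grep -Eq '^kind:[[:space:]]*SealedSecret[[:space:]]*$' "$f"; then
    echo "$f: kind is not SealedSecret" >&2
    return 1
  fi
  if grep -Eq '^(data|stringData):' "$f"; then
    echo "$f: contains plaintext Secret fields" >&2
    return 1
  fi
  # count 4-space-indented keys under the 2-space "  encryptedData:" block
  n=$(awk '/^  encryptedData:/ {inblk=1; next}
           inblk && /^    [^ ]/ {c++}
           inblk && /^  [^ ]/   {inblk=0}
           END {print c+0}' "$f")
  if [ "$n" -eq 0 ]; then
    echo "$f: no encryptedData entries" >&2
    return 1
  fi
  return 0
}

# Constructed sample manifests; the ciphertext value is a placeholder.
tmp=$(mktemp -d)
cat > "$tmp/sealed.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mosquitto
spec:
  encryptedData:
    passwd: AgBy3i4OJSWK...PLACEHOLDER...
  template:
    metadata:
      name: mosquitto
EOF
cat > "$tmp/plain.yaml" <<'EOF'
apiVersion: v1
kind: Secret
data:
  passwd: dXNlcjpwYXNz
EOF
check_sealed "$tmp/sealed.yaml" && echo "sealed.yaml: ok"
check_sealed "$tmp/plain.yaml" || echo "plain.yaml: rejected"
```

Wired into a Git pre-commit hook over `*/secrets.yaml`, this stops an accidentally unsealed Secret from reaching the repository.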

[Sealed Secrets]: https://github.com/bitnami-labs/sealed-secrets#readme