Sealed Secrets

Sealed Secrets encrypts Kubernetes Secrets so you can store them in git without any worries.

Details

Usually the content of Kubernetes Secret definitions is unencrypted which means it is not recommended to store them alongside other Kubernetes definitions in version control or anywhere that is not a secured environment. This adds manual and error-prone steps to your application deployment. As a solution to this, we are running a controller that will take care of decrypting your Sealed Secrets and turning them into normal Secret objects.

Availability

Sealed Secrets are available as standard with nine Managed GKE.

Usage

The easiest way to create a Sealed Secret is to use our generator on runway.

1. Generate a new Sealed Secret by filling out the form in the Secrets Generator Tab.

2. Download the Sealed Secret.

3. Apply it via kubectl.

   $ kubectl apply -f ~/Downloads/cloudsql-prod.yaml
   sealedsecret.bitnami.com/cloudsql-prod created

4. Read back the Secret resource that the controller created for us.

   $ kubectl get secret cloudsql-prod --template={{.data.password}} | base64 -d
   s#g{eJJ#O)p~VCHVNt26*WGD3

To delete the Secret again, you can just delete the Sealed Secret and the controller will also remove the Secret object.

$ kubectl delete sealedsecret cloudsql-prod
sealedsecret.bitnami.com "cloudsql-prod" deleted

Note that in a production scenario we do not recommend you to apply the Sealed Secret locally with kubectl, but instead store it in your configuration repository and let Argo CD take care of creating it.

Documentation and Links

• Sealed Secrets Documentation