Kubernetes - Container-Orchestration System
Sealed Secrets Kubernetes
Anton Putra
January 24, 2021
1 min

  • Install kubeseal. Follow instructions on GitHub releases page.

  • Create 01-kubeseal.yaml file. You can get original files from GitHub releases page.

  • Apply created file using kubectl - kubectl apply -f k8s/01-kubeseal.yaml

  • Verify that the Sealed Secret controller is successfully initialized and generated a key pair.

  • Check logs kubectl logs --tail=-1 -f -l name=sealed-secrets-controller -n kube-system

  • Check tls secret kubectl get secrets -n kube-system

  • Get content of the secret kubectl get secrets sealed-secrets-<id> -n kube-system -o yaml

  • Decode public key using echo and base64 tools echo <string> | base64 -d

  • Compare certificate with the one in the log

  • Create namespace for sample application 02-namespace.yaml

  • Apply namespace kubectl apply -f k8s/02-namespace.yaml

  • Encode token to base64 echo -n '$3#*2134asd' | base64

  • Create Kubernetes secret 03-secret.yaml

  • Fetch Sealed Secret certificate kubeseal --fetch-cert > cert.pem. Add --controller-namespace kube-system if it’s in different namespace.

  • Optionally, decode certificate openssl x509 -in cert.pem -text -noout

  • These are the possible scopes:

    • strict (default): the secret must be sealed with exactly the same name and namespace.
    • namespace-wide: you can freely rename the sealed secret within a given namespace.
    • cluster-wide: the secret can be unsealed in any namespace and can be given any name.
  • Seal Kuberentes secret kubeseal < k8s/03-secret.yaml --cert cert.pem -o yaml > k8s/04-sealedsecret.yaml. Additionally add --scope strict.

  • Open Sealed Secret controller logs kubectl logs --tail=-1 -f -l name=sealed-secrets-controller -n kube-system

  • Apply Sealed secret kubectl apply -f k8s/04-sealedsecret.yaml

  • Check the secrets kubectl get secrets -n staging

  • Get secret kubectl get secrets credentials -o yaml -n staging or kubectl get secrets credentials -o jsonpath='{.data}' -n staging

  • Decode secret - echo "JDMjKjIxMzRhc2QK" | base64 -d

  • Pipe to base64 kubectl get secrets credentials -o jsonpath='{.data}' -n staging | jq -r '.token' | base64 -d. Like the video :)

  • Create deployment 05-deployment.yaml.

  • Apply flask app kubectl apply -f k8s/05-deployment.yaml

  • Check the status kubectl get pods -n staging

  • Check logs kubectl logs -l app=flask -n staging



Anton Putra

DevOps Engineer

Big Data | DevOps engineer with hands-on experience in building large, scalable batch and real-time applications with Apache Spark, Hive, Flink on top of Kubernetes; designing and developing CI/CD pipelines.



Social Media


Related Posts

Install MongoDB on Kubernetes
How to Install MongoDB on Kubernetes?
March 07, 2021
1 min
© 2021, All Rights Reserved.

Quick Links

About UsContact Us

Social Media