This was a little tricky to figure out, but there is a problem with managing secrets in GitHub. We don't want to store them as base64-encoded strings, as that would defeat the purpose of having secrets.
Problem: "I can manage all my K8s config in git, except Secrets."
Solution: Encrypt your Secret into a SealedSecret, which is safe to store - even inside a public repository. The SealedSecret can be decrypted only by the controller running in the target cluster and nobody else (not even the original author) is able to obtain the original Secret from the SealedSecret.
```
# create a secret
$ echo 'super secret message' > secretmessage.txt
$ oc create secret generic secret-message --from-file secretmessage.txt
secret/secret-message created
# export the secret and then delete it. We do this so we don't have to write the yaml ourselves
$ oc get secret/secret-message -o yaml > secret-message.yaml
$ oc delete secret/secret-message
secret "secret-message" deleted
# now seal the exported secret and create it inside of the cluster
$ kubeseal --controller-name sealed-secrets-controller --controller-namespace sealed-secrets --scope strict < secret-message.yaml > sealed-secret-message.json
$ oc create -f sealed-secret-message.json
sealedsecret.bitnami.com/sealed-secret-message created
```
Now we just verify that the sealed secret and the secret managed by the sealed-secret-controller are deployed.
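A guard for the problem described above, as an added example that is not part of the original post: a shell check, suitable for a pre-commit hook, that flags manifests whose kind is a plain Secret (such as the exported `secret-message.yaml`) while letting SealedSecret files through. The function names, patterns and sample manifests are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: keep plain (base64-only) Kubernetes Secrets out of a git repo.

# Patterns matching a manifest whose kind is exactly "Secret":
# YAML at any indent (also inside a List), or JSON. "SealedSecret" does not match.
YAML_SECRET='^[[:space:]-]*kind:[[:space:]]*["'\'']?Secret["'\'']?[[:space:]]*(#.*)?$'
JSON_SECRET='"kind"[[:space:]]*:[[:space:]]*"Secret"'

# is_plain_secret FILE -> exit 0 if FILE contains a plain Secret object
is_plain_secret() {
  grep -Eq -e "$YAML_SECRET" -e "$JSON_SECRET" "$1"
}

# check_manifests FILE... -> names offending files on stderr, exit 1 if any found
check_manifests() {
  local bad=0 f
  for f in "$@"; do
    [ -f "$f" ] || continue
    if is_plain_secret "$f"; then
      echo "plain Secret, seal it before committing: $f" >&2
      bad=1
    fi
  done
  return "$bad"
}

# make_samples DIR -> writes constructed sample manifests for a dry run
make_samples() {
  cat > "$1/secret-message.yaml" <<'EOF'
apiVersion: v1
data:
  secretmessage.txt: c3VwZXIgc2VjcmV0IG1lc3NhZ2UK
kind: Secret
metadata:
  name: secret-message
type: Opaque
EOF
  cat > "$1/sealed-secret-message.json" <<'EOF'
{
  "kind": "SealedSecret",
  "apiVersion": "bitnami.com/v1alpha1",
  "metadata": { "name": "secret-message" },
  "spec": { "encryptedData": { "secretmessage.txt": "CONSTRUCTED-PLACEHOLDER" } }
}
EOF
}

# When called with file arguments (e.g. from a pre-commit hook), check them.
if [ "$#" -gt 0 ]; then check_manifests "$@"; fi
```

The check is textual, so it also catches the intermediate `secret-message.yaml` left on disk by the export step; that file and `secretmessage.txt` should be deleted or git-ignored once the SealedSecret exists.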