
Sealed Secrets

The sealed-secrets controller automatically generates a public/private keypair in each cluster. The public key is used to encrypt (seal) secrets and the private key is used by the controller to decrypt them.

After any new cluster is provisioned, the generated keypair should be backed up externally (e.g. to a shared Vaultwarden/Bitwarden collection). With the keypair backed up, sealed secrets can be decrypted locally or restored to a new cluster in the future.

Back up generated keys

From the sealed-secrets README.md:

kubectl get secret \
    -n sealed-secrets \
    -l sealedsecrets.bitnami.com/sealed-secrets-key \
    -o yaml \
> cluster-sealed-secrets-master.key

Sensitive data!

Be sure to keep this file secure and delete it from your working directory after uploading it to a secure credentials vault for backup.

Do not commit this file to source control.
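A check worth running on the exported file before it goes into the vault: if the command above is run before the controller has generated its keypair, kubectl returns a List with no items, and the "backup" contains nothing to restore. The script below is an added example, not part of the original page; it validates a backup file against two constructed samples (the base64 values are placeholders, not real key material).

```shell
#!/bin/sh
# Verify a sealed-secrets key backup before uploading it to the vault: a backup
# taken before the controller generated its keypair is a List with no items.
# Constructed sample of what the kubectl command above returns for one active
# key; the base64 values are placeholders, not real key material.
SAMPLE_BACKUP='apiVersion: v1
items:
- apiVersion: v1
  kind: Secret
  type: kubernetes.io/tls
  metadata:
    name: sealed-secrets-keyabcde
    namespace: sealed-secrets
    labels:
      sealedsecrets.bitnami.com/sealed-secrets-key: active
  data:
    tls.crt: UExBQ0VIT0xERVI=
    tls.key: UExBQ0VIT0xERVI=
kind: List
metadata: {}'

# Constructed sample of the same command run too early: nothing was captured.
EMPTY_BACKUP='apiVersion: v1
items: []
kind: List
metadata: {}'

# check_backup FILE: succeed only if FILE holds at least one labelled key secret
# and every such secret carries both tls.crt and tls.key.
check_backup() {
  file="$1"
  [ -s "$file" ] || { echo "backup empty or missing: $file" >&2; return 1; }
  grep -q '^kind: List$' "$file" || { echo "not a kubectl List: $file" >&2; return 1; }
  keys=$(grep -c 'sealedsecrets.bitnami.com/sealed-secrets-key:' "$file" || true)
  certs=$(grep -c '^ *tls\.crt:' "$file" || true)
  privs=$(grep -c '^ *tls\.key:' "$file" || true)
  [ "$keys" -ge 1 ] || { echo "no key secrets in $file" >&2; return 1; }
  [ "$certs" -eq "$keys" ] && [ "$privs" -eq "$keys" ] ||
    { echo "key secret missing tls.crt or tls.key: $file" >&2; return 1; }
  echo "$file: $keys key secret(s) present"
}

# Stand-alone demonstration against the two constructed samples.
tmpdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_BACKUP" > "$tmpdir/good.key"
printf '%s\n' "$EMPTY_BACKUP" > "$tmpdir/empty.key"
check_backup "$tmpdir/good.key"
check_backup "$tmpdir/empty.key" || echo "empty backup rejected"
rm -rf "$tmpdir"
```

Run it against the real `cluster-sealed-secrets-master.key` with `check_backup cluster-sealed-secrets-master.key` before uploading the file and deleting the local copy.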

Enable ingress

The sealed-secrets helm chart includes an optional ingress that exposes the cluster's public certificate at a public URL, so that local kubeseal clients can fetch it when sealing secrets.

To enable the ingress, add the following to sealed-secrets/release-values.yaml and deploy the release:

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - sealed-secrets.sandbox.k8s.brigade.cloud
  tls:
    - secretName: sealed-secrets-tls
      hosts:
        - sealed-secrets.sandbox.k8s.brigade.cloud

Once deployed, local kubeseal clients can be pointed at it by setting the SEALED_SECRETS_CERT environment variable to the certificate URL:

export SEALED_SECRETS_CERT=https://sealed-secrets.sandbox.k8s.brigade.cloud/v1/cert.pem