
Creating Sealed Secrets

Sealed Secrets is a Kubernetes controller, written by Bitnami, that lets you keep secrets in your code repositories in encrypted form. The sealed secret manifest is synced automatically from your repository, decrypted in the cluster by the controller, and stored as an ordinary (unencrypted) Kubernetes secret in your tenant namespace.

Kubeseal

Kubeseal is a CLI tool to create sealed secrets. Follow the Kubeseal installation instructions if needed.

Key/Value Pair(s)

  1. Run this command to create a manifest with the unencrypted secret, specifying as many key/value pairs as you need.

    kubectl create secret generic --dry-run=client <secret_name> \
      --from-literal=key1=secret1 \
      --from-literal=key2=secret2 \
      -o yaml > secret.yaml

  2. Run the following command to create the sealed secret manifest, replacing <tier> (dvlp, pprd, prod) and <location> (aws, op) with the proper values and <namespace> with your tenant namespace:

    kubeseal --cert=https://sealed-secrets.<tier>.<location>.itcp.cloud.vt.edu/v1/cert.pem \
      -f secret.yaml -w sealed-secret.yaml --namespace <namespace>

  3. Add the manifest sealed-secret.yaml to your tenant repository. Once synced, the sealed secret will be decrypted and stored as a normal Kubernetes secret.

Image Registry

Image registry credentials use a different Kubernetes secret type. Here's how to create a sealed secret for an image registry credential.

  1. You need to get credentials for the registry you want to access. For GitLab, this can be a Project Access Token or Deploy Key.

  2. Run this command to create a manifest with the unencrypted secret, replacing <secret_name>, <server_url>, <username>, and <password> with your own data. Most VT users will use code.vt.edu:5005 or harbor.platform.it.vt.edu for the server URL.

    kubectl create secret docker-registry --dry-run=client <secret_name> \
      --docker-server=<server_url> \
      --docker-username=<username> \
      --docker-password=<password> -o yaml > registry-secret.yaml

  3. Run the following command to create the sealed secret manifest, replacing <tier> (dvlp, pprd, prod) and <location> (aws, op) with the proper values and <namespace> with your tenant namespace:

    kubeseal --cert=https://sealed-secrets.<tier>.<location>.itcp.cloud.vt.edu/v1/cert.pem \
      -f registry-secret.yaml -w registry-sealed-secret.yaml --namespace <namespace>

  4. Add the manifest registry-sealed-secret.yaml to your tenant repository. Once synced, the sealed secret will be decrypted and stored as a normal Kubernetes secret.
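Both procedures above leave an unencrypted intermediate file (secret.yaml or registry-secret.yaml) next to the sealed manifest, so the usual mistake is committing the wrong one. The following pre-commit guard is an added example, not part of the platform's tooling: it rejects any plain `kind: Secret` manifest, and for a `SealedSecret` checks that the top-level namespace matches the tenant namespace passed to `kubeseal --namespace` (the ciphertext is bound to that namespace by default, so a mismatch will not decrypt). The sample manifests, the `check_manifest` and `write_samples` names, and the `tenant-a` namespace are constructed for this example.

```shell
#!/bin/sh
# Pre-commit guard for sealed-secret workflows (added example, not platform tooling).
# Rejects plain Secrets so secret.yaml / registry-secret.yaml are never committed,
# and checks that a SealedSecret targets the expected tenant namespace.

# check_manifest FILE EXPECTED_NAMESPACE
# returns 0 when FILE may be committed, 1 when it must be rejected
check_manifest() {
  file=$1
  expected_ns=$2
  kind=$(awk '$1 == "kind:" { print $2; exit }' "$file")
  case "$kind" in
    Secret)
      # data:/stringData: in a plain Secret are base64 or plaintext, not encrypted
      echo "REJECT $file: plain Kubernetes Secret; run kubeseal first" >&2
      return 1 ;;
    SealedSecret)
      # top-level metadata.namespace is indented by exactly two spaces in kubeseal
      # output; spec.template.metadata.namespace sits deeper and is skipped
      ns=$(awk '/^  namespace:/ { print $2; exit }' "$file")
      if [ "$ns" != "$expected_ns" ]; then
        echo "REJECT $file: sealed for namespace '$ns', expected '$expected_ns'" >&2
        return 1
      fi
      if ! grep -q '^  encryptedData:' "$file"; then
        echo "REJECT $file: SealedSecret carries no encryptedData" >&2
        return 1
      fi
      return 0 ;;
    *)
      return 0 ;;   # not a secret at all (Deployment, Service, ...)
  esac
}

# Constructed sample manifests for a local run; the ciphertext is a placeholder.
write_samples() {
  dir=$1
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: db\n  namespace: tenant-a\ndata:\n  key1: c2VjcmV0MQ==\n' > "$dir/secret.yaml"
  printf 'apiVersion: bitnami.com/v1alpha1\nkind: SealedSecret\nmetadata:\n  name: db\n  namespace: tenant-a\nspec:\n  encryptedData:\n    key1: AgB-PLACEHOLDER-CIPHERTEXT\n  template:\n    metadata:\n      name: db\n      namespace: tenant-a\n' > "$dir/sealed-secret.yaml"
}

# Usage: sh check_manifests.sh <tenant-namespace> <manifest>...
if [ "$#" -ge 2 ]; then
  ns=$1; shift
  rc=0
  for f in "$@"; do check_manifest "$f" "$ns" || rc=1; done
  exit "$rc"
fi
```

Wire it into a pre-commit hook with the tenant namespace as the first argument and the staged `*.yaml` files after it; a non-zero exit blocks the commit.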