Aller au contenu

Encrypting Secret⚓︎

This guide explains how to use Bitnami Sealed Secrets to encrypt Kubernetes Secret manifests for secure storage in Git repositories.

In this guide, you'll learn how to use the Bitnami Sealed Secrets controller to safely encrypt a Kubernetes Secret manifest. Sealed Secrets allow you to store encrypted secrets in Git repositories without exposing sensitive data.

Prerequisites⚓︎

  • A running Kubernetes cluster
  • kubectl configured to communicate with your cluster
  • Sealed Secrets controller deployed (e.g., via Helm or kubectl apply)
  • kubeseal CLI installed locally

Note

Ensure the kubeseal client version matches your controller version. Mismatched versions can lead to encryption or decryption errors.

Step 1: Prepare Your Secret Manifest⚓︎

Create a file named secret.yaml containing your sensitive data in Kubernetes Secret format:

1
2
3
4
5
6
7
8
apiVersion: v1
kind: Secret
metadata:
  name: database
  namespace: default
type: Opaque
data:
  DB_PASSWORD: cGFzc3dvcmQ=  # base64-encoded string

Step 2: Encrypt the Secret⚓︎

Run the following command to generate a SealedSecret resource from your secret.yaml. The encrypted output is written to sealed-secret.yaml:

kubeseal \
  --controller-name my-release-sealed-secrets \
  --controller-namespace kube-system \
  --format yaml \
  < secret.yaml \
  > sealed-secret.yaml

Flag Reference⚓︎

Flag Description Example
--controller-name Name of the Sealed Secrets controller release my-release-sealed-secrets
--controller-namespace Namespace where the controller is running kube-system
--format Output format (yaml or json) yaml
< secret.yaml Reads your original Kubernetes Secret manifest
> sealed-secret.yaml Writes the encrypted SealedSecret to a new file

Step 3: Review the SealedSecret⚓︎

Open sealed-secret.yaml to verify its contents. It should look similar to this:

1
2
3
4
5
6
7
8
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: database
  namespace: default
spec:
  encryptedData:
    DB_PASSWORD: AgAKG7A3zkILGotJJq+...Tb

The encryptedData field contains the fully encrypted payload. Since this data is encrypted with the controller’s public key, it’s safe to commit to version control.

Warning

Do not include the original secret.yaml in your Git repository. Only commit the generated sealed-secret.yaml.

Next Steps⚓︎

  1. Apply the SealedSecret to your cluster: 
    kubectl apply -f sealed-secret.yaml
  2. Verify that the controller has created the unsealed Secret: 
    kubectl get secret database -n default -o yaml
  3. Reference the Secret in your Deployment or Pod specs as usual.