Aller au contenu

Applying Sealed Secret in Kubernetes Cluster⚓︎

Learn to encrypt a Kubernetes Secret with Bitnami’s Sealed Secrets and apply it to your cluster while ensuring sensitive data remains secure.

In this guide, you’ll learn how to encrypt a Kubernetes Secret manifest with Bitnami’s Sealed Secrets, apply it to your cluster, and verify that it’s been decrypted back into a standard Secret. This workflow ensures sensitive data remains encrypted at rest and in version control.

Prerequisites⚓︎

  • A running Kubernetes cluster
  • kubeseal CLI installed
  • Bitnami Sealed Secrets controller deployed in the kube-system namespace
  • sealed-secret.yaml containing your Secret definition

1. Encrypt and Apply the SealedSecret⚓︎

First, seal (encrypt) your sealed-secret.yaml and then apply it:

kubeseal \
  --controller-name my-release-sealed-secrets \
  --controller-namespace kube-system \
  --format yaml \
  < sealed-secret.yaml \
  | tee sealed-secret.yaml

kubectl apply -f sealed-secret.yaml

You should see a confirmation:

sealedsecret.bitnami.com/database configured

Note

Make sure the --controller-name and --controller-namespace match your Sealed Secrets controller deployment.

2. Verify the Decrypted Kubernetes Secret⚓︎

Once the Sealed Secrets operator processes your SealedSecret, it will create a standard Secret. List all Secrets to confirm:

kubectl get secret
NAME TYPE DATA AGE
database Opaque 1 13h
sealed-secrets-keymnn78 kubernetes.io/tls 2 14h

3. Inspect the Secret Manifest⚓︎

To view the full YAML of the decrypted Secret:

kubectl get secret database -o yaml

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
apiVersion: v1
data:
  DB_PASSWORD: cGFzc3dvcmljMw==
kind: Secret
metadata:
  creationTimestamp: "2023-09-13T02:48:08Z"
  name: database
  namespace: default
  ownerReferences:
  - apiVersion: bitnami.com/v1alpha1
    controller: true
    kind: SealedSecret
    name: database
    uid: db083572-67f4-4293-ada7-a9a689bd04ba
  resourceVersion: "1305"
  uid: ad0fc95c-c026-4c62-bfa0-01bf7923f1a2
type: Opaque

4. Decode the Secret Value⚓︎

Retrieve and decode your secret value directly:

kubectl get secret database -o jsonpath="{.data.DB_PASSWORD}" | base64 -d

password123

Note

All data in a Kubernetes Secret is base64-encoded. Use -o jsonpath and base64 -d to decode sensitive values.

5. Monitor the Sealed Secrets Resource⚓︎

You can also inspect the status of your SealedSecret:

kubectl get sealedsecret

NAME      STATUS   SYNCED   AGE
database  True     True     13h

kubectl describe sealedsecret database

Name:         database
Namespace:    default
API Version:  bitnami.com/v1alpha1
Kind:         SealedSecret
Status:
  ObservedGeneration: 1
  Conditions:
  - Type: Synced
    Status: True
...

Ensure STATUS: True and SYNCED: True to confirm the operator successfully decrypted and created the Secret.