Skip to content

Sealed Secrets

Prerequisites

Configure public certificate

Place the public URL for the target cluster’s sealed secret’s certificate into the SEALED_SECRETS_CERT environment variable:

export SEALED_SECRETS_CERT=https://sealed-secrets.mycluster.k8s.example.net/v1/cert.pem

Encrypt secrets to cluster repository

Create a Kubernetes Secret manifest containing one or more key+value pair, and then use the kubeseal client to encrypt it into a SealedSecret manifest. The target namespace must be provided and will become part of the encryption such that the secret can only be loaded into that namespace. Commit the sealed secret to the cluster’s repository under the path ${project_namespace}.secrets/ where it will be added to the cluster’s deployed manifests:

kubeseal \
    --namespace "my-project" \
    -f my-secret.yaml \
    -w ~/Repositories/my-cluster/my-project.secrets/my-secret.yaml