The cluster has a sealed-secrets controller. SealedSecrets are encrypted and safe to store in git: use kubeseal to generate SealedSecret yaml files from ordinary Secret manifests, and the controller decrypts them in-cluster and creates the corresponding Secret objects. Only the controller holds the private key, so nobody but the controller can read a SealedSecret, not even the person who sealed it.
Benefits of this approach are:
- improved disaster recovery, as secrets are recovered from the git repo (together with the controller's private key, see below)
- devs can update and add secrets without needing access to the cluster, since sealing only needs the public cert
This approach doesn't let us share secrets with devs: sealing is one-way, and a dev who sealed a value cannot read it back later. Such a scenario is probably better served with Vault.
- install the kubeseal client from the GitHub Releases page
- use kubeseal-public.pem to encrypt a secret (see docs)
- see the k8s docs for ways to create a Secret through the cli
- see the k8s docs for ways to create a Secret through config yaml files
- commit only the SealedSecret output, never the plain Secret yaml it was generated from
kubeseal \
--cert ./kubeseal-public.pem \
--format=yaml <your-secret.yaml > your-secret-as-a-sealedsecret.yaml
NOTE: You can't change the name or namespace field of a SealedSecret yaml file after it has been created, as these values are bound into the encryption (kubeseal's default strict scope). If you change them, decryption will fail and the controller will not create the Secret; reseal from the original Secret manifest instead. kubeseal's --scope namespace-wide and --scope cluster-wide options relax this (the name, or name and namespace, may then change), at the cost of letting anyone who can create SealedSecrets in that namespace (or cluster) reuse the ciphertext under another name.
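The sealing workflow above, as an added example (not code from the original page or from the sealed-secrets project): render the Secret manifest locally, seal it with kubeseal, delete the plaintext manifest and refuse to hand back a file that is not a clean SealedSecret. The cert path ./kubeseal-public.pem and the namespace infra are taken from the page; the secret name, the values and the helper names are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original page or the sealed-secrets project.
# Assumed: cert at ./kubeseal-public.pem and namespace "infra" (from the page);
# secret names/values below are constructed for illustration.
set -eu

# render_secret <name> <namespace> key=value...
# Emits a plain v1 Secret manifest with base64-encoded data, the same shape
# "kubectl create secret generic ... --dry-run=client -o yaml" produces.
render_secret() {
  name="$1"; ns="$2"; shift 2
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' "$name" "$ns"
  for kv in "$@"; do
    printf '  %s: %s\n' "${kv%%=*}" "$(printf '%s' "${kv#*=}" | base64 | tr -d '\n')"
  done
}

# seal_secret <cert> <secret.yaml> <out.yaml> [scope]
# scope: strict (default) binds the ciphertext to name+namespace, so neither
# may be edited afterwards; namespace-wide allows renaming within the
# namespace; cluster-wide allows changing both. Relaxed scopes let anyone
# who can create SealedSecrets in that namespace (or cluster) reuse the blob.
seal_secret() {
  kubeseal --cert "$1" --format=yaml --scope "${4:-strict}" < "$2" > "$3"
}

# safe_for_git <file> key=value...
# Returns 0 only if the file is a SealedSecret and contains none of the given
# values, in plain or base64 form. Catches committing the unsealed manifest
# by mistake, or a half-edited file that still carries a plaintext value.
safe_for_git() {
  f="$1"; shift
  grep -q '^kind: SealedSecret$' "$f" || return 1
  for kv in "$@"; do
    v="${kv#*=}"
    grep -qF -- "$v" "$f" && return 1
    grep -qF -- "$(printf '%s' "$v" | base64 | tr -d '\n')" "$f" && return 1
  done
  return 0
}

# seal_from_args <cert> <name> <namespace> key=value...
# Example: seal_from_args ./kubeseal-public.pem db-creds infra password=hunter2
# Prints the path of the SealedSecret file that is safe to commit.
seal_from_args() {
  cert="$1"; name="$2"; ns="$3"; shift 3
  plain="$name.secret.yaml"; sealed="$name.sealedsecret.yaml"
  render_secret "$name" "$ns" "$@" > "$plain"
  seal_secret "$cert" "$plain" "$sealed"
  rm -f "$plain"   # the plaintext manifest must never reach git
  if ! safe_for_git "$sealed" "$@"; then
    rm -f "$sealed"
    echo "refusing: $sealed is not a clean SealedSecret" >&2
    return 1
  fi
  echo "$sealed"
}
```

The plaintext manifest only ever exists as a temporary file next to the sealed one; if you prefer, pipe render_secret straight into kubeseal and skip the file entirely. safe_for_git is a last-line check, not a substitute for reviewing what you commit: very short values can match spuriously, in which case it errs on the side of refusing.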
The master/private key is backed up in it-admin. Note that the controller generates a new sealing key periodically (every 30 days by default) and keeps the old ones, since a SealedSecret can only be decrypted by the key it was sealed with; the backup must therefore contain every key, and must be refreshed after each rotation.
The recovery process is to replace the auto-generated private key with the key from backup and restart the controller (it only reads its keys at start-up):
kubectl replace -n infra -f sealed-secrets-key.yaml
kubectl delete pod -n infra -l app=sealed-secrets
Newer controller versions name each key secret sealed-secrets-key<suffix> and label it sealedsecrets.bitnami.com/sealed-secrets-key=active; with those, back up and restore every secret carrying that label, not only one named sealed-secrets-key.
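The backup and recovery procedure, as an added example (not code from the original page or from the sealed-secrets project). The namespace infra and the pod label app=sealed-secrets are from the page; the key label is the one current controller versions put on their key secrets; the helper names, the env var and the wait timeout are assumptions. The sanitize step drops the server-generated fields that would make the API server reject recreating the secret in a rebuilt cluster, and the verify step refuses to apply anything that is not a usable sealing key.

```shell
#!/bin/sh
# Added example, not code from the original page or the sealed-secrets project.
# Assumed: controller namespace "infra" and pod label app=sealed-secrets (from
# the page); key-secret label as used by current controller versions.
set -eu

NS="${SEALED_SECRETS_NS:-infra}"
KEY_LABEL="sealedsecrets.bitnami.com/sealed-secrets-key"

# sanitize_manifest (stdin -> stdout)
# Drops server-generated metadata so the dump can be recreated elsewhere;
# a create with resourceVersion set is rejected by the API server.
sanitize_manifest() {
  sed '/^ *resourceVersion:/d; /^ *uid:/d; /^ *creationTimestamp:/d'
}

# backup_key <out-file>
# Dumps every key secret: the controller rotates keys and keeps the old ones,
# and a SealedSecret is only recoverable with the key that sealed it.
backup_key() {
  kubectl get secret -n "$NS" -l "$KEY_LABEL" -o yaml | sanitize_manifest > "$1"
  chmod 600 "$1"   # this file decrypts every SealedSecret in the cluster
}

# verify_key_backup <file>
# A usable backup is a kubernetes.io/tls Secret carrying both tls.crt and
# tls.key in the controller's namespace. Returns 1 otherwise, so a wrong
# file (for example a dump of only the public cert) is never applied.
verify_key_backup() {
  f="$1"
  grep -q '^ *type: kubernetes.io/tls$' "$f" || return 1
  grep -q '^ *tls\.crt: ' "$f" || return 1
  grep -q '^ *tls\.key: ' "$f" || return 1
  grep -q "^ *namespace: $NS\$" "$f" || return 1
  return 0
}

# restore_key <backup-file>
# Applies the backed-up key(s) and restarts the controller, which only loads
# its keys at start-up.
restore_key() {
  verify_key_backup "$1" || { echo "refusing to restore: $1 is not a sealing-key backup" >&2; return 1; }
  kubectl apply -n "$NS" -f "$1"
  kubectl delete pod -n "$NS" -l app=sealed-secrets
  kubectl wait --for=condition=Ready pod -n "$NS" -l app=sealed-secrets --timeout=120s
}
```

Run backup_key after every key rotation and store the result where the page says (it-admin), with the same access controls you would give the cluster itself: whoever holds this file can decrypt every SealedSecret in git.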