Introduction
Managing sensitive information like API keys, database credentials, and certificates in Kubernetes is a critical security challenge. Kubernetes Secrets, by default, are stored as base64-encoded strings within etcd. While this provides a basic level of obfuscation, it’s not true encryption. Anyone with access to etcd or the ability to read Secrets can easily decode them, leading to significant security vulnerabilities. The same weakness applies to Secret manifests committed to Git repositories, where your Kubernetes manifests often live: a base64-encoded Secret in a repository is effectively plaintext, which poses a serious risk, especially in GitOps workflows.
This is where Sealed Secrets comes to the rescue. Sealed Secrets, a project by Bitnami, provides a robust solution for encrypting your Secrets directly in your Git repository. It allows you to encrypt your sensitive data into a `SealedSecret` object, which is safe to commit to public or private Git repositories. Only the Sealed Secrets controller running in your Kubernetes cluster can decrypt these `SealedSecret` objects back into native Kubernetes `Secret` objects. This ensures that your sensitive data remains encrypted until it reaches its intended destination within your cluster, greatly enhancing your security posture.
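To make the point above concrete, here is an added example (not code from the Sealed Secrets project): a stdlib-only Python check a GitOps repository could run before commit. It rejects plain `Secret` manifests, showing that their `data` values are merely base64 and decode trivially, while accepting `SealedSecret` objects whose `spec.encryptedData` only the cluster controller can decrypt. The sample manifests and the `scan_manifest` helper are constructed for this example.

```python
"""Constructed pre-commit style check: refuse plain Kubernetes Secret manifests,
accept SealedSecret objects. Line-based scanning, no YAML library needed."""
import base64
import re
import sys

# Constructed sample manifests: a plain Secret (unsafe to commit) and a SealedSecret.
PLAIN_SECRET = """\
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
type: Opaque
data:
  password: aHVudGVyMg==
"""

SEALED_SECRET = """\
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-creds
spec:
  encryptedData:
    password: AgB3PLACEHOLDER_CIPHERTEXT
"""

def split_documents(text):
    """Split a multi-document YAML stream on '---' separator lines."""
    return [d for d in re.split(r"(?m)^---\s*$", text) if d.strip()]

def scan_manifest(text):
    """Return findings as (secret_name, key, decoded_value); empty means safe to commit."""
    findings = []
    for doc in split_documents(text):
        kind = re.search(r"(?m)^kind:\s*(\S+)", doc)
        if not kind or kind.group(1) != "Secret":
            continue  # SealedSecret and other kinds carry no plaintext data
        name_m = re.search(r"(?m)^\s+name:\s*(\S+)", doc)
        name = name_m.group(1) if name_m else "<unnamed>"
        # Values under 'data:' are base64, not encrypted: decode them to show what a reader sees.
        block = re.search(r"(?m)^data:\n((?:[ \t]+.*\n?)+)", doc)
        entries = re.findall(r"(?m)^\s+(\S+):\s*(\S+)", block.group(1)) if block else []
        for key, val in entries:
            try:
                decoded = base64.b64decode(val, validate=True).decode()
            except Exception:
                decoded = "<not base64>"
            findings.append((name, key, decoded))
        if re.search(r"(?m)^stringData:", doc):
            findings.append((name, "stringData", "<plaintext block>"))
    return findings

if __name__ == "__main__":
    hits = [h for path in sys.argv[1:] for h in scan_manifest(open(path).read())]
    for name, key, value in hits:
        print(f"REFUSED: Secret/{name} key '{key}' decodes to {value!r}; seal it with kubeseal")
    sys.exit(1 if hits else 0)
```

Running the script against a manifest directory exits non-zero whenever a plain Secret is present, which is what a pre-commit hook or CI gate needs.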
TL;DR: Encrypt Kubernetes Secrets in Git with Sealed Secrets
Sealed Secrets allows you to safely store encrypted Kubernetes Secrets in Git. A controller in your cluster decrypts them at runtime. This guide covers installation, encryption, deployment, and best practices.
Key Commands:
- Install Sealed Secrets Controller:

```bash
kubectl apply -f https://github.com/bitnami/sealed-secrets/releases/download/v0.22.0/controller.yaml
```

- Install `kubeseal` CLI:

```bash
# For macOS with Homebrew
brew install kubeseal

# For Linux (download binary)
wget https://github.com/bitnami/sealed-secrets/releases/download/v0.22.0/kubeseal-0.22.0-linux-amd64.tar.gz
tar -xvzf kubeseal-0.22.0-linux-amd64.tar.gz
sudo install -m 755 kubeseal /usr/local/bin/kubeseal
```