Recovering the public key used by the controller
❯ kubeseal \
--controller-name=ss-app-sealed-secrets \
--controller-namespace=sealed-secrets \
--fetch-cert > publickey.pem
Recovering the private key
❯ kubectl get secrets acme-keys -n sealed-secrets -o json | jq ".data | map_values(@base64d)"
{
"tls.crt": "-----BEGIN CERTIFICATE-----\nMIIE3DCCAsQCCQCgdNszn/dUUTANBgkqhkiG9w0BAQsFADAwMRYwFA...\n-----END CERTIFICATE-----\n",
"tls.key": "-----BEGIN PRIVATE KEY-----\nMIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDAFYgUZStmW6Zo\n...\n-----END PRIVATE KEY-----\n"
}
Re-encrypting sealed-secret files when keys change (rotated)
❯ kubeseal --controller-name=ss-app-sealed-secrets --controller-namespace=sealed-secrets --re-encrypt -o yaml < ss.yaml > new-ss.yaml
Useful annotations
- sealedsecrets.bitnami.com/managed: "true"
  makes a Kubernetes secret managed by the Bitnami Sealed Secrets controller
- sealedsecrets.bitnami.com/namespace-wide: "true"
  sets the scope to namespace-wide
- sealedsecrets.bitnami.com/cluster-wide: "true"
  sets the scope to cluster-wide
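The two scope annotations loosen the default (strict) binding of a sealed secret to its name and namespace, so it is worth knowing which manifests in a repository carry them. The script below is an added example, not code from the original post or the Sealed Secrets project: it reports the scope of each SealedSecret manifest in a directory, assuming one manifest per file; the function names and sample manifests are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report the scope of each
# SealedSecret manifest in a directory, using the annotations listed above.
# Assumptions: one manifest per file; annotation values written as "true".
PREFIX='sealedsecrets\.bitnami\.com'

# has_true FILE NAME: succeeds if FILE sets <prefix>/NAME to true
has_true() {
    grep -Eq "^[[:space:]]*${PREFIX}/$2:[[:space:]]*[\"']?true[\"']?[[:space:]]*\$" "$1"
}

# scope_of FILE: prints cluster-wide, namespace-wide or strict (the default)
scope_of() {
    if has_true "$1" cluster-wide; then echo cluster-wide
    elif has_true "$1" namespace-wide; then echo namespace-wide
    else echo strict
    fi
}

# audit_scopes DIR: prints "scope<TAB>file" per SealedSecret manifest;
# returns 1 if any manifest is wider than strict, so it can gate a CI job
audit_scopes() {
    rc=0
    for f in "$1"/*.yaml "$1"/*.yml; do
        [ -f "$f" ] || continue
        grep -Eq '^kind:[[:space:]]*SealedSecret[[:space:]]*$' "$f" || continue
        s=$(scope_of "$f")
        printf '%s\t%s\n' "$s" "$f"
        [ "$s" = strict ] || rc=1
    done
    return "$rc"
}

# write_samples DIR: constructed manifests (metadata only) for trying the audit
write_samples() {
    hdr='apiVersion: bitnami.com/v1alpha1\nkind: SealedSecret\nmetadata:\n  name: demo\n'
    printf "$hdr" > "$1/strict.yaml"
    printf "$hdr"'  annotations:\n    sealedsecrets.bitnami.com/namespace-wide: "true"\n' > "$1/ns.yaml"
    printf "$hdr"'  annotations:\n    sealedsecrets.bitnami.com/cluster-wide: "true"\n' > "$1/cluster.yaml"
    printf 'kind: ConfigMap\nmetadata:\n  name: other\n' > "$1/other.yaml"
}

# Run against a directory given on the command line, e.g. ./audit.sh manifests/
if [ -n "${1:-}" ]; then audit_scopes "$1"; fi
```

When both annotations are present, cluster-wide is reported, matching the order in which the controller evaluates them.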
FAQ