Sealed Secrets

Create a Secret

Use the following command to create a new secret. Make sure to substitute your own name and namespace.

kubectl create secret generic my-secret-name --from-literal=PASSWORD=p4ssw0rd --namespace=ambimax-staging --output=yaml --dry-run=client > my-secret-name.yaml

You should get a file like this:

apiVersion: <VERSION>
data:
  PASSWORD: cDRzc3cwcmQ=
  <SECRET KEY>: <SECRET VALUE> (base64)
kind: Secret
metadata:
  creationTimestamp: null
  name: <NAME>
  namespace: <NAMESPACE>

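You can add more values manually; just make sure to encode them with base64. Note that base64 is only an encoding, not encryption, so this unsealed file must stay out of version control.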
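A pre-seal check for manually added values, as an added example that is not part of the original page: it encodes a value without the trailing newline that `echo value | base64` would include, and lints the `data:` block of the manifest before it is piped to kubeseal. It assumes GNU coreutils; the function names and the sample keys `API_TOKEN` and `DB_PASSWORD` are made up for illustration.

```shell
# Added example, not from the original page. Assumes GNU coreutils base64.

# Encode a value exactly as given. printf '%s' avoids the trailing newline
# that `echo value | base64` would silently make part of the secret.
b64_value() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Print "KEY VALUE" for each entry of the top-level data: block.
# Only handles the flat layout of the generated manifest shown above.
secret_data_entries() {
  awk '/^data:/ { d = 1; next }
       /^[^ ]/  { d = 0 }
       d && NF == 2 { sub(/:$/, "", $1); print $1, $2 }' "$1"
}

# Succeed only if every data value decodes cleanly and does not end in a
# line break; otherwise name the offending keys (never the values).
# A plaintext that happens to be valid base64 cannot be detected this way.
lint_secret_manifest() (
  rc=0
  entries=$(secret_data_entries "$1")
  while read -r key value; do
    if ! printf '%s' "$value" | base64 -d >/dev/null 2>&1; then
      echo "$key: not valid base64"; rc=1; continue
    fi
    last=$(printf '%s' "$value" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    case "$last" in
      0a|0d) echo "$key: decoded value ends with a line break"; rc=1 ;;
    esac
  done <<EOF
$entries
EOF
  [ "$rc" -eq 0 ]
)

# Constructed sample manifest: one good value and two typical mistakes.
demo_manifest=$(mktemp)
cat > "$demo_manifest" <<EOF
apiVersion: v1
data:
  PASSWORD: $(b64_value 'p4ssw0rd')
  API_TOKEN: $(echo 'constructed-token' | base64)
  DB_PASSWORD: not-encoded!
kind: Secret
metadata:
  name: my-secret-name
  namespace: ambimax-staging
EOF
lint_secret_manifest "$demo_manifest" || echo "fix the manifest before sealing"
rm -f "$demo_manifest"
```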

To encrypt the secrets, use the kubeseal command:

cat my-secret-name.yaml | kubeseal -o yaml > ./my-sealed-secret-name.yaml

Now you should get a file that looks like this:

kind: SealedSecret
metadata:
  creationTimestamp: null
  name: <NAME>
  namespace: <NAMESPACE>
spec:
  encryptedData:
    PASSWORD: AgCES0rYq2pYpLTDg4bbhpJvTVTFhBxKIJhboSF61u+S+atFBvMk5DcOQ43AdrfKMct3pq0kG9RInLBbaVnAQ+kCuUTXPh4aPP0SmyIuXqXqP0IXV+u7EgpWaeNkWAMZ+xlMUOKo66V6+vqa+AmMOgbZktc7R3AScuAHknE/GUcoDdISaFXJs+2beUnE78iJ/hVBwDkwxf9mUdjbfiOmVyHjYOQfPvAombKBV3QGv/2DWXbP0bRuLeuD6bkxYMh7jITJIvckzzmjW/Hu3qlDb2oZC7CezdPtkl59m4JwBfvglbs/LXlgM06Tcz2Sa1cn9ynPMJUjUHZFYxyOZIH18mm8y79bHD8SYh9yIPq212I0fUblSWCdp9l5WktiUz8HrAp4YBM3jD3Jn6ppof9O8LeRBucQ0Ky89QA4bV+grh3bqkj6V1mOXaMQsitxlFSwXsZLE3ix3X+6iRpT3xqCcE3+A++OLwlIgrazCx+qV8+fstKUo6DeF4nimrAQqRsX3aLXX57K3PKj5SKzQrtGWLGEoikZuCnOA4IZFNeYLc8wKMyenRrNzfNiBYS+lAiKnvhrNVnHVOgn5vmoVzS3/WLa8o+o+Qdi2W0TCvRr1pHdyCQKVRS8Iu28fHcdfv2dLGFeDWT68cPCwyPLDtuPUGQhOqNE8rJhwEFcTHRxAm5ytpMafVo9vm+UPqnDFZHLvG17NL+Bp9k3hA==
    <SECRET KEY>: <ENCRYPTED SECRET VALUE>
  template:
    metadata:
      creationTimestamp: null
      name: <NAME>
      namespace: <NAMESPACE>

Update a Secret

To update a secret, create a new one with exactly the same name and namespace. After sealing it, just copy its encryptedData over into the existing sealed secret file.

To get your new secrets to the container, make sure to sync the secrets app in ArgoCD before restarting the container.