-
Notifications
You must be signed in to change notification settings - Fork 0
/
045bd6f5.8f7c5c7e.js
1 lines (1 loc) · 6.93 KB
/
045bd6f5.8f7c5c7e.js
1
(window.webpackJsonp=window.webpackJsonp||[]).push([[5],{135:function(e,t,r){"use strict";r.r(t),r.d(t,"frontMatter",(function(){return o})),r.d(t,"metadata",(function(){return l})),r.d(t,"rightToc",(function(){return s})),r.d(t,"default",(function(){return b}));var n=r(2),c=r(9),a=(r(0),r(173)),o={id:"encrypt_secrets",title:"Encrypt Secrets"},l={id:"encrypt_secrets",title:"Encrypt Secrets",description:"!Sealed Secrets",source:"@site/docs/encryption.md",permalink:"/docs/encrypt_secrets",editUrl:"https://github.com/raspbernetes/docs/edit/master/website/docs/encryption.md",sidebar:"someSidebar",previous:{title:"Remote Kubectl Access",permalink:"/docs/remote_kubectl_access"},next:{title:"Boot Raspberry Pi From USB SSD",permalink:"/docs/usb_booting"}},s=[{value:"Prerequisites",id:"prerequisites",children:[{value:"Homebrew",id:"homebrew",children:[]},{value:"Installation from source",id:"installation-from-source",children:[]}]},{value:"Public Key",id:"public-key",children:[]},{value:"Encrypt a Secret",id:"encrypt-a-secret",children:[]}],i={rightToc:s};function b(e){var t=e.components,r=Object(c.a)(e,["components"]);return Object(a.b)("wrapper",Object(n.a)({},i,r,{components:t,mdxType:"MDXLayout"}),Object(a.b)("p",null,Object(a.b)("img",Object(n.a)({parentName:"p"},{src:"https://github.com/raspbernetes/raspbernetes.github.io/raw/master/img/flux-secrets.png",alt:"Sealed Secrets",title:"Sealed Secrets"}))),Object(a.b)("p",null,"Sealed Secrets allows you to encrypt your secrets and safely store them in a ",Object(a.b)("inlineCode",{parentName:"p"},"Git")," repository, regardless of whether it's public or private."),Object(a.b)("h2",{id:"prerequisites"},"Prerequisites"),Object(a.b)("p",null,"You will need to download the ",Object(a.b)("inlineCode",{parentName:"p"},"kubeseal")," CLI ."),Object(a.b)("h3",{id:"homebrew"},"Homebrew"),Object(a.b)("p",null,"The kubeseal client is also available on homebrew:"),Object(a.b)("pre",null,Object(a.b)("code",Object(n.a)({parentName:"pre"},{className:"language-bash"}),"$ brew install kubeseal\n")),Object(a.b)("h3",{id:"installation-from-source"},"Installation from source"),Object(a.b)("p",null,"If you just want the latest client tool, and compile it directly from source code instructions can be found ",Object(a.b)("a",Object(n.a)({parentName:"p"},{href:"https://github.com/bitnami-labs/sealed-secrets/blob/master/README.md#installation-from-source"}),"here")),Object(a.b)("h2",{id:"public-key"},"Public Key"),Object(a.b)("p",null,"To be able to encrypt secrets you need to have access to the public cert that the Sealed Secrets operator has created."),Object(a.b)("p",null,"You can download the public cert using the following command:"),Object(a.b)("pre",null,Object(a.b)("code",Object(n.a)({parentName:"pre"},{className:"language-bash"}),"curl -v -o $HOME/sealed-secret-public-cert.pem https://sealed-secrets.raspbernetes.com/v1/cert.pem\n")),Object(a.b)("p",null,"To simplify using the public cert with the ",Object(a.b)("inlineCode",{parentName:"p"},"kubeseal")," CLI we can make an alias"),Object(a.b)("pre",null,Object(a.b)("code",Object(n.a)({parentName:"pre"},{className:"language-bash"}),"alias kubeseal='kubeseal --cert $HOME/sealed-secret-public-cert.pem --format yaml'\n")),Object(a.b)("p",null," ",Object(a.b)("em",{parentName:"p"},"Note: Default format is json so we change it to yaml, however, if you prefer json then don't add the ",Object(a.b)("inlineCode",{parentName:"em"},"--format")," in your alias")),Object(a.b)("h2",{id:"encrypt-a-secret"},"Encrypt a Secret"),Object(a.b)("blockquote",null,Object(a.b)("p",{parentName:"blockquote"},"This assumes you already have a Kubenetes secret resource that you wish to encrypt into a Sealed Secret and store into source control.")),Object(a.b)("p",null,"Encrypt your Kubernetes secret with the ",Object(a.b)("inlineCode",{parentName:"p"},"kubeseal")," CLI using the following command:"),Object(a.b)("pre",null,Object(a.b)("code",Object(n.a)({parentName:"pre"},{className:"language-bash"}),"$ kubeseal < secret.yaml > secret.encrypted.yaml\n")),Object(a.b)("p",null,"You can now commit ",Object(a.b)("inlineCode",{parentName:"p"},"secret.encrypted.yaml")," into source control, remember to remove the unencrypted secret."),Object(a.b)("p",null,"Once the new encrypted secret is deployed into the Kubernetes cluster the Sealed Secrets operator will decrypt the secret and store it in-cluster as a Kubernetes secret."),Object(a.b)("p",null,"Securing who can view the Kubernetes secrets is part of your defining a RBAC model, and not the role of Sealed Secrets."),Object(a.b)("p",null,Object(a.b)("strong",{parentName:"p"},"IMPORTANT"),": Once a secret is encrypted you cannot change the name or namespace fields of that Sealed Secret, doing so will invalidate the encryption. To change these fields you will need to re-encrypt the secret again."))}b.isMDXComponent=!0},173:function(e,t,r){"use strict";r.d(t,"a",(function(){return p})),r.d(t,"b",(function(){return m}));var n=r(0),c=r.n(n);function a(e,t,r){return t in e?Object.defineProperty(e,t,{value:r,enumerable:!0,configurable:!0,writable:!0}):e[t]=r,e}function o(e,t){var r=Object.keys(e);if(Object.getOwnPropertySymbols){var n=Object.getOwnPropertySymbols(e);t&&(n=n.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),r.push.apply(r,n)}return r}function l(e){for(var t=1;t<arguments.length;t++){var r=null!=arguments[t]?arguments[t]:{};t%2?o(Object(r),!0).forEach((function(t){a(e,t,r[t])})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(r)):o(Object(r)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(r,t))}))}return e}function s(e,t){if(null==e)return{};var r,n,c=function(e,t){if(null==e)return{};var r,n,c={},a=Object.keys(e);for(n=0;n<a.length;n++)r=a[n],t.indexOf(r)>=0||(c[r]=e[r]);return c}(e,t);if(Object.getOwnPropertySymbols){var a=Object.getOwnPropertySymbols(e);for(n=0;n<a.length;n++)r=a[n],t.indexOf(r)>=0||Object.prototype.propertyIsEnumerable.call(e,r)&&(c[r]=e[r])}return c}var i=c.a.createContext({}),b=function(e){var t=c.a.useContext(i),r=t;return e&&(r="function"==typeof e?e(t):l(l({},t),e)),r},p=function(e){var t=b(e.components);return c.a.createElement(i.Provider,{value:t},e.children)},u={inlineCode:"code",wrapper:function(e){var t=e.children;return c.a.createElement(c.a.Fragment,{},t)}},d=c.a.forwardRef((function(e,t){var r=e.components,n=e.mdxType,a=e.originalType,o=e.parentName,i=s(e,["components","mdxType","originalType","parentName"]),p=b(r),d=n,m=p["".concat(o,".").concat(d)]||p[d]||u[d]||a;return r?c.a.createElement(m,l(l({ref:t},i),{},{components:r})):c.a.createElement(m,l({ref:t},i))}));function m(e,t){var r=arguments,n=t&&t.mdxType;if("string"==typeof e||n){var a=r.length,o=new Array(a);o[0]=d;var l={};for(var s in t)hasOwnProperty.call(t,s)&&(l[s]=t[s]);l.originalType=e,l.mdxType="string"==typeof e?e:n,o[1]=l;for(var i=2;i<a;i++)o[i]=r[i];return c.a.createElement.apply(null,o)}return c.a.createElement.apply(null,r)}d.displayName="MDXCreateElement"}}]);