Difficulty: beginner
Estimated Time: 10-15 minutes

https://github.com/bitnami-labs/sealed-secrets


Encrypt your Secret into a SealedSecret


release=$(curl --silent "https://api.github.com/repos/bitnami-labs/sealed-secrets/releases/latest" | sed -n 's/.*"tag_name": *"\([^"]*\)".*/\1/p')

kubectl create -f https://github.com/bitnami-labs/sealed-secrets/releases/download/$release/sealedsecret-crd.yaml

kubectl create -f https://github.com/bitnami-labs/sealed-secrets/releases/download/$release/controller.yaml

GOOS=$(go env GOOS)
GOARCH=$(go env GOARCH)
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/$release/kubeseal-$GOOS-$GOARCH
sudo install -m 755 kubeseal-$GOOS-$GOARCH /usr/local/bin/kubeseal

kubectl create secret generic mysecret --dry-run --from-literal=foo=bar -o json >mysecret.json

kubeseal <mysecret.json >mysealedsecret.json

kubectl create -f mysealedsecret.json

kubectl get secret mysecret

Backup

kubectl get secret -n kube-system sealed-secrets-key -o yaml >master.key

NOTE: This is the controller's public + private key and should be kept omg-safe!

To restore from a backup after some disaster, just put that secret back before starting the controller - or if the controller was already started, replace the newly-created secret and restart the controller:

kubectl replace -n kube-system -f master.key
kubectl delete pod -n kube-system -l name=sealed-secrets-controller
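
Added example, not part of the original walkthrough or the sealed-secrets project: mysecret.json from the sealing step and the master.key backup are both plain Secret objects whose values are only base64-encoded, while mysealedsecret.json is the encrypted form. The script below classifies manifests by kind so plain Secrets can be kept out of version control; the function names and sample file contents are constructed, and it assumes pretty-printed JSON or YAML with a top-level kind line.

```shell
#!/bin/sh
# Added example, not sealed-secrets project code. Function names are hypothetical.

# Print the first "kind" value found in a pretty-printed JSON or YAML manifest.
manifest_kind() {
    sed -n \
        -e 's/^[[:space:]]*"kind"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
        -e 's/^kind:[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        "$1" | head -n 1
}

# Print one verdict per file; return 1 if any file is a plain Secret
# (base64 in a Secret's data is an encoding, not encryption).
check_commit_set() {
    rc=0
    for f in "$@"; do
        case "$(manifest_kind "$f")" in
            Secret)       echo "BLOCK $f: plain Secret"; rc=1 ;;
            SealedSecret) echo "OK    $f: SealedSecret" ;;
            *)            echo "SKIP  $f: not a Secret manifest" ;;
        esac
    done
    return "$rc"
}

# Constructed sample files mirroring the file names used in this walkthrough.
demo_dir=$(mktemp -d)
cat >"$demo_dir/mysecret.json" <<'EOF'
{
    "kind": "Secret",
    "data": { "foo": "YmFy" }
}
EOF
cat >"$demo_dir/mysealedsecret.json" <<'EOF'
{
    "kind": "SealedSecret",
    "spec": { "encryptedData": { "foo": "CONSTRUCTED-PLACEHOLDER-CIPHERTEXT" } }
}
EOF
cat >"$demo_dir/master.key" <<'EOF'
apiVersion: v1
data:
  tls.key: Q09OU1RSVUNURUQ=
kind: Secret
EOF
check_commit_set "$demo_dir"/* || echo "refusing to commit: plain Secret present"
```

Run against the real files, only mysealedsecret.json passes; mysecret.json can be deleted once sealed, and master.key belongs in offline or access-controlled storage.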