Bitnami Sealed Secrets have a simple, yet not entirely straightforward, lifecycle because of the moving parts involved: the SealedSecret custom resource you commit, the controller that holds the private key and decrypts it, and the Kubernetes Secret the controller produces from it. The sections below walk through creating, renaming, updating and deleting a sealed secret and point out where each of those parts gets in the way.
Create
The plaintext Secret is only ever built on the workstation with `--dry-run=client`, so it is never sent to the API server unencrypted; only the sealed form reaches the cluster.

```shell
# Assuming the sealed-secrets controller was installed with the Helm chart as described in the previous post
❯ kubectl create secret generic db-creds \
    --from-literal=user=adam --from-literal=password=paSSwoRD \
    --dry-run=client -o yaml \
  | kubeseal --controller-namespace=sealed-secrets --controller-name=ss-app-sealed-secrets -o yaml \
  | kubectl apply -f -
sealedsecret.bitnami.com/db-creds created

❯ kubectl get sealedsecrets.bitnami.com
NAME       AGE
db-creds   10s

# The controller also creates a Kubernetes Secret named "db-creds" from the SealedSecret
❯ kubectl get secrets
NAME                  TYPE                                  DATA   AGE
db-creds              Opaque                                2      17s
default-token-j8wnt   kubernetes.io/service-account-token   3      6h11m
```
Rename
Under normal circumstances, renaming a SealedSecret breaks decryption: in the default `strict` scope the Secret's name and namespace are bound into the ciphertext, so the controller will only unseal it into a Secret with exactly the original name and namespace.

```shell
❯ kubectl create secret generic db-creds-alpha \
    --from-literal=user=adam --from-literal=password=paSSwoRD \
    --dry-run=client -o yaml \
  | kubeseal --controller-namespace=sealed-secrets --controller-name=ss-app-sealed-secrets -o yaml \
  | kubectl apply -f -
sealedsecret.bitnami.com/db-creds-alpha created

❯ kubectl get sealedsecrets.bitnami.com
NAME             AGE
db-creds-alpha   84s

# try editing the name from "db-creds-alpha" to "db-creds-beta"
❯ kubectl edit sealedsecrets.bitnami.com/db-creds-alpha
A copy of your changes has been stored to "/var/folders/1w/9brxn3wn27b3xgk2t7hj5ns40000gn/T/kubectl-edit-1525276124.yaml"
error: At least one of apiVersion, kind and name was changed
```

Note that the error above comes from kubectl itself, which refuses to change a resource's name in place for any kind of object. Applying a copy of the manifest under the new name would get past kubectl, but in strict scope the controller would then fail to unseal it, because the name bound into the ciphertext no longer matches the object's name.
For a SealedSecret to be renameable it has to be sealed with a wider scope: `--scope=namespace-wide` binds the ciphertext to the namespace only, so the name can change as long as the namespace stays the same, and `--scope=cluster-wide` binds it to nothing, so both name and namespace can change. The trade-off is security: with a wider scope, anyone who can create a SealedSecret in that namespace (namespace-wide) or in any namespace (cluster-wide) can have the controller decrypt the same ciphertext into a Secret they control and can read. Keep the default strict scope unless a rename or move is actually required.

```shell
# seal with namespace-wide scope; the sealed manifest is also saved to a file so it can be edited
❯ kubectl create secret generic db-creds-alpha \
    --from-literal=user=adam --from-literal=password=paSSwoRD \
    --dry-run=client -o yaml \
  | kubeseal --controller-namespace=sealed-secrets --controller-name=ss-app-sealed-secrets \
      --scope=namespace-wide -o yaml \
  | tee /tmp/ss.yaml \
  | kubectl apply -f -
sealedsecret.bitnami.com/db-creds-alpha created

# edit metadata.name from "db-creds-alpha" to "db-creds-beta" in the saved manifest
❯ vi /tmp/ss.yaml

# apply and verify (k is an alias for kubectl)
❯ k apply -f /tmp/ss.yaml
sealedsecret.bitnami.com/db-creds-beta created

# the renamed copy is a new SealedSecret; the original stays until it is deleted
❯ k get sealedsecrets.bitnami.com
NAME             AGE
db-creds-alpha   3m4s
db-creds-beta    7s
```
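To make the scoping rule concrete, here is an added example that is not part of the original post or of the sealed-secrets project: a POSIX shell script that reads a SealedSecret manifest offline, derives its scope from the annotations kubeseal writes, and reports whether a proposed rename or namespace move would still unseal. It encodes the controller's binding rule (strict binds `namespace/name`, namespace-wide binds `namespace`, cluster-wide binds nothing) and goes beyond the post by also covering the cluster-wide case and namespace moves. The three manifests are constructed samples with placeholder ciphertext, and the function names (`ss_meta`, `ss_scope`, `ss_label`, `ss_rename_ok`, `ss_report`) are my own.

```shell
#!/bin/sh
# Added example (not from the original post or the sealed-secrets project).
# Inspects a SealedSecret manifest offline and predicts whether a rename or a
# namespace move would still unseal, using the controller's binding rule:
#   strict (default) -> ciphertext bound to "<namespace>/<name>"
#   namespace-wide   -> bound to "<namespace>"  (name may change)
#   cluster-wide     -> bound to nothing        (name and namespace may change)
# Needs only POSIX sh and awk; no cluster access.

# Constructed sample manifests shaped like `kubeseal -o yaml` output
# (spec.template omitted). encryptedData values are placeholders, not ciphertext.
STRICT_SS='apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-creds
  namespace: default
spec:
  encryptedData:
    password: AgBplaceholderCiphertext1
    user: AgBplaceholderCiphertext2'

NSWIDE_SS='apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"
  name: db-creds-alpha
  namespace: default
spec:
  encryptedData:
    password: AgBplaceholderCiphertext3
    user: AgBplaceholderCiphertext4'

CLUSTER_SS='apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  annotations:
    sealedsecrets.bitnami.com/cluster-wide: "true"
  name: shared-creds
  namespace: default
spec:
  encryptedData:
    token: AgBplaceholderCiphertext5'

# Value of a key directly under the top-level metadata block (name, namespace
# or an annotation key), with quotes stripped. Only the top-level metadata
# takes part in the binding, so deeper blocks are ignored.
ss_meta() {
  printf '%s\n' "$1" | awk -v k="$2:" '
    /^[^ ]/ { top = $1 }
    top == "metadata:" && $1 == k { gsub(/"/, "", $2); print $2; exit }'
}

# Scope the manifest was sealed with; cluster-wide takes precedence over
# namespace-wide, and no annotation means strict.
ss_scope() {
  if [ "$(ss_meta "$1" sealedsecrets.bitnami.com/cluster-wide)" = true ]; then
    echo cluster-wide
  elif [ "$(ss_meta "$1" sealedsecrets.bitnami.com/namespace-wide)" = true ]; then
    echo namespace-wide
  else
    echo strict
  fi
}

# Identity the controller bound into the ciphertext. If it changes, unsealing fails.
ss_label() {
  case $(ss_scope "$1") in
    strict)         echo "$(ss_meta "$1" namespace)/$(ss_meta "$1" name)" ;;
    namespace-wide) ss_meta "$1" namespace ;;
    cluster-wide)   echo "" ;;
  esac
}

# Exit 0 if the manifest would still unseal with metadata.name=$2 and
# metadata.namespace=$3 (default: unchanged); exit 1 if the binding changes.
ss_rename_ok() {
  ns=${3:-$(ss_meta "$1" namespace)}
  new=$(printf '%s\n' "$1" | awk -v n="$2" -v ns="$ns" '
    /^[^ ]/ { top = $1 }
    top == "metadata:" && $1 == "name:"      { $0 = "  name: " n }
    top == "metadata:" && $1 == "namespace:" { $0 = "  namespace: " ns }
    { print }')
  [ "$(ss_label "$1")" = "$(ss_label "$new")" ]
}

# Report, for each sample, its scope and binding and whether renaming it (same
# namespace) or moving it to namespace "other" would still unseal.
ss_report() {
  for m in "$STRICT_SS" "$NSWIDE_SS" "$CLUSTER_SS"; do
    printf '%s (%s) bound to "%s": ' \
      "$(ss_meta "$m" name)" "$(ss_scope "$m")" "$(ss_label "$m")"
    if ss_rename_ok "$m" renamed; then printf 'rename ok'; else printf 'rename breaks'; fi
    if ss_rename_ok "$m" renamed other; then echo ', move ok'; else echo ', move breaks'; fi
  done
}

ss_report
```

Running it prints one line per sample: the strict one breaks on both rename and move, the namespace-wide one survives the rename but breaks on the move, and the cluster-wide one survives both. Run `ss_rename_ok` over a manifest before editing its name in Git, or use `ss_scope` in a pre-commit hook to reject cluster-wide sealed secrets that nobody intended to share across namespaces.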
Update
The `--merge-into` flag seals a new entry and merges it into an existing SealedSecret manifest, so a single key can be added or rotated without re-sealing the others. The new entry is sealed for the existing SealedSecret's name and namespace (the throwaway name `mysecret` is discarded), which is why it unseals alongside the entries that were already there.

```shell
# assume the db-creds SealedSecret manifest has been saved to sealed-secret.yaml
❯ echo -n adminDatabase \
  | kubectl create secret generic mysecret --dry-run=client --from-file=db_name=/dev/stdin -o yaml \
  | kubeseal --controller-namespace=sealed-secrets --controller-name=ss-app-sealed-secrets \
      --merge-into sealed-secret.yaml

❯ kubectl apply -f sealed-secret.yaml
sealedsecret.bitnami.com/db-creds configured

# verify the controller re-unsealed the Secret with the new key (k is an alias for kubectl)
❯ k get secret db-creds -o json | jq ".data | map_values(@base64d)"
{
  "db_name": "adminDatabase",
  "password": "paSSwoRD",
  "user": "adam"
}
```
Delete
Deleting the SealedSecret also removes the Kubernetes Secret it produced: the controller sets an ownerReference on the Secret pointing at the SealedSecret, so Kubernetes garbage collection deletes it along with its owner. Deleting only the Secret does not get rid of the credentials, since the controller recreates it from the SealedSecret on the next reconcile.

```shell
❯ kubectl delete sealedsecrets.bitnami.com db-creds
sealedsecret.bitnami.com "db-creds" deleted
# Note: this also deletes the Kubernetes Secret named "db-creds"
```