HiveBrain v1.2.0
Get Started
← Back to all entries
snippetbashTip

kubeseal — Client-side utility for encrypting Kubernetes secrets using the Bitnami Sealed Secrets controller. C

Submitted by: @import:tldr-pages··
0
Viewed 0 times
clitldrkubesealcommand-line
commandclientencryptingkubesealcliutilityforside

Problem

How to use the kubeseal command: Client-side utility for encrypting Kubernetes secrets using the Bitnami Sealed Secrets controller. Creates SealedSecret resources that can be safely stored in version control. Requires a controller running in the cluster (e.g., installed via kubectl apply --filename controller.yaml). More information: <https://github.com/bitnami-labs/sealed-secrets>.

Solution

kubeseal — Client-side utility for encrypting Kubernetes secrets using the Bitnami Sealed Secrets controller. Creates SealedSecret resources that can be safely stored in version control. Requires a controller running in the cluster (e.g., installed via kubectl apply --filename controller.yaml). More information: <https://github.com/bitnami-labs/sealed-secrets>.

Encrypt a Kubernetes secret from a YAML file into a SealedSecret (default JSON output):
kubeseal < {{secret.yaml}} > {{sealedsecret.json}}


Encrypt a secret, outputting it in YAML or JSON format, using a bearer token for API authentication:
kubeseal < {{secret.yaml}} {{[-o|--format]}} {{yaml|json}} --token {{my-bearer-token}} > {{sealedsecret.yaml}}


Seal a secret using a specific controller namespace of sealed-secrets controller and name:
kubeseal < {{secret.yaml}} --controller-namespace {{controller-namespace}} --controller-name {{controller-name}} > {{sealedsecret.yaml}}


Encrypt a raw secret value from a file with a specified name and scope:
kubeseal --raw --from-file {{path/to/secret.txt}} --name {{my-secret}} --scope {{strict|namespace-wide|cluster-wide}} > {{sealedsecret.yaml}}


Fetch the controller's public certificate for offline sealing with basic auth:
kubeseal --fetch-cert --username {{username}} --password {{password}} > {{cert.pem}}


Seal a secret offline using a fetched certificate:
kubeseal < {{secret.yaml}} --cert {{cert.pem}} > {{sealedsecret.yaml}}


Merge a secret into an existing SealedSecret file in-place:
kubeseal < {{secret.yaml}} --merge-into {{sealedsecret.yaml}}


Validate a SealedSecret without applying it:
kubeseal < {{sealedsecret.yaml}} --validate

Code Snippets

Encrypt a Kubernetes secret from a YAML file into a SealedSecret (default JSON output)

kubeseal < {{secret.yaml}} > {{sealedsecret.json}}

Encrypt a secret, outputting it in YAML or JSON format, using a bearer token for API authentication

kubeseal < {{secret.yaml}} {{[-o|--format]}} {{yaml|json}} --token {{my-bearer-token}} > {{sealedsecret.yaml}}

Seal a secret using a specific controller namespace of sealed-secrets controller and name

kubeseal < {{secret.yaml}} --controller-namespace {{controller-namespace}} --controller-name {{controller-name}} > {{sealedsecret.yaml}}

Encrypt a raw secret value from a file with a specified name and scope

kubeseal --raw --from-file {{path/to/secret.txt}} --name {{my-secret}} --scope {{strict|namespace-wide|cluster-wide}} > {{sealedsecret.yaml}}

Fetch the controller's public certificate for offline sealing with basic auth

kubeseal --fetch-cert --username {{username}} --password {{password}} > {{cert.pem}}

Context

tldr-pages: common/kubeseal

Revisions (0)

No revisions yet.