sealed-secrets

Install the Controller

Deploy the project's resources

kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.27.0/controller.yaml

Install the kubeseal binary

Install the currently latest version, 0.27.1

KUBESEAL_VERSION='0.27.1' # Set this to, for example, KUBESEAL_VERSION='0.23.0'
curl -OL "https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION:?}/kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz"
tar -xvzf kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz kubeseal
sudo install -m 755 kubeseal /usr/local/bin/kubeseal

Encrypt an existing Secret

The configuration file of the existing Secret

apiVersion: v1
kind: Secret
metadata:
  name: secret-data
type: Opaque
data:
  username: 'YWRtaW4='
  password: 'MWYyZDFlMmU2N2Rm'

Encrypt the Secret with kubeseal

kubeseal < secret.yaml > sealed-secret.yaml -n doubao

The encrypted sealed-secret.yaml

{
  "kind": "SealedSecret",
  "apiVersion": "bitnami.com/v1alpha1",
  "metadata": {
    "name": "secret-data",
    "namespace": "doubao",
    "creationTimestamp": null
  },
  "spec": {
    "template": {
      "metadata": {
        "name": "secret-data",
        "namespace": "doubao",
        "creationTimestamp": null
      },
      "type": "Opaque"
    },
    "encryptedData": {
      "password": "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",
      "username": "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"
    }
  }
}

Apply it to the cluster

Once it is applied, the SealedSecret manages the original Secret for you; if you want to see the original values, you can look them up in the k8s cluster.

The ciphertext produced by SealedSecret can be committed to git, because both encryption and decryption are performed by the SealedSecret Controller running in the k8s cluster.

root@devops:~/argo# kubeseal < secret.yaml > sealed-secret.yaml -n doubao
root@devops:~/argo# cat sealed-secret.yaml
{
  "kind": "SealedSecret",
  "apiVersion": "bitnami.com/v1alpha1",
  "metadata": {
    "name": "secret-data",
    "namespace": "doubao",
    "creationTimestamp": null
  },
  "spec": {
    "template": {
      "metadata": {
        "name": "secret-data",
        "namespace": "doubao",
        "creationTimestamp": null
      },
      "type": "Opaque"
    },
    "encryptedData": {
      "password": "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",
      "username": "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"
    }
  }
}
root@devops:~/argo# kubectl apply -f sealed-secret.yaml -n doubao
sealedsecret.bitnami.com/secret-data configured
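The paragraph above makes the key point of this workflow: only the sealed form belongs in git, because a plain Secret's data: values are merely base64-encoded. The script below is an added example, not part of the sealed-secrets project; it is a small pre-commit style gate that rejects `kind: Secret` manifests (printing what their values decode to) and allows `kind: SealedSecret`, using two manifests constructed from this page's secret.yaml values and a placeholder ciphertext.

```shell
# Added example (not sealed-secrets project code): a pre-commit gate for the workflow
# above. A plain `kind: Secret` is rejected because its data: values are only base64,
# readable by anyone with repo access; kubeseal's `kind: SealedSecret` JSON passes.
WORKDIR=$(mktemp -d); PLAIN_SECRET="$WORKDIR/secret.yaml"; SEALED_SECRET="$WORKDIR/sealed-secret.yaml"
# Constructed from the page's secret.yaml values.
cat > "$PLAIN_SECRET" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: secret-data
type: Opaque
data:
  username: 'YWRtaW4='
  password: 'MWYyZDFlMmU2N2Rm'
EOF
# Shape of kubeseal's output; the ciphertext values are placeholders, not real blobs.
cat > "$SEALED_SECRET" <<'EOF'
{
  "kind": "SealedSecret",
  "apiVersion": "bitnami.com/v1alpha1",
  "metadata": { "name": "secret-data", "namespace": "doubao" },
  "spec": { "encryptedData": { "password": "AgB...placeholder", "username": "AgB...placeholder" } }
}
EOF

# Resource kind from either YAML (kind: X) or JSON ("kind": "X",).
manifest_kind() {
    sed -n -E 's/^[[:space:]]*"?kind"?:[[:space:]]*"?([A-Za-z]+)"?,?[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Print "key decoded-value" for each entry under a Secret's data: map.
decoded_secret_data() {
    awk '/^data: *$/ { indata = 1; next }
         /^[^ \t]/ { indata = 0 }
         indata && NF >= 2 { key = $1; sub(/:$/, "", key); print key, $2 }' "$1" |
    tr -d "'\"" | while read -r key b64; do
        printf '%s %s\n' "$key" "$(printf '%s' "$b64" | base64 -d)"
    done
}

# 0 = safe to commit; 1 = plain Secret, reported on stderr with its decoded values.
check_manifest() {
    case "$(manifest_kind "$1")" in
        Secret) decoded_secret_data "$1" | sed "s|^|REJECT $1: plain Secret exposes |" >&2; return 1 ;;
        *)      return 0 ;;
    esac
}

check_manifest "$PLAIN_SECRET"  || echo "secret.yaml must not be committed; commit the sealed form"
check_manifest "$SEALED_SECRET" && echo "sealed-secret.yaml is safe to commit"
```

Run it before `git add`: the plain secret.yaml is rejected with `username admin` and `password 1f2d1e2e67df` printed, the same values the pod later shows, while sealed-secret.yaml passes.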

Check the values as referenced in the pod

root@devops:~/k8s# kubectl get po -n doubao
NAME                     READY   STATUS    RESTARTS   AGE
nginx-d56bbf567-s94bw    1/1     Running   0          14h
redis-6b5f9c8866-hdlmc   1/1     Running   0          14h
root@devops:~/k8s# kubectl exec -it -n doubao redis-6b5f9c8866-hdlmc bash -- env|grep -E 'user|pass'
password=1f2d1e2e67df
username=admin
root@devops:~/k8s#