Installing Sealed Secrets

This workshop has been deprecated and archived. The new Amazon EKS Workshop is now available at www.eksworkshop.com.

Installing the kubeseal Client

For Linux x86_64 systems, the kubeseal client tool can be installed into /usr/local/bin with the following commands:

wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.18.0/kubeseal-0.18.0-linux-amd64.tar.gz
tar xfz kubeseal-0.18.0-linux-amd64.tar.gz
sudo install -m 755 kubeseal /usr/local/bin/kubeseal

For macOS systems, the client tool is installed with Homebrew as follows:

brew install kubeseal

Installing the Custom Controller and CRD for SealedSecret

Install the SealedSecret CRD, controller and RBAC artifacts on your EKS cluster as follows:

wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.18.0/controller.yaml
kubectl apply -f controller.yaml

Check the status of the controller pod.

kubectl get pods -n kube-system | grep sealed-secrets-controller

Output:

sealed-secrets-controller-7bdbc75d47-5wxvf   1/1     Running   0          60s

The logs printed by the controller reveal the name of the Secret that it created in its own namespace, kube-system, which contains the private key pair used by the controller to unseal SealedSecrets deployed to the cluster. Note that the name of the controller pod will be different in your cluster, so substitute the pod name reported by the previous command.

kubectl logs sealed-secrets-controller-84fcdcd5fd-9qb5j -n kube-system

Output:

controller version: v0.16.0
2021/07/14 21:26:59 Starting sealed-secrets controller version: v0.16.0
2021/07/14 21:26:59 Searching for existing private keys
2021/07/14 21:27:01 New key written to kube-system/sealed-secrets-keydw62x
2021/07/14 21:27:01 Certificate is
-----BEGIN CERTIFICATE-----
MIIErTCCApWgAwIBAgIQR5dpRFfh++CnGZuOc5bfGjANBgkqhkiG9w0BAQsFADAA
MB4XDTIxMDcxNDIxMjcwMVoXDTMxMDcxMjIxMjcwMVowADCCAiIwDQYJKoZIhvcN
(...)
vqXZrlmfM7ScQRMSnD5QiqaT3I2F2vpZgTyCvto8rcG62lmUAhKqPXqopBRJx+Of
K4MhPVDg6t0YdZFYH6+oKW7OGLR2rp4KBoIYfO/KPZMCYVayNiGPQT6kAr2C/pFu
Lg==
-----END CERTIFICATE-----

2021/07/14 21:27:01 HTTP server serving on :8080
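The startup log above carries two facts an operator wants to keep track of: where the controller stored its key pair, and the public certificate that clients seal against. The following POSIX shell helpers, an added example that is not part of the workshop or of the Sealed Secrets project, pull both out of the log text. SAMPLE_LOG is constructed from the output shown above, with the certificate body shortened to two lines; the functions work the same way on `kubectl logs` output piped in from a real cluster.

```shell
# Added example (not from the workshop): recover the sealing-key Secret name and
# the controller's public certificate from the controller's startup log.
# SAMPLE_LOG is constructed from the workshop's log output, with the certificate
# body shortened to two lines.
SAMPLE_LOG='controller version: v0.16.0
2021/07/14 21:26:59 Starting sealed-secrets controller version: v0.16.0
2021/07/14 21:26:59 Searching for existing private keys
2021/07/14 21:27:01 New key written to kube-system/sealed-secrets-keydw62x
2021/07/14 21:27:01 Certificate is
-----BEGIN CERTIFICATE-----
MIIErTCCApWgAwIBAgIQR5dpRFfh++CnGZuOc5bfGjANBgkqhkiG9w0BAQsFADAA
Lg==
-----END CERTIFICATE-----

2021/07/14 21:27:01 HTTP server serving on :8080'

# key_secret_ref LOG: print "namespace/name" of the Secret the controller wrote
# its key pair to (taken from the "New key written to" line; first match wins).
key_secret_ref() {
  printf '%s\n' "$1" | sed -n 's/.*New key written to \([^ ]*\).*/\1/p' | head -n 1
}

# key_secret_name LOG: the Secret name alone, without the namespace prefix.
key_secret_name() {
  key_secret_ref "$1" | sed 's#.*/##'
}

# controller_cert LOG: print the PEM certificate block the controller logged
# (the public half of the key pair; the private key never appears in the log).
controller_cert() {
  printf '%s\n' "$1" | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# cert_pem_ok PEM: return 0 only if the text starts and ends with the PEM
# certificate markers and has at least one body line between them.
cert_pem_ok() {
  first=$(printf '%s\n' "$1" | head -n 1)
  last=$(printf '%s\n' "$1" | tail -n 1)
  lines=$(printf '%s\n' "$1" | wc -l | tr -d ' ')
  [ "$first" = "-----BEGIN CERTIFICATE-----" ] &&
  [ "$last" = "-----END CERTIFICATE-----" ] &&
  [ "$lines" -ge 3 ]
}

# Stand-alone run: report where the key pair lives and show the certificate.
echo "Sealing key pair stored in Secret: $(key_secret_ref "$SAMPLE_LOG")"
controller_cert "$SAMPLE_LOG"
```

The certificate block that `controller_cert` prints is the same public key that `kubeseal` fetches from the controller by default; saved to a file, it can be passed to `kubeseal --cert` so secrets can be sealed on a machine that has no access to the cluster. The Secret named by `key_secret_ref` holds the private half and is the one object whose read access decides who can unseal everything in the cluster, so it is the name to watch in RBAC reviews and audit logs.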

As seen from the logs, at startup the controller searches its own namespace for a Secret carrying the label sealedsecrets.bitnami.com/sealed-secrets-key. If it does not find one, it creates a new one in that namespace and prints the public key portion of the key pair, as a PEM certificate, to its logs. View the contents of the Secret which contains the public/private key pair in YAML format as follows:

kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml

Output:

apiVersion: v1
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
items:
- apiVersion: v1
  kind: Secret
  type: kubernetes.io/tls
  metadata:
    creationTimestamp: "2021-07-14T21:27:01Z"
    generateName: sealed-secrets-key
    labels:
      sealedsecrets.bitnami.com/sealed-secrets-key: active
    name: sealed-secrets-keydw62x
    namespace: kube-system
    resourceVersion: "1968"
    uid: 65cb8421-3b2b-4e64-9499-1e61536bdbc4
  data:
    tls.crt: LS0tLS1CRUdJTiBDRVJUSU(...)S0tCg==
    tls.key: LS0tLS1CRUdJTiBSU0EgUF(...)S0tLS0K