The encrypted file can be committed to GitLab; applying it to the cluster creates the SealedSecret resource:
$ k create -f sealed-secret-example.yaml
sealedsecret.bitnami.com/secret-example created
$ k get sealedsecrets.bitnami.com
NAME             AGE
secret-example   6s
After the SealedSecret is created, the Controller decrypts it and generates the corresponding Secret:
$ k get secrets | grep secret-example
secret-example   Opaque   1   2m15s
Inspect the Secret generated by the Controller: its data.secret matches the value in the secret-example.yaml file created above.
Note: SealedSecret and the corresponding secret resource must be in the same namespace.
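As an added example (not from the original post or the Sealed Secrets project), the two checks above as a small Python script: the unsealed Secret sits in the same namespace as its SealedSecret, and its decoded data matches the plaintext that was sealed. The three resources are constructed samples standing in for `kubectl get ... -o json` output, and the encryptedData value is a placeholder rather than real ciphertext.

```python
import base64
import json
import sys

# Constructed samples standing in for `kubectl get ... -o json` output:
# the plaintext Secret that was sealed, the SealedSecret applied to the
# cluster, and the Secret the controller unsealed from it.
ORIGINAL_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "secret-example", "namespace": "default"},
    "type": "Opaque",
    "stringData": {"secret": "s3cr3t-value"},
}
SEALED_SECRET = {
    "apiVersion": "bitnami.com/v1alpha1", "kind": "SealedSecret",
    "metadata": {"name": "secret-example", "namespace": "default"},
    "spec": {"encryptedData": {"secret": "AgB...PLACEHOLDER-CIPHERTEXT"}},
}
GENERATED_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "secret-example", "namespace": "default"},
    "type": "Opaque",
    "data": {"secret": base64.b64encode(b"s3cr3t-value").decode()},
}

def plaintext_of(secret):
    """Map each key of a Secret to its raw bytes, handling both stringData and data."""
    out = {k: v.encode() for k, v in secret.get("stringData", {}).items()}
    for k, v in secret.get("data", {}).items():
        out[k] = base64.b64decode(v)
    return out

def check_unsealed(original, sealed, generated):
    """Return a list of findings; an empty list means the unsealed Secret is consistent."""
    findings = []
    s_meta, g_meta = sealed["metadata"], generated["metadata"]
    # The controller creates the Secret with the SealedSecret's name, in the same namespace.
    if (s_meta["name"], s_meta["namespace"]) != (g_meta["name"], g_meta["namespace"]):
        findings.append("SealedSecret and Secret differ in name or namespace")
    if set(sealed["spec"]["encryptedData"]) != set(generated.get("data", {})):
        findings.append("keys under encryptedData and data differ")
    want, got = plaintext_of(original), plaintext_of(generated)
    for key, value in want.items():
        if got.get(key) != value:
            findings.append(f"value of key {key!r} differs from the original")
    return findings

if __name__ == "__main__":
    # Usage: python check.py original.json sealed.json generated.json (samples above otherwise)
    docs = [ORIGINAL_SECRET, SEALED_SECRET, GENERATED_SECRET]
    if len(sys.argv) == 4:
        docs = [json.load(open(path)) for path in sys.argv[1:]]
    problems = check_unsealed(*docs)
    print("\n".join(problems) or "OK: unsealed Secret matches the original")
```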
② Tips
kubeseal supports the following APIs:
Route          Description
/healthz       Health check route, useful for the readiness and liveness probes and for an external probe (for example with blackbox exporter)
/metrics       Endpoint for Prometheus to retrieve the controller's metrics
/v1/verify     Validates a secret
/v1/rotate     Rotates the secret
/v1/cert.pem   Retrieves the public certificate
In the example above, the Controller generated its own certificate; you can also supply your own certificate, which makes migration and management easier. One point that often causes confusion with KubeSeal: if users can directly mount Secrets from other namespaces, secrets may leak. The project maintainers have explained that this is governed by RBAC, which controls the namespaces and resource types a user can access.