kubeseal을 이용한 secret 암호화.
- sealed-secrets repo 설치
helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets- SealedSecret 설치
helm install sealed-secrets sealed-secrets/sealed-secrets -n kube-system-
secret 준비
apiVersion: v1 kind: Secret metadata: name: database-secret namespace: myspace stringData: DB_USER: "postgres" DB_PASSWORD: "postgres123" -
sealed-secrets 진행
cat input-secret.yaml | kubeseal --controller-name=sealed-secrets -oyaml > output-sealedsecret.yaml--controller-name=sealed-secrets: sealed-secrets를 명시적으로 지정해줘야 키를 불러와 암호화 가능, default = sealed-secrets-controller
-
결과확인
--- apiVersion: bitnami.com/v1alpha1 kind: SealedSecret metadata: creationTimestamp: null name: database-secret namespace: myspace spec: encryptedData: DB_PASSWORD: AgCTviu9RuN7h0QzQzU1n/jre2f5QSJSETZvyGyqHlZkbh+GUEUUpffWLm68rlVmVtYqmcBktxcj3cNLKf+sJJbescJDfacpld1S7juXGzrxuuwV1nrZVKdKpzXjPfU4I6xRmUufwp+ODJzyoI6knPsmCRCUH2ufvFLkavFLVqXZXG70ln3U0Ceq+VLf3qo97Ekm//HpUdmBJUvDJYpQ2bgBUbaXbdKa6jU3G9nzXMMDZJcOABAOn4TIgtaHgISvZa/dec69RZNqGmyrcsKStXQpC6oXbh4WAqVPn+p0Z7yI0atft75AXE76P+L9TV8BpP9nfvI6Y+BNdo2XkoDEZl7MJUFcNX/stmIG05uGBrPBDT81thUsc0iNsShUvCl4Jkw09f7vF4Iod7XFSvT3S92RIX4sS1JEPM3Yn1XgUG4fP131jEI1ttmoru1JDNdWhblaZve/oOYO+eazkohVokoxwKMhaqEk7jHZa/qTNjIiDvEVhWnSBogj06HcWJ+cvKssn+yvTmhjnR7bYb8L8rfs0aBJCCO0GEeAQ+DiQMg/crTlDiuCRmegpu/eIv09ah+sqoOz1ZerdMrhBWAyZpgFOJo83GoVq3Xs0wufrwR6GkDaqpCbDLxlR9k+MT6hYezT05AM1xn147ZyG9tNS2HPz1uP+eqRbnQSlDx2bUNKbqbMFQM4e/pwbSy+JvHRfg59aQJEXrtx7KkI DB_USER: AgALsb0scjpyXoordCJoxUNrOpsuf8pyXdBhq2wX9LMYbiqm/dFzqnWfP/rOPpoYXrCwM4mHYrfwn+1tcmxXsF9P7FfawKYsOF4f8yJTJZmq5HiJDPDwT5LdwG+5IuWotdQvQGBTNTveA+gjXDgy30LRtxVtiDpnuEW+0PV5An5MnFB06S+nY+2gNN7qpR0exTBy+XXaoX9thdssD3FjbEIrLdtLpgvsQ/GLwnqoz6wn7qVkpK42Hz63HzHxcjSlIetjx+vllHu3s10ELtXbmkSxs1EgOF5+xqbJbimQhudc/aGEpWlQJUXz0LpJvXYF+1RKkyd1aepu1JNHZO4CcdyGhUHmEGxeEcr3+P5hCGWPe4aRUl3PnKZZrPrWmHCta3lKQS49bdCjAZ0aiENFuRP71vIrIWMauRnD36ug7B1T2l1mT1lvtLcHugKPkpQz1OX7UNpBn6Xl6Y6AJtyr7YKB5rtTNyjkDarXVlpRcKpIRmgrONfhoVpPKtsJwn7iLpc21ZpTBuqvAPakzhku74SPmU3G6rpIstgzaF5t8kIoTRve9/meTrwAFyzDI2++MPgEmISDdM6z1yEEovPwZr4gLFKs/hJez2nS/CHXwc3uexMBMBlnZI21xlZm37n+ApSLNNDLlKPO5Pl5L5xmy1asaxTz1qM/CMv/avUd/YwG7xyZtXSoPLE1IXHgdXvjk8AExhWivSbiJA== template: metadata: creationTimestamp: null name: database-secret namespace: myspace
로컬에서 서버의 kubeseal 퍼블릭키 로 seal 진행
-
운영 체제에 맞는 kubeseal 설치
# in MAC brew install kubeseal -
서버 seal controller 의 퍼블릭 키 가져오기
kubeseal --fetch-cert > mycert.pem
-
로컬에서 해당 퍼블릭 키로 명령어 진행
cat input-secret.yaml | kubeseal --cert sealed-secret.pem -oyaml > output-sealedsecret.yaml
가끔 기록하는 velog