Certificates that are used to seal secrets are generated using the following command:
openssl req -x509 -days 365 -nodes -newkey rsa:4096 -keyout "private.key" -out "public.crt" -subj "/CN=sealed-secret/O=sealed-secret"
Encrypting and decrypting larger files is done with a symmetric key, which is generated using the following command:
openssl rand -base64 32 > symmetric.key
More info on how to generate new certificates can be found here:
https://github.com/bitnami-labs/sealed-secrets/blob/main/docs/bring-your-own-certificates.md
kubectl -n "kubeflow-planckster-secrets" create secret tls "bitnami-certificates" --cert="public.crt" --key="private.key"
or if working on a standalone manifest file
kubectl -n "kubeflow-planckster-secrets" create secret tls "bitnami-certificates" --cert="public.crt" --key="private.key" --dry-run=client -o yaml > bitnami-certificates.yaml
kubectl -n "kubeflow-planckster-secrets" label secret "bitnami-certificates" sealedsecrets.bitnami.com/sealed-secrets-key=active
or if working on a standalone manifest file (the label belongs under metadata.labels, and the output must go to a new file: redirecting back to the input file would truncate it before kubectl reads it)
kubectl patch -f bitnami-certificates.yaml -p '{"metadata": {"labels": {"sealedsecrets.bitnami.com/sealed-secrets-key": "active"}}}' --dry-run=client -o yaml > bitnami-certificates-labeled.yaml
Restart the controller so it picks up the newly labeled key:
kubectl -n "kube-system" delete pod -l name=sealed-secrets-controller
Make sure you have access to the private key (private.key) and the public certificate (public.crt).
kubectl create secret generic env-secret -n istio-system --dry-run=client --from-env-file=file.env -o json > env-secret.json
kubeseal --cert public.crt <env-secret.json > env-secret-sealed.json
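A pre-commit sanity check for the last two steps, added here as an example (not part of the sealed-secrets project): it compares the `--dry-run` Secret JSON with the kubeseal output and flags a missing key, a namespace/name mismatch (kubeseal's default strict scope binds the ciphertext to both) or plaintext that survived into the sealed file. Both inputs below are constructed samples; the ciphertext is a placeholder, not real kubeseal output.

```python
import base64
import json

# Constructed sample of what `kubectl create secret generic ... --dry-run=client -o json`
# emits for an env file with one entry (data values are base64 of the plaintext).
PLAIN_SECRET = json.loads("""{
  "apiVersion": "v1", "kind": "Secret",
  "metadata": {"name": "env-secret", "namespace": "istio-system"},
  "data": {"DB_PASSWORD": "aHVudGVyMg=="}
}""")

# Constructed sample of a SealedSecret; the encryptedData value is a placeholder.
SEALED_OK = json.loads("""{
  "apiVersion": "bitnami.com/v1alpha1", "kind": "SealedSecret",
  "metadata": {"name": "env-secret", "namespace": "istio-system"},
  "spec": {"template": {"metadata": {"name": "env-secret", "namespace": "istio-system"}},
           "encryptedData": {"DB_PASSWORD": "AgBPLACEHOLDERCIPHERTEXT"}}
}""")


def check_sealed(plain: dict, sealed: dict) -> list:
    """Return the problems found; an empty list means the sealed file is safe to commit."""
    problems = []
    if sealed.get("kind") != "SealedSecret":
        problems.append("kind is not SealedSecret")
    # Strict scope: the controller only unseals for the namespace/name it was sealed for.
    for field in ("name", "namespace"):
        if plain["metadata"].get(field) != sealed.get("metadata", {}).get(field):
            problems.append(f"metadata.{field} differs between Secret and SealedSecret")
    enc = sealed.get("spec", {}).get("encryptedData", {})
    for key, b64 in plain.get("data", {}).items():
        if key not in enc:
            problems.append(f"key {key} missing from encryptedData")
            continue
        text = base64.b64decode(b64).decode("utf-8", "replace")
        # Leak check: the original base64 blob, or a non-trivial plaintext, visible in the sealed value.
        if enc[key] == b64 or (len(text) >= 6 and text in enc[key]):
            problems.append(f"key {key} appears unencrypted")
    # Plain data/stringData must never survive into the sealed manifest.
    for leak in ("data", "stringData"):
        if leak in sealed or leak in sealed.get("spec", {}):
            problems.append(f"plaintext field {leak} present in SealedSecret")
    return problems


if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
        for p in check_sealed(json.load(f), json.load(g)):
            print("PROBLEM:", p)
```

Run it as `python check_sealed.py env-secret.json env-secret-sealed.json`; no output means the checks passed.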