
Using SealedSecret so that Secrets never have to be committed to GitHub

When you set out to practice GitOps on Kubernetes, the question of how to manage Secrets comes up. A Secret is merely base64-encoded, so it cannot be pushed as-is to a public GitHub repository.
There are several possible solutions; Weaveworks, the originator of GitOps, lists SealedSecret in its FAQ as one of them. Let's see how it works using Minikube.

I verified this in the following environment.

Component              Version
Minikube               v1.0.0
Kubernetes             v1.14.0
Helm                   v2.13.1
sealed-secrets chart   1.0.2
sealed-secrets         0.7.0

How it works

SealedSecret is open-source software developed by Bitnami. It is a CRD (Custom Resource Definition), and the SealedSecret controller that manages this CRD runs inside the cluster. SealedSecret uses public-key cryptography: the controller holds the private key. A user encrypts a Secret with the public key and creates a SealedSecret resource from it. When the SealedSecret resource is created in the cluster, the controller decrypts it and creates the Secret.


The distinctive point is that decryption happens inside the cluster, which I think is a good fit for the pull-style GitOps that Weaveworks advocates. With push-style GitOps it may be fine instead to decrypt with a tool such as kubesec and then kubectl apply.

Setup

Starting Minikube

Start Minikube.

Command
minikube start
Example output
$ minikube start
😄  minikube v1.0.0 on darwin (amd64)
🤹  Downloading Kubernetes v1.14.0 images in the background ...
🔥  Creating virtualbox VM (CPUs=2, Memory=2048MB, Disk=20000MB) ...
💿  Downloading Minikube ISO ...
 142.88 MB / 142.88 MB [============================================] 100.00% 0s
📶  "minikube" IP address is 192.168.99.122
🐳  Configuring Docker as the container runtime ...
🐳  Version of container runtime is 18.06.2-ce
⌛  Waiting for image downloads to complete ...
✨  Preparing Kubernetes environment ...
💾  Downloading kubelet v1.14.0
💾  Downloading kubeadm v1.14.0
🚜  Pulling images required by Kubernetes v1.14.0 ...
🚀  Launching Kubernetes v1.14.0 using kubeadm ...
⌛  Waiting for pods: apiserver proxy etcd scheduler controller dns
🔑  Configuring cluster permissions ...
🤔  Verifying component health .....
💗  kubectl is now configured to use "minikube"
🏄  Done! Thank you for using minikube!
$

Installing Helm

The Sealed Secrets controller can be installed by running kubectl apply on the YAML as described on the official site, but it can also be installed with Helm. I want to use Helm this time, so first get Helm ready.

Initialize helm and install tiller into the cluster.

Command
helm init
Example output
$ helm init
$HELM_HOME has been configured at /Users/sotoiwa/.helm.

Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster.

Please note: by default, Tiller is deployed with an insecure 'allow unauthenticated users' policy.
To prevent this, run `helm init` with the --tiller-tls-verify flag.
For more information on securing your installation see: https://docs.helm.sh/using_helm/#securing-your-helm-installation
Happy Helming!
$

Installing the SealedSecret controller

Check the sealed-secrets chart.

Command
helm repo update
helm search sealed-secret
Example output
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Skip local chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈
$ helm search sealed-secret
NAME                    CHART VERSION   APP VERSION DESCRIPTION
stable/sealed-secrets   1.0.2           0.7.0       A Helm chart for Sealed Secrets
$

Check the chart's parameters.

Command
helm inspect values stable/sealed-secrets
Example output
$ helm inspect values stable/sealed-secrets
image:
  repository: quay.io/bitnami/sealed-secrets-controller
  tag: v0.7.0
  pullPolicy: IfNotPresent

resources: {}
nodeSelector: {}
tolerations: []
affinity: {}

serviceAccount:
  # serviceAccount.create: Whether to create a service account or not
  create: true
  # serviceAccount.name: The name of the service account to create or use
  name: ""

rbac:
  # rbac.create: `true` if rbac resources should be created
  create: true

# secretName: The name of the TLS secret containing the key used to encrypt secrets
secretName: "sealed-secrets-key"

crd:
  # crd.create: `true` if the crd resources should be created
  create: true
  # crd.keep: `true` if the sealed secret CRD should be kept when the chart is deleted
  keep: true

$

There do not seem to be any parameters that need customizing. When installing from the YAML, the default target is kube-system, so following that convention, install with kube-system specified as the target Namespace.

Command
helm install --name sealed-secrets \
  --namespace kube-system \
  stable/sealed-secrets
Example output
$ helm install --name sealed-secrets \
>   --namespace kube-system \
>   stable/sealed-secrets
NAME:   sealed-secrets
LAST DEPLOYED: Tue Apr 30 00:02:19 2019
NAMESPACE: kube-system
STATUS: DEPLOYED

RESOURCES:
==> v1/ClusterRole
NAME              AGE
secrets-unsealer  0s

==> v1/ClusterRoleBinding
NAME            AGE
sealed-secrets  0s

==> v1/Deployment
NAME            READY  UP-TO-DATE  AVAILABLE  AGE
sealed-secrets  0/1    1           0          0s

==> v1/Pod(related)
NAME                             READY  STATUS             RESTARTS  AGE
sealed-secrets-7d9f58567c-z9p62  0/1    ContainerCreating  0         0s

==> v1/Role
NAME                      AGE
sealed-secrets-key-admin  0s

==> v1/RoleBinding
NAME            AGE
sealed-secrets  0s

==> v1/Service
NAME            TYPE       CLUSTER-IP      EXTERNAL-IP  PORT(S)   AGE
sealed-secrets  ClusterIP  10.107.197.241  <none>       8080/TCP  0s

==> v1/ServiceAccount
NAME            SECRETS  AGE
sealed-secrets  1        0s

==> v1beta1/CustomResourceDefinition
NAME                       AGE
sealedsecrets.bitnami.com  0s


NOTES:
You should now be able to create sealed secrets.

1. Install client-side tool into /usr/local/bin/

GOOS=$(go env GOOS)
GOARCH=$(go env GOARCH)
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/$release/kubeseal-$GOOS-$GOARCH
sudo install -m 755 kubeseal-$GOOS-$GOARCH /usr/local/bin/kubeseal

2. Create a sealed secret file

# note the use of `--dry-run` - this does not create a secret in your cluster
kubectl create secret generic secret-name --dry-run --from-literal=foo=bar -o [json|yaml] | kubeseal --format [json|yaml] > mysealedsecret.[json|yaml]

The file mysealedsecret.[json|yaml] is a commitable file.

If you would rather not need access to the cluster to generate the sealed secret you can run

kubeseal --fetch-cert > mycert.pem

to retrieve the public cert used for encryption and store it locally. You can then run 'kubeseal --cert mycert.pem' instead to use the local cert e.g.

kubectl create secret generic secret-name --dry-run --from-literal=foo=bar -o [json|yaml] | kubeseal --format [json|yaml] --cert mycert.pem > mysealedsecret.[json|yaml]

3. Apply the sealed secret

kubectl create -f mysealedsecret.[json|yaml]

Running 'kubectl get secret secret-name -o [json|yaml]' will show the decrypted secret that was generated from the sealed secret.

Both the SealedSecret and generated Secret must have the same name and namespace.



$

Usage

The usage is mostly described in the message printed at helm install time.

Installing kubeseal

Install the kubeseal CLI. On macOS it can be installed with Homebrew. On Linux, download the binary from the GitHub releases page and put it somewhere such as /usr/local/bin.

Command
brew install kubeseal
Example output
$ brew install kubeseal
Updating Homebrew...
==> Auto-updated Homebrew!
Updated 1 tap (homebrew/cask).
No changes to formulae.

==> Downloading https://homebrew.bintray.com/bottles/kubeseal-0.7.0.mojave.bottle.tar.gz
==> Downloading from https://akamai.bintray.com/99/99ee78122f26f43c836cf29fa746138997896df6b4a01bd3dce9a4b6525cb267?__gda__=exp=1556551076~hmac=0fc854f5620592b5ff699125caa794c7c9633b68bf52c0d5245a24b418
######################################################################## 100.0%
==> Pouring kubeseal-0.7.0.mojave.bottle.tar.gz
🍺  /usr/local/Cellar/kubeseal/0.7.0: 3 files, 26.7MB
$

Fetching the certificate (public key)

Fetch the public key from the controller running in the cluster.

Command
kubeseal --fetch-cert \
  --controller-namespace=kube-system \
  --controller-name=sealed-secrets \
  > pub-cert.pem

Check the fetched certificate (public key).

$ ls -l | grep pub-cert.pem
-rw-r--r--    1 sotoiwa  staff   1684  4 30 00:10 pub-cert.pem
$ cat pub-cert.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
$

Encrypting the Secret

Create the YAML file for the Secret resource using the --dry-run option.

kubectl -n default create secret generic mysecret \
  --from-literal=user=admin \
  --from-literal=password=admin \
  --dry-run \
  -o yaml > mysecret-secret.yaml

A Secret YAML like the following is produced.

mysecret-secret.yaml
apiVersion: v1
data:
  password: YWRtaW4=
  user: YWRtaW4=
kind: Secret
metadata:
  creationTimestamp: null
  name: mysecret
  namespace: default

Use the kubeseal command, specifying the certificate (public key), to create a SealedSecret from the Secret. Note that both YAML and JSON are handled.

kubeseal --format=yaml --cert=pub-cert.pem < mysecret-secret.yaml > mysecret-sealedsecret.yaml

A SealedSecret YAML like the following is produced.

mysecret-sealedsecret.yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: mysecret
  namespace: default
spec:
  encryptedData:
    password: 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
    user: AgBrltxpt+16stWlS+KLtJJoRAtpf6a5uiesM0gx7s2/kpLqdUEO8XLMtBdLan2GdTxShzkZqkiFblTW+lhOABbwv1GkTYPiGXcB2IctPNfBP8LIjIsvPzorO5zGupITE6wcFlO8arq64ym3UZ1xquhqQmaYmMlKN9TlK0fOzw64kbkincesa7dvMv0/RRSWi8H45w8XuUToxIbZWHdjY2jCNvjwxf7j4RbZJ4qdc1csl+iw6hWKBvpxyxEvJvziK57SQOGsH+K7DVaHChmpjuCoZOun4sUdUhLJJE5KKigK8pFhUnuI+oeah5FoltOnX6os3qzTD1JIRqK/mg2T1Z+qVsiPTJ2PNSFwPwN8+rvDoazQcInyJThk7fE3jFm/ggQUOx/TVPskRFkvfwsgLBM4EXuIidm/nkkhtVx427Y+oYuzjE/mVhYdm/aSYQKAagnk76rbPq3mlZ2pwhYATq8HJ5BZ/W8/UKtBbj17eBQqDzBLTKmXQQipeM/Tlta1R2MUAUIjheyUKViHdZ1v+WR5IqyXvjfsBV1jrIs9GldMGp9M3bcLuJGxeIf377zxf7DxQubWcaL3tGWqmAXSLraGacvSTPXgr2BaRBbCQwqTTsd7xezrhlWmYzvPCYFo7IIdJFswUzewiqC0228QMjpHLBLUg8Rbh1OIrjyfTWXcdZPa9QTdk8NZsFHaXhqI8s+LGN0Smg==
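As an added example, not from the original article, here is a small POSIX shell guard in the spirit of the title: before a manifest is committed, it rejects any file that is a plain Secret (base64 is an encoding, not encryption) and accepts only SealedSecret manifests that carry encryptedData and no plaintext data block. The two manifests it writes into a temporary directory are constructed for the demo and mirror the files above; the function names check_manifest and scan_dir and the placeholder ciphertext are my own.

```shell
#!/bin/sh
# Added example, not from the original article.
# Guard that refuses plain Secret manifests and accepts SealedSecret manifests.

# check_manifest FILE -> 0 if FILE is safe to commit, 1 if it carries a plain Secret
check_manifest() {
  file="$1"
  if grep -Eq '^kind:[[:space:]]*SealedSecret[[:space:]]*$' "$file"; then
    # Ciphertext only the controller can decrypt, but make sure no plaintext
    # data/stringData block was left next to it and encryptedData is present.
    if grep -Eq '^(data|stringData):' "$file"; then
      echo "REJECT $file: SealedSecret carries a plaintext data block" >&2
      return 1
    fi
    if ! grep -Eq '^[[:space:]]+encryptedData:' "$file"; then
      echo "REJECT $file: SealedSecret has no encryptedData" >&2
      return 1
    fi
    return 0
  fi
  if grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$file"; then
    # base64 is an encoding, not encryption: anyone with repo access reads it
    echo "REJECT $file: plain Secret, base64 is not encryption" >&2
    return 1
  fi
  return 0
}

# scan_dir DIR -> 0 if every *.yaml directly under DIR passes, 1 if any is rejected
scan_dir() {
  rc=0
  for f in "$1"/*.yaml; do
    [ -e "$f" ] || continue
    check_manifest "$f" || rc=1
  done
  return $rc
}

# --- demo with constructed manifests (they mirror the two files above) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/mysecret-secret.yaml" <<'EOF'
apiVersion: v1
data:
  password: YWRtaW4=
  user: YWRtaW4=
kind: Secret
metadata:
  name: mysecret
  namespace: default
EOF
cat > "$demo_dir/mysecret-sealedsecret.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
  namespace: default
spec:
  encryptedData:
    password: AgBconstructedPlaceholderCiphertext==
    user: AgBconstructedPlaceholderCiphertext==
EOF
# scan_dir returns 1 here: mysecret-secret.yaml must never reach the repository.
scan_dir "$demo_dir" || echo "commit blocked: remove the plain Secret and keep the SealedSecret"
```

Wired into a pre-commit hook, scan_dir over the manifest directory is enough to catch the mistake the article is about: the dry-run Secret file lying next to the SealedSecret it was sealed from.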

Registering the SealedSecret in the cluster

Check the Secrets and SealedSecrets in the default Namespace.

$ kubectl get secret -n default
NAME                  TYPE                                  DATA   AGE
default-token-726zt   kubernetes.io/service-account-token   3      90m
$ kubectl get sealedsecret -n default
No resources found.
$

Create the SealedSecret.

kubectl apply -f mysecret-sealedsecret.yaml

Confirm that the SealedSecret and the Secret are created.

$ kubectl get secret -n default
NAME                  TYPE                                  DATA   AGE
default-token-726zt   kubernetes.io/service-account-token   3      92m
mysecret              Opaque                                2      35s
$ kubectl get sealedsecret -n default
NAME       AGE
mysecret   44s
$

Check the contents of the Secret and confirm that it has been decrypted.

$ kubectl get secret -n default mysecret -o yaml
apiVersion: v1
data:
  password: YWRtaW4=
  user: YWRtaW4=
kind: Secret
metadata:
  creationTimestamp: "2019-04-29T15:53:21Z"
  name: mysecret
  namespace: default
  ownerReferences:
  - apiVersion: bitnami.com/v1alpha1
    controller: true
    kind: SealedSecret
    name: mysecret
    uid: e9c83be3-6a96-11e9-a236-0800273bedc2
  resourceVersion: "7220"
  selfLink: /api/v1/namespaces/default/secrets/mysecret
  uid: e9ce139d-6a96-11e9-a236-0800273bedc2
type: Opaque
$

Other notes

Retrieving the private key

The private key (and the certificate) is stored as a Secret, so back it up.

kubectl get secret -n kube-system sealed-secrets-key -o yaml > sealed-secrets-key.yaml
sealed-secrets-key.yaml
apiVersion: v1
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVyVENDQXBXZ0F3SUJBZ0lRSFRYYXlvcStJcTkvcnl2MDN0U3I3ekFOQmdrcWhraUc5dzBCQVFzRkFEQUEKTUI0WERURTVNRFF5T1RFMU1ESXlPRm9YRFRJNU1EUXlOakUxTURJeU9Gb3dBRENDQWlJd0RRWUpLb1pJaHZjTgpBUUVCQlFBRGdnSVBBRENDQWdvQ2dnSUJBTVMzRVZGTVZTMGhsSkpLc1hWbmNoRUJhb1RjSDB3ZlhuejJEbE12CnFNUTE3TjgvRDQrdm5xR0l5TUxGKzlLaWtsb2NQOEZRSDZMWVg3R1hab0JqcTF3dHVHbko1R1huZjBWVWRON1QKY2hySXlxNXBlQmpjUndZMWlzNHVoS2Z3V1U0T3lMSW5zd0NONGxseFR0RTRMMzBxS3JPaER5RGNwVU95RVBKbAprdWxZNURESnhNZzRGaE1qY1JUTWVjSXZjVWdjQk5tUmE4aFJRdHZZbTZSTS8xaGRBanpVWlZPNjJhcFd1VFBVCjl2bzcvUm9zQTJaQ1JjRGpEYmxrSDJyeTdHNnM1bVBhejN1aE93SEFMbm12cVJqTzJaRm15Rnd2TEtGUm1LWWEKNXQwQTY0WUNQdTVTV0I0RDE5cE1jUHZQUmJFOStPbk56cmZMQ3duaUVBKzkwYTMwS29LeU9rN2ZKbzNOVmx4RQpmK0VqZDMwVitFYUZnU1FiREdidzBqTlZEZVQ1R0NKQU5JMXBiZExCeThaUWFEQlU0dklTektMNy80d2EzdVRiCkEyUkg0VEFwZlEwY2pscGRnTFd4QmhTaEh3TDlXSmVqSnMyeVIvcHI5VW90aXpPVy91amlnMWR5RGJ4eEFLdGYKMjNwSlhZYWs4ZnFwcCtiSE5FQm1HcmF2ZDFIV3BETHdRbzVwL3BvckRZK0Qrc1V5RUN2OUxMeTRBQ1k3NzU2agpoUENhQkhwRDBJWW1vN2hQR1daYTdLb0NweXBWVnpvR0ZNZmJ2RVBTbDN5QlZLWElhR0pWS3BIK2xicVIwcUN3Ck9BT21NaHU2OWVpRTJRR3hsbG1WMWdndDdseGIvNkJxanU2bW43ODdFSVNhUjV6YWxwdk8zNVE0aWJyVWNJcmMKZWVYUkFnTUJBQUdqSXpBaE1BNEdBMVVkRHdFQi93UUVBd0lBQVRBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUEwRwpDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQzc5WEw0U1R6Y0sxME5uK2ZpanhsdjZlM0dOdzFMaWN5K2UvYXgzNGdWCkJTRUtOdU1IeW43eEJGK3lIQXV0bUlxNHpQczc5V001c0hwQ3hGZysrOW1NL2l3SXllbXVpVFAyZXB5RnY2c3UKVXVXdTlicGs2Y2FuTDBQdjNKYW5qNmxkeU9kMERkbVMrak8wM0lhS3BtRy93R1dnWEFvYlhtT09TVnh4b1F6VQpRWGNDQ1kvQ3dLSCtRbWJuUXZSN2c3THhpSG1OVzlPdTZXQ29Ua01vTm94WkZuVlZyN3lIWlRrakt6SngrZU8wCnZGZnMxYVJ4QzBOMFpCZFl4SUFpdGJjYXRTUXRvaE02VUVvL0ZCaGlocnNtZkdKWmxRbzdzdzRVOExaNjR3eXEKcU5WZzl4amFNZzhNMXdHcFFjd244dkVmWnI1NStTcHUvL1VxQkx3MDJpcElhaVNYVVo2bkdaMHNDMUVJNzd2bApQblJKVHI0MXZ3RDV0UTVJWlBzMEZKZWV6TG5VT1lCc2tWR0lXaGxzVW5SdEQ0aFZFaEk5TW5ZcUM4TDAxbFIvCjh1ejd2WHBRRlBzVFF5Yjd0dzVtS3J5NU91RFpOT1picUlsa2F2dCtXZExTSGpianlqbFU0NTVVREhiOCt5VGIKQTFzSEdBYjlBakFXdjBEejJFbHpZNjAyWk9IUGRyZkNkUjkydFczNDh5U0FLNUlnckdVbWc0OGxaZUdUaW1vRQpzWXRNVXFiaXBGRVRydXdtYTJhMnM5TUZHZmVPNHFEWkFBdHkzZXRPV2dTaWIwaWMvbCt2bUh3K1pGamRtZS8zCkxPYUdxOWNBbUkwbmJzai90THgrbG9jQU9WRVBiRVZvVTVGa0Y3a1hWcmlmQmJhZlhTVVdFMFgzVzlOY0JLeXAKeVE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
  tls.key: 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
kind: Secret
metadata:
  creationTimestamp: "2019-04-29T15:02:28Z"
  name: sealed-secrets-key
  namespace: kube-system
  resourceVersion: "3499"
  selfLink: /api/v1/namespaces/kube-system/secrets/sealed-secrets-key
  uid: ce63cc15-6a8f-11e9-a236-0800273bedc2
type: kubernetes.io/tls

To decode and inspect the private key and certificate (public key) data, do the following.

# private key
kubectl get secret -n kube-system sealed-secrets-key -o json | jq -r '.data["tls.key"]' | base64 --decode
# certificate (public key)
kubectl get secret -n kube-system sealed-secrets-key -o json | jq -r '.data["tls.crt"]' | base64 --decode

To restore the private key, replace the Secret with the backed-up YAML and restart the controller Pod.

# kubectl replace takes the object from -f; if it reports a resourceVersion/uid
# conflict, delete those two metadata fields from the backup first
kubectl replace -n kube-system -f sealed-secrets-key.yaml
kubectl delete pod -n kube-system -l app.kubernetes.io/name=sealed-secrets
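As an added example that is not part of the original article, the following POSIX shell script checks a backup of sealed-secrets-key before it is relied on: the tls.crt inside the backup must be byte-identical to the certificate the controller serves (the pub-cert.pem fetched with kubeseal --fetch-cert earlier), the backup must actually contain a tls.key, and the file is made owner-readable only, since it holds the private key. The restore_key function wraps the replace/restart commands and needs a real cluster, so the demo does not call it; the demo uses constructed placeholder strings in place of a real certificate and key, and the function names verify_key_backup and restore_key are my own.

```shell
#!/bin/sh
# Added example, not from the original article.
# Verify a backup of the sealed-secrets-key Secret before relying on it.

# verify_key_backup BACKUP_YAML PUB_CERT_PEM -> 0 if the backup is usable, 1 otherwise
verify_key_backup() {
  backup="$1"; pubcert="$2"
  # Pull the base64 values of tls.crt and tls.key out of the backed-up Secret.
  b_crt=$(awk '$1 == "tls.crt:" { print $2 }' "$backup")
  b_key=$(awk '$1 == "tls.key:" { print $2 }' "$backup")
  if [ -z "$b_key" ]; then
    echo "FAIL: $backup has no tls.key, so it cannot restore the controller" >&2
    return 1
  fi
  # The certificate in the backup must match the one the controller serves;
  # otherwise the backup belongs to a different key pair, and SealedSecrets
  # created against pub-cert.pem would not decrypt after a restore.
  if [ "$(printf '%s' "$b_crt" | base64 --decode)" != "$(cat "$pubcert")" ]; then
    echo "FAIL: tls.crt in $backup differs from $pubcert" >&2
    return 1
  fi
  chmod 600 "$backup"   # the file holds the private key: owner-only access
  return 0
}

# restore_key BACKUP_YAML: replace the Secret and restart the controller Pod.
# Needs a real cluster, so the demo below does not call it.
restore_key() {
  kubectl replace -n kube-system -f "$1"
  kubectl delete pod -n kube-system -l app.kubernetes.io/name=sealed-secrets
}

# --- demo with constructed placeholders instead of a real certificate/key ---
bk_dir=$(mktemp -d)
printf 'CONSTRUCTED-CERT-PLACEHOLDER\n' > "$bk_dir/pub-cert.pem"
printf 'SOME-OTHER-CERT-PLACEHOLDER\n' > "$bk_dir/other-cert.pem"
crt_b64=$(base64 < "$bk_dir/pub-cert.pem" | tr -d '\n')
key_b64=$(printf 'CONSTRUCTED-KEY-PLACEHOLDER\n' | base64 | tr -d '\n')
cat > "$bk_dir/sealed-secrets-key.yaml" <<EOF
apiVersion: v1
data:
  tls.crt: $crt_b64
  tls.key: $key_b64
kind: Secret
metadata:
  name: sealed-secrets-key
  namespace: kube-system
type: kubernetes.io/tls
EOF
verify_key_backup "$bk_dir/sealed-secrets-key.yaml" "$bk_dir/pub-cert.pem" && echo "backup OK"
```

Run verify_key_backup on the real backup right after the kubectl get above, with the pub-cert.pem from the same cluster; a mismatch means the controller has been reinstalled with a fresh key since the backup was taken, and the backup would not decrypt the SealedSecrets currently in Git.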

References
