When you set out to practise GitOps on Kubernetes, the question of how to manage Secrets comes up. A Secret is merely base64-encoded, so it cannot simply be pushed to a public GitHub repository as it is.
There are several possible solutions; Weaveworks, who coined the term GitOps, lists SealedSecrets as one of them in their FAQ. Let's see how it works on Minikube.
I verified this with the following environment.
| Component | Version |
|---|---|
| Minikube | v1.0.0 |
| Kubernetes | v1.14.0 |
| Helm | v2.13.1 |
| sealed-secrets chart | 1.0.2 |
| sealed-secrets | 0.7.0 |
## How it works
SealedSecrets is open source software developed by Bitnami. It is a CRD (Custom Resource Definition), and a SealedSecret Controller that manages this CRD runs inside the cluster. SealedSecrets uses public key cryptography: the controller holds the private key, and the user encrypts a Secret with the public key to produce a SealedSecret resource. When the SealedSecret resource is created in the cluster, the controller decrypts it and creates the corresponding Secret.
The distinctive point is that decryption happens inside the cluster, which is a good match for the pull-style GitOps that Weaveworks advocates. For push-style GitOps, decrypting with a tool such as kubesec and then running kubectl apply may be fine as well.
## Setup
### Starting Minikube
Start Minikube.
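To make the mechanism concrete, here is an added example (my own code, not the article's and not code from the sealed-secrets project) of the hybrid scheme the controller uses, as I read the project's source: kubeseal wraps a fresh AES-256 session key with RSA-OAEP (SHA-256) under the public key, then seals the Secret value with AES-GCM under that key, and the controller reverses the process with its private key. The OAEP label is `<namespace>/<name>`, which is why the Helm chart's notes later in this article say the SealedSecret and the generated Secret must share the same name and namespace: relabelling the ciphertext makes decryption fail. The example generates a 2048-bit key for speed; the controller uses a 4096-bit key, which is why the `encryptedData` values shown later start with `AgB` (the first two bytes, 0x0200, are the 512-byte RSA block length).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

const sessionKeyBytes = 32 // AES-256 session key, used exactly once

// sealLabel is the RSA-OAEP label "<namespace>/<name>". Because the label is an
// input to OAEP, a value sealed for default/mysecret cannot be unsealed if the
// SealedSecret is renamed or moved to another namespace.
func sealLabel(namespace, name string) []byte {
	return []byte(namespace + "/" + name)
}

// hybridEncrypt is the kubeseal side (public key only).
// Layout: [2-byte big-endian len(rsaCiphertext)][rsaCiphertext][AES-GCM ciphertext||tag]
func hybridEncrypt(pub *rsa.PublicKey, plaintext, label []byte) ([]byte, error) {
	sessionKey := make([]byte, sessionKeyBytes)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2)
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	// The session key is never reused, so a fixed all-zero nonce is acceptable here.
	return aead.Seal(out, make([]byte, aead.NonceSize()), plaintext, nil), nil
}

// hybridDecrypt is the controller side: only the holder of the private key
// (the sealed-secrets-key Secret in kube-system) can unwrap the session key.
func hybridDecrypt(priv *rsa.PrivateKey, ciphertext, label []byte) ([]byte, error) {
	if len(ciphertext) < 2 {
		return nil, errors.New("ciphertext too short")
	}
	rsaLen := int(binary.BigEndian.Uint16(ciphertext[:2]))
	if len(ciphertext) < 2+rsaLen {
		return nil, errors.New("truncated RSA block")
	}
	wrapped, sealed := ciphertext[2:2+rsaLen], ciphertext[2+rsaLen:]
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, label)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, make([]byte, aead.NonceSize()), sealed, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// demo seals the article's password value for default/mysecret, unseals it with
// the matching label, and shows that the same bytes are rejected under
// default/othersecret. It returns the recovered plaintext, whether the
// mislabelled unseal failed, and the first two base64 characters of the value.
func demo() (string, bool, string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // controller: 4096 bits
	if err != nil {
		return "", false, "", err
	}
	sealed, err := hybridEncrypt(&priv.PublicKey, []byte("admin"), sealLabel("default", "mysecret"))
	if err != nil {
		return "", false, "", err
	}
	plain, err := hybridDecrypt(priv, sealed, sealLabel("default", "mysecret"))
	if err != nil {
		return "", false, "", err
	}
	_, wrongErr := hybridDecrypt(priv, sealed, sealLabel("default", "othersecret"))
	b64 := base64.StdEncoding.EncodeToString(sealed)
	return string(plain), wrongErr != nil, b64[:2], nil
}

func main() {
	plain, rejected, prefix, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered=%q mislabelled-rejected=%v prefix=%s\n", plain, rejected, prefix)
}
```

With a 2048-bit key the RSA block is 256 bytes, so the sealed value begins with bytes 0x0100 and the base64 form starts with `AQ`; the 4096-bit controller key yields 0x0200 and the `AgB` prefix visible in the SealedSecret YAML later in this article.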
```
minikube start
```
```
$ minikube start
😄 minikube v1.0.0 on darwin (amd64)
🤹 Downloading Kubernetes v1.14.0 images in the background ...
🔥 Creating virtualbox VM (CPUs=2, Memory=2048MB, Disk=20000MB) ...
💿 Downloading Minikube ISO ...
142.88 MB / 142.88 MB [============================================] 100.00% 0s
📶 "minikube" IP address is 192.168.99.122
🐳 Configuring Docker as the container runtime ...
🐳 Version of container runtime is 18.06.2-ce
⌛ Waiting for image downloads to complete ...
✨ Preparing Kubernetes environment ...
💾 Downloading kubelet v1.14.0
💾 Downloading kubeadm v1.14.0
🚜 Pulling images required by Kubernetes v1.14.0 ...
🚀 Launching Kubernetes v1.14.0 using kubeadm ...
⌛ Waiting for pods: apiserver proxy etcd scheduler controller dns
🔑 Configuring cluster permissions ...
🤔 Verifying component health .....
💗 kubectl is now configured to use "minikube"
🏄 Done! Thank you for using minikube!
$
```
### Installing Helm
The Sealed Secret Controller can be installed by running kubectl apply on the YAML as described on the official site, but it can also be installed with Helm. I want to use Helm this time, so first make Helm usable.
Initialize helm and install tiller into the cluster.
```
helm init
```
```
$ helm init
$HELM_HOME has been configured at /Users/sotoiwa/.helm.
Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster.
Please note: by default, Tiller is deployed with an insecure 'allow unauthenticated users' policy.
To prevent this, run `helm init` with the --tiller-tls-verify flag.
For more information on securing your installation see: https://docs.helm.sh/using_helm/#securing-your-helm-installation
Happy Helming!
$
```
### Installing the SealedSecret Controller
Check the sealed-secrets chart.
```
helm repo update
helm search sealed-secret
helm inspect values stable/sealed-secrets
```
```
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Skip local chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈
$ helm search sealed-secret
NAME                    CHART VERSION   APP VERSION     DESCRIPTION
stable/sealed-secrets   1.0.2           0.7.0           A Helm chart for Sealed Secrets
$
```
Check the chart's parameters.
```
helm inspect values stable/sealed-secrets
```
```
$ helm inspect values stable/sealed-secrets
image:
  repository: quay.io/bitnami/sealed-secrets-controller
  tag: v0.7.0
  pullPolicy: IfNotPresent
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
serviceAccount:
  # serviceAccount.create: Whether to create a service account or not
  create: true
  # serviceAccount.name: The name of the service account to create or use
  name: ""
rbac:
  # rbac.create: `true` if rbac resources should be created
  create: true
# secretName: The name of the TLS secret containing the key used to encrypt secrets
secretName: "sealed-secrets-key"
crd:
  # crd.create: `true` if the crd resources should be created
  create: true
  # crd.keep: `true` if the sealed secret CRD should be kept when the chart is deleted
  keep: true
$
```
There seem to be no parameters that need customizing. The default target when installing from the YAML is kube-system, so follow that and specify kube-system as the Namespace to install into.
```
helm install --name sealed-secrets \
  --namespace kube-system \
  stable/sealed-secrets
```
```
$ helm install --name sealed-secrets \
> --namespace kube-system \
> stable/sealed-secrets
NAME:   sealed-secrets
LAST DEPLOYED: Tue Apr 30 00:02:19 2019
NAMESPACE: kube-system
STATUS: DEPLOYED

RESOURCES:
==> v1/ClusterRole
NAME              AGE
secrets-unsealer  0s

==> v1/ClusterRoleBinding
NAME            AGE
sealed-secrets  0s

==> v1/Deployment
NAME            READY  UP-TO-DATE  AVAILABLE  AGE
sealed-secrets  0/1    1           0          0s

==> v1/Pod(related)
NAME                             READY  STATUS             RESTARTS  AGE
sealed-secrets-7d9f58567c-z9p62  0/1    ContainerCreating  0         0s

==> v1/Role
NAME                      AGE
sealed-secrets-key-admin  0s

==> v1/RoleBinding
NAME            AGE
sealed-secrets  0s

==> v1/Service
NAME            TYPE       CLUSTER-IP      EXTERNAL-IP  PORT(S)   AGE
sealed-secrets  ClusterIP  10.107.197.241  <none>       8080/TCP  0s

==> v1/ServiceAccount
NAME            SECRETS  AGE
sealed-secrets  1        0s

==> v1beta1/CustomResourceDefinition
NAME                       AGE
sealedsecrets.bitnami.com  0s


NOTES:
You should now be able to create sealed secrets.

1. Install client-side tool into /usr/local/bin/

GOOS=$(go env GOOS)
GOARCH=$(go env GOARCH)
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/$release/kubeseal-$GOOS-$GOARCH
sudo install -m 755 kubeseal-$GOOS-$GOARCH /usr/local/bin/kubeseal

2. Create a sealed secret file

# note the use of `--dry-run` - this does not create a secret in your cluster
kubectl create secret generic secret-name --dry-run --from-literal=foo=bar -o [json|yaml] | kubeseal --format [json|yaml] > mysealedsecret.[json|yaml]

The file mysealedsecret.[json|yaml] is a commitable file.

If you would rather not need access to the cluster to generate the sealed secret you can run

kubeseal --fetch-cert > mycert.pem

to retrieve the public cert used for encryption and store it locally. You can then run 'kubeseal --cert mycert.pem' instead to use the local cert e.g.

kubectl create secret generic secret-name --dry-run --from-literal=foo=bar -o [json|yaml] | kubeseal --format [json|yaml] --cert mycert.pem > mysealedsecret.[json|yaml]

3. Apply the sealed secret

kubectl create -f mysealedsecret.[json|yaml]

Running 'kubectl get secret secret-name -o [json|yaml]' will show the decrypted secret that was generated from the sealed secret.

Both the SealedSecret and generated Secret must have the same name and namespace.
$
```
## Usage
Usage is mostly described in the message shown when installing with helm.
### Installing kubeseal
Install the kubeseal CLI. On a Mac it can be installed with Homebrew. On Linux, download the binary from the releases page and put it somewhere like /usr/local/bin.
```
brew install kubeseal
```
```
$ brew install kubeseal
Updating Homebrew...
==> Auto-updated Homebrew!
Updated 1 tap (homebrew/cask).
No changes to formulae.

==> Downloading https://homebrew.bintray.com/bottles/kubeseal-0.7.0.mojave.bottle.tar.gz
==> Downloading from https://akamai.bintray.com/99/99ee78122f26f43c836cf29fa746138997896df6b4a01bd3dce9a4b6525cb267?__gda__=exp=1556551076~hmac=0fc854f5620592b5ff699125caa794c7c9633b68bf52c0d5245a24b418
######################################################################## 100.0%
==> Pouring kubeseal-0.7.0.mojave.bottle.tar.gz
🍺  /usr/local/Cellar/kubeseal/0.7.0: 3 files, 26.7MB
$
```
### Fetching the certificate (public key)
Fetch the public key from the controller running in the cluster.
```
kubeseal --fetch-cert \
  --controller-namespace=kube-system \
  --controller-name=sealed-secrets \
  > pub-cert.pem
```
Check the fetched certificate (public key).
```
$ ls -l | grep pub-cert.pem
-rw-r--r--  1 sotoiwa  staff  1684  4 30 00:10 pub-cert.pem
$ cat pub-cert.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
$
```
### Encrypting the Secret
Create the Secret resource YAML file using the --dry-run option.
```
kubectl -n default create secret generic mysecret \
  --from-literal=user=admin \
  --from-literal=password=admin \
  --dry-run \
  -o yaml > mysecret-secret.yaml
```
A Secret YAML like the following is produced.
```yaml
apiVersion: v1
data:
  password: YWRtaW4=
  user: YWRtaW4=
kind: Secret
metadata:
  creationTimestamp: null
  name: mysecret
  namespace: default
```
With the kubeseal command, specify the certificate (public key) and create a SealedSecret from the Secret. Both YAML and JSON are handled.
```
kubeseal --format=yaml --cert=pub-cert.pem < mysecret-secret.yaml > mysecret-sealedsecret.yaml
```
A SealedSecret YAML like the following is produced.
```yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: mysecret
  namespace: default
spec:
  encryptedData:
    password: ...
    user: AgBrltxpt+16stWlS+KLtJJoRAtpf6a5uiesM0gx7s2/kpLqdUEO8XLMtBdLan2GdTxShzkZqkiFblTW+lhOABbwv1GkTYPiGXcB2IctPNfBP8LIjIsvPzorO5zGupITE6wcFlO8arq64ym3UZ1xquhqQmaYmMlKN9TlK0fOzw64kbkincesa7dvMv0/RRSWi8H45w8XuUToxIbZWHdjY2jCNvjwxf7j4RbZJ4qdc1csl+iw6hWKBvpxyxEvJvziK57SQOGsH+K7DVaHChmpjuCoZOun4sUdUhLJJE5KKigK8pFhUnuI+oeah5FoltOnX6os3qzTD1JIRqK/mg2T1Z+qVsiPTJ2PNSFwPwN8+rvDoazQcInyJThk7fE3jFm/ggQUOx/TVPskRFkvfwsgLBM4EXuIidm/nkkhtVx427Y+oYuzjE/mVhYdm/aSYQKAagnk76rbPq3mlZ2pwhYATq8HJ5BZ/W8/UKtBbj17eBQqDzBLTKmXQQipeM/Tlta1R2MUAUIjheyUKViHdZ1v+WR5IqyXvjfsBV1jrIs9GldMGp9M3bcLuJGxeIf377zxf7DxQubWcaL3tGWqmAXSLraGacvSTPXgr2BaRBbCQwqTTsd7xezrhlWmYzvPCYFo7IIdJFswUzewiqC0228QMjpHLBLUg8Rbh1OIrjyfTWXcdZPa9QTdk8NZsFHaXhqI8s+LGN0Smg==
```
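The file produced above is the one that gets committed, and the whole point of the exercise is that the plain Secret from the previous step never does. As an added example (my own code, not the article's and not a sealed-secrets tool), here is a small guard of the kind you would run as a pre-commit or CI check over JSON manifests (kubeseal can emit JSON with `--format json`): it rejects a `kind: Secret` that still carries `data`/`stringData`, requires a SealedSecret to name its target namespace and name, and sanity-checks that each `encryptedData` value has the sealed layout (2-byte RSA block length, RSA block, AES-GCM ciphertext plus tag). The minimum RSA block size and the sample manifests are my own constructions; the sealed value in the sample is placeholder bytes, not real ciphertext.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// manifest captures only the fields this check needs from a Kubernetes object.
type manifest struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Data       map[string]string `json:"data"`
	StringData map[string]string `json:"stringData"`
	Spec       struct {
		EncryptedData map[string]string `json:"encryptedData"`
	} `json:"spec"`
}

const (
	minRSABytes = 256 // assumption: at least a 2048-bit key; the controller's 4096-bit key gives 512
	gcmTagBytes = 16
)

// checkSealedValue verifies the layout of one encryptedData value:
// base64( [2-byte big-endian RSA length][RSA block][AES-GCM ciphertext+tag] ).
func checkSealedValue(v string) error {
	raw, err := base64.StdEncoding.DecodeString(v)
	if err != nil {
		return fmt.Errorf("not base64: %w", err)
	}
	if len(raw) < 2 {
		return errors.New("too short")
	}
	rsaLen := int(binary.BigEndian.Uint16(raw[:2]))
	if rsaLen < minRSABytes {
		return fmt.Errorf("RSA block of %d bytes is smaller than a 2048-bit key would produce", rsaLen)
	}
	if len(raw) < 2+rsaLen+gcmTagBytes {
		return errors.New("truncated: missing RSA block or GCM tag")
	}
	return nil
}

// checkManifest returns nil when the JSON document is safe to commit.
func checkManifest(doc []byte) error {
	var m manifest
	if err := json.Unmarshal(doc, &m); err != nil {
		return fmt.Errorf("not a JSON manifest: %w", err)
	}
	switch m.Kind {
	case "Secret":
		if len(m.Data) > 0 || len(m.StringData) > 0 {
			return fmt.Errorf("plain Secret %q carries data; run it through kubeseal before committing", m.Metadata.Name)
		}
	case "SealedSecret":
		if m.Metadata.Name == "" || m.Metadata.Namespace == "" {
			return errors.New("SealedSecret needs metadata.name and metadata.namespace")
		}
		if len(m.Spec.EncryptedData) == 0 {
			return errors.New("SealedSecret has no encryptedData")
		}
		for k, v := range m.Spec.EncryptedData {
			if err := checkSealedValue(v); err != nil {
				return fmt.Errorf("encryptedData[%s]: %w", k, err)
			}
		}
	}
	return nil // other kinds are not this check's concern
}

// Constructed sample input: the plain Secret from this article, as JSON.
var plainSecretJSON = []byte(`{"apiVersion":"v1","kind":"Secret",
 "metadata":{"name":"mysecret","namespace":"default"},
 "data":{"password":"YWRtaW4=","user":"YWRtaW4="}}`)

// fakeSealedValue builds a syntactically valid sealed value with a 512-byte
// RSA block and 32 bytes of "ciphertext"; the bytes are placeholders, not real output.
func fakeSealedValue() string {
	raw := make([]byte, 2+512+32)
	binary.BigEndian.PutUint16(raw, 512)
	for i := 2; i < len(raw); i++ {
		raw[i] = byte(i)
	}
	return base64.StdEncoding.EncodeToString(raw)
}

// sealedSecretJSON is a constructed SealedSecret manifest for default/mysecret.
func sealedSecretJSON() []byte {
	return []byte(fmt.Sprintf(`{"apiVersion":"bitnami.com/v1alpha1","kind":"SealedSecret",
 "metadata":{"name":"mysecret","namespace":"default"},
 "spec":{"encryptedData":{"password":%q,"user":%q}}}`, fakeSealedValue(), fakeSealedValue()))
}

func main() {
	fmt.Println("plain Secret:", checkManifest(plainSecretJSON))   // rejected
	fmt.Println("SealedSecret:", checkManifest(sealedSecretJSON())) // <nil>
}
```

The layout check cannot tell whether a value was sealed with the right certificate; only the controller can, when it creates the Secret. What the guard does catch is the common mistake this article opens with: the unsealed `mysecret-secret.yaml` being added to the repository next to the sealed one.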
### Registering the SealedSecret in the cluster
Check the Secrets and SealedSecrets in the default Namespace.
```
$ kubectl get secret -n default
NAME                  TYPE                                  DATA   AGE
default-token-726zt   kubernetes.io/service-account-token   3      90m
$ kubectl get sealedsecret -n default
No resources found.
$
```
Create the SealedSecret.
```
kubectl apply -f mysecret-sealedsecret.yaml
```
Confirm that the SealedSecret and the Secret have been created.
```
$ kubectl get secret -n default
NAME                  TYPE                                  DATA   AGE
default-token-726zt   kubernetes.io/service-account-token   3      92m
mysecret              Opaque                                2      35s
$ kubectl get sealedsecret -n default
NAME       AGE
mysecret   44s
$
```
Check the contents of the Secret and confirm that it has been decrypted.
```
$ kubectl get secret -n default mysecret -o yaml
apiVersion: v1
data:
  password: YWRtaW4=
  user: YWRtaW4=
kind: Secret
metadata:
  creationTimestamp: "2019-04-29T15:53:21Z"
  name: mysecret
  namespace: default
  ownerReferences:
  - apiVersion: bitnami.com/v1alpha1
    controller: true
    kind: SealedSecret
    name: mysecret
    uid: e9c83be3-6a96-11e9-a236-0800273bedc2
  resourceVersion: "7220"
  selfLink: /api/v1/namespaces/default/secrets/mysecret
  uid: e9ce139d-6a96-11e9-a236-0800273bedc2
type: Opaque
$
```
## Other notes
### Retrieving the private key
The private key (and certificate) is stored as a Secret, so back it up.
```
kubectl get secret -n kube-system sealed-secrets-key -o yaml > sealed-secrets-key.yaml
```
```yaml
apiVersion: v1
data:
  tls.crt: ...
  tls.key: ...
kind: Secret
metadata:
  creationTimestamp: "2019-04-29T15:02:28Z"
  name: sealed-secrets-key
  namespace: kube-system
  resourceVersion: "3499"
  selfLink: /api/v1/namespaces/kube-system/secrets/sealed-secrets-key
  uid: ce63cc15-6a8f-11e9-a236-0800273bedc2
type: kubernetes.io/tls
```
To decode and inspect the private key and certificate (public key) data, do the following.
```
# private key
kubectl get secret -n kube-system sealed-secrets-key -o json | jq -r '.data["tls.key"]' | base64 --decode
# certificate (public key)
kubectl get secret -n kube-system sealed-secrets-key -o json | jq -r '.data["tls.crt"]' | base64 --decode
```
To restore the private key, replace the Secret with the backed-up YAML and restart the controller Pod.
```
# kubectl replace takes the object from -f only; the backup already carries the namespace and name.
# When restoring into a different cluster, strip metadata.uid and metadata.resourceVersion
# from the backup first, otherwise the replace is rejected with a precondition/conflict error.
kubectl replace -f sealed-secrets-key.yaml
kubectl delete pod -n kube-system -l app.kubernetes.io/name=sealed-secrets
```