Sealed Secrets - the secret sauce for managing secrets
... provides the secret object. This solution falls short mainly because of: enforcement, RBAC ...
Bitnami Sealed Secrets (Bitnami-SS) is a robust solution to this problem. The main advantages/features of Bitnami-SS are:

... A sealed secret can be scoped to an exact name and namespace (mode=strict), to a namespace (mode=namespace-wide) or to the whole cluster (mode=cluster-wide). With this, the encrypted sealed-secret manifest can be stored in source control, and GitOps becomes possible again. :)
Installation
❯ helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-
❯ helm upgrade --install ss-app sealed-secrets/sealed-secrets --namespace=sealed-secrets --create-namespace --set=keyrenewperiod=1h
# Check
❯ kubectl get pods -n sealed-secrets
NAME READY STATUS RESTARTS AGE
ss-app-sealed-secrets-556c68c858-zshwb 1/1 Running 0 5m13s
Encryption

Install the kubeseal binary from https://github.com/bitnami-labs/sealed-secrets/releases

# Blueprint for a secret from literal
❯ kubectl create secret generic db-creds --from-literal=user=adam --from-literal=password=paSSwoRD --dry-run=client -o yaml | tee secret.yaml
apiVersion: v1
data:
  password: cGFTU3dvUkQ=
  user: YWRhbQ==
kind: Secret
metadata:
  creationTimestamp: null
  name: db-creds
# Create sealed secret manifest (and commit to source-code)
❯ kubeseal --controller-name=ss-app-sealed-secrets --controller-namespace=sealed-secrets -o yaml <secret.yaml | tee sealed-secret.yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: db-creds
  namespace: default
spec:
  encryptedData:
    password: ...
    user: ...
  template:
    data: null
    metadata:
      creationTimestamp: null
      name: db-creds
      namespace: default
Decryption and verification
# Apply the manifest
❯ kubectl create -f sealed-secret.yaml
sealedsecret.bitnami.com/db-creds created
# Check if decoding was okay
❯ kubectl logs -f ss-app-sealed-secrets-556c68c858-zshwb -n sealed-secrets
2022/04/25 09:10:30 Starting sealed-secrets controller version: 0.17.4
...
2022/04/25 09:10:31 HTTP server serving on :8080
2022/04/25 09:18:36 Updating default/db-creds
2022/04/25 09:18:36 Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"default", Name:"db-creds", UID:"7f6012e2-be9d-4512-a38a-710aa9cbd8be", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"35964", FieldPath:""}): type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
2022/04/25 09:18:36 Updating default/db-creds
2022/04/25 09:18:36 Event(v1.ObjectReference{Kind:"SealedSecret", Namespace:"default", Name:"db-creds", UID:"7f6012e2-be9d-4512-a38a-710aa9cbd8be", APIVersion:"bitnami.com/v1alpha1", ResourceVersion:"35966", FieldPath:""}): type: 'Normal' reason: 'Unsealed' SealedSecret unsealed successfully
# Check if secret got created
❯ kubectl get sealedsecrets.bitnami.com
NAME AGE
db-creds 114s
❯ kubectl get secret db-creds -o json | jq ".data | map_values(@base64d)"
{
  "password": "paSSwoRD",
  "user": "adam"
}
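A defender-side check that belongs beside this workflow, added here as an example and not part of the original post: a small lint that a pre-commit hook or CI job can run over manifests (parsed from `kubectl ... -o json` into dicts) so that only SealedSecret objects, never plain Secrets, reach source control, and so that a strict-scope SealedSecret has not been renamed or moved by hand. The annotation names used to detect the namespace-wide and cluster-wide scopes, and the template-consistency rule, are assumptions noted in the comments.

```python
import base64
from typing import Any, Dict, List

# Annotations kubeseal sets for the two relaxed scopes (assumed names; absent = strict).
NS_WIDE = "sealedsecrets.bitnami.com/namespace-wide"
CLUSTER_WIDE = "sealedsecrets.bitnami.com/cluster-wide"


def is_base64(value: Any) -> bool:
    """True if value is a well-formed base64 string (ciphertext and Secret data both are)."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (ValueError, TypeError):
        return False


def lint(doc: Dict[str, Any]) -> List[str]:
    """Return findings for one manifest (a dict as json.load gives for `kubectl -o json`).
    An empty list means the document is safe to commit."""
    findings: List[str] = []
    kind, meta = doc.get("kind"), doc.get("metadata", {})
    if kind == "Secret":
        # A plain Secret is only base64-encoded, never encrypted: every key is exposed.
        for key in list(doc.get("data") or {}) + list(doc.get("stringData") or {}):
            findings.append(f"plain Secret {meta.get('name')!r} exposes key {key!r}")
        return findings
    if kind != "SealedSecret":
        return findings  # other kinds are not this lint's concern
    spec = doc.get("spec", {})
    enc = spec.get("encryptedData") or {}
    if not enc:
        findings.append("SealedSecret has no encryptedData")
    for key, value in enc.items():
        if not is_base64(value):
            findings.append(f"encryptedData[{key!r}] is not base64 ciphertext")
    ann = meta.get("annotations") or {}
    scope = ("cluster-wide" if ann.get(CLUSTER_WIDE) == "true"
             else "namespace-wide" if ann.get(NS_WIDE) == "true" else "strict")
    tmpl = spec.get("template") or {}
    if scope == "strict":
        # Strict scope binds the ciphertext to name and namespace, so a renamed or
        # moved manifest will fail to unseal; flag the usual copy-paste mistakes.
        if not meta.get("namespace"):
            findings.append("strict scope but metadata.namespace is unset")
        for field in ("name", "namespace"):
            want, got = meta.get(field), (tmpl.get("metadata") or {}).get(field)
            if got is not None and got != want:
                findings.append(f"strict scope but template.metadata.{field} differs")
    if tmpl.get("data"):
        findings.append("template.data carries unencrypted values next to the ciphertext")
    return findings
```

Run it over every document in the repository before `git commit`; a non-empty list for any file should fail the hook.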
Reference

Original article: https://dev.to/ashokan/sealed-secrets-the-secret-sauce-for-managing-secrets-2hg6