Bitnami Sealed Secrets have a simple, yet not entirely straightforward, lifecycle because several moving parts are involved: the `SealedSecret` object you apply, the controller that unseals it, and the plain Kubernetes `Secret` the controller produces. The sections below walk through create, rename, update and delete, and point out where the encryption scope matters.
Create
# Assuming sealed-secrets was created with the helm chart way described in the previous post
# Pipeline: build a plain Secret manifest locally (--dry-run=client keeps it off the API
# server), pipe it to kubeseal, which encrypts it with the controller's public certificate
# (located via --controller-namespace/--controller-name), and apply ONLY the resulting
# SealedSecret. The plaintext Secret is never sent to the cluster by this command.
# NOTE(security): --from-literal=password=... puts the password on the command line, so it
# lands in shell history and is visible in `ps` while kubectl runs. For a real credential
# read it from a file or stdin instead (e.g. --from-file=password=/path, or the stdin form
# used in the Update section).
❯ kubectl create secret generic db-creds --from-literal=user=adam --from-literal=password=paSSwoRD --dry-run=client -o yaml | kubeseal --controller-namespace=sealed-secrets --controller-name=ss-app-sealed-secrets -o yaml | kubectl apply -f -
sealedsecret.bitnami.com/db-creds created
❯ kubectl get sealedsecrets.bitnami.com
NAME AGE
db-creds 10s
# also created is a kubernetes secret named "db-creds"
# The controller unseals the SealedSecret and writes a Secret with the same name in the
# same namespace; the Secret is owned by the SealedSecret (see the Delete section).
❯ kubectl get secrets
NAME TYPE DATA AGE
db-creds Opaque 2 17s
default-token-j8wnt kubernetes.io/service-account-token 3 6h11m
Rename
Under normal circumstances renaming a SealedSecret breaks decryption, because in the default `strict` scope the Secret's name and namespace are bound into the encryption: the controller will only unseal the blob into a Secret with exactly that name in exactly that namespace. Note that the `kubectl edit` error shown below is kubectl's own refusal to change an object's name in place; it is not the controller's decryption failure. To actually see strict-mode binding fail, export the SealedSecret to a file, change its name, and apply it as a new object — the controller is then expected to refuse to unseal it.
# Seal a second secret with the default (strict) scope. Same caveat as above: the password
# is passed on the command line and ends up in shell history / `ps`.
❯ kubectl create secret generic db-creds-alpha --from-literal=user=adam --from-literal=password=paSSwoRD --dry-run=client -o yaml | kubeseal --controller-namespace=sealed-secrets --controller-name=ss-app-sealed-secrets -o yaml | kubectl apply -f -
sealedsecret.bitnami.com/db-creds-alpha created
❯ kubectl get sealedsecrets.bitnami.com
NAME AGE
db-creds-alpha 84s
# try editing the name from "db-creds-alpha" to "db-creds-beta"
❯ kubectl edit sealedsecrets.bitnami.com/db-creds-alpha
# kubectl saves the rejected edit to a temp file; it contains only the sealed (encrypted)
# manifest, so nothing sensitive is left on disk here.
A copy of your changes has been stored to "/var/folders/1w/9brxn3wn27b3xgk2t7hj5ns40000gn/T/kubectl-edit-1525276124.yaml"
# This error comes from kubectl, which never allows apiVersion/kind/name to change in an
# in-place edit. It is NOT the sealed-secrets controller rejecting the decryption, so this
# step alone does not demonstrate strict-mode name binding.
error: At least one of apiVersion, kind and name was changed
For the SealedSecret to be renameable it has to be sealed with a looser scope: `--scope=namespace-wide` (any name, but only in the original namespace) or `--scope=cluster-wide` (any name in any namespace). This is a deliberate weakening of the binding: the sealed blob can then be re-applied under a different name — and, with cluster-wide scope, from any namespace — by anyone who is allowed to create SealedSecrets there. Choose the narrowest scope that fits, and for a one-off rename prefer re-sealing under the new name over widening the scope.
# Same command as before, but sealed with --scope=namespace-wide so the ciphertext is no
# longer bound to the name "db-creds-alpha" (it is still bound to this namespace).
# Password-on-argv caveat applies here too.
❯ kubectl create secret generic db-creds-alpha --from-literal=user=adam --from-literal=password=paSSwoRD --dry-run=client -o yaml | kubeseal --controller-namespace=sealed-secrets --controller-name=ss-app-sealed-secrets --scope=namespace-wide -o yaml | kubectl apply -f -
sealedsecret.bitnami.com/db-creds-alpha created
# edit name from "db-creds-alpha" to "db-creds-beta"
# /tmp/ss.yaml is presumably the kubeseal output from the command above saved to a file
# (not shown); it holds only ciphertext, so keeping it in /tmp is acceptable.
❯ vi /tmp/ss.yaml
# apply and verify
# `k` is an alias for kubectl in this transcript.
❯ k apply -f /tmp/ss.yaml
sealedsecret.bitnami.com/db-creds-beta created
# a new secret with the new name is created
# Note this is not an in-place rename: the original "db-creds-alpha" SealedSecret (and its
# Secret) still exists and must be deleted separately if it is no longer wanted.
❯ k get sealedsecrets.bitnami.com
NAME AGE
db-creds-alpha 3m4s
db-creds-beta 7s
Update
# assume sealed-secret is in sealed-secret.yaml
# Add one key to an existing SealedSecret: the new value is read from stdin (--from-file
# with /dev/stdin), sealed, and merged into the existing file with --merge-into; the
# already-sealed keys in sealed-secret.yaml are left untouched. Reading from stdin keeps the
# value off kubectl's argv, although `echo -n adminDatabase` still records it in shell
# history — for a real secret feed it from a file.
❯ echo -n adminDatabase | kubectl create secret generic mysecret --dry-run=client --from-file=db_name=/dev/stdin -o yaml | kubeseal --controller-namespace=sealed-secrets --controller-name=ss-app-sealed-secrets --merge-into sealed-secret.yaml
# "configured" (not "created"): the existing db-creds SealedSecret is updated in place and
# the controller re-unseals it, so the Secret picks up the new key.
❯ kubectl apply -f sealed-secret.yaml
sealedsecret.bitnami.com/db-creds configured
# Verification step only: this prints the decrypted values to the terminal (and possibly
# terminal scrollback/logs); do not run it casually against production secrets.
❯ k get secret db-creds -o json | jq ".data | map_values(@base64d)"
{
"db_name": "adminDatabase",
"password": "paSSwoRD",
"user": "adam"
}
Delete
# Deleting the SealedSecret also removes the Secret the controller generated from it.
❯ kubectl delete sealedsecrets.bitnami.com db-creds
sealedsecret.bitnami.com "db-creds" deleted
# Note: this also deletes the kubernetes secret named "db-creds"
# Deletion is not revocation: the sealed manifest (e.g. committed to git) can simply be
# re-applied and will be unsealed again, as shown in the Create section. If the underlying
# credential is compromised, rotate it, not just the Kubernetes objects.