►
From YouTube: TGI Kubernetes 132: Sealed Secrets
Description
- 00:00:00 - Welcome to TGIK!
- 00:04:31 - Week in Review
- 00:23:15 - Sealed Secret Overview & Install
- 00:37:21 - Sealing a Secret
- 00:52:49 - Retrieving the Public Key
- 00:55:28 - Exploring SealedSecret Scope
- 01:00:00 - Rotation: Secrets and Keys
- 01:15:37 - Multi-Cluster Sealed Secrets
- 01:30:28 - Wrap-up
Show notes up at https://github.com/vmware-tanzu/tgik/blob/master/episodes/132/README.md.
Come hang out with Joe as he does a bit of hands on hacking of Kubernetes and related topics. Some of this will be Joe talking about the things he knows. Some of this will be Joe exploring something new with the audience. Come join the fun, ask questions, comment, and participate in the live chat!
This week we are going to do a deep(er) dive on Sealed Secrets (https://github.com/bitnami-labs/sealed-secrets). This is a way to encrypt secrets in a way where you can check them in and manage them with the rest of your gitops-ish workflow. In this deeper dive where we plan to peek under the cover and look at some of the day 2 things like key rotation.
A
Hello,
everybody,
hello,
hello,
hello
and
welcome
to
tgi
kubernetes.
I
am
your
host
today,
joe
bida,
for
those
who
are
not
aware,
tgi
kubernetes
is
a
weekly
ish
actually
been
doing
really
well
trying
to
get
it
done
almost
every
week,
weekliest
youtube
live
stream
that
we
do
here
as
part
of
vmware
tonzu,
where
me,
or
some
of
my
colleagues
like
josh
or
you
know,
hopefully
we'll
get
some
more
folks
on
board
like
we
did
last
week,
show
up
and
really
help
to
talk
about.
A
You
know
discovering
it
with
folks
making
mistakes
showing
how
it
all
works
together,
and
this
time
we're
a
little
bit
in
between
so
we're
gonna,
be
the
plan
for
this
episode
is
to
dig
into
this
project
called
sealed
secrets,
which
I
think
is
really
really
cool.
So
that's
what
tgi
kubernetes
is.
We
are
now
on
episode,
132,
which
is
absolutely
crazy.
A
A
This
is
my
office,
overlooking
usually
I
can
see,
get
a
nice
view,
but
for
those
who
haven't
been
paying
attention
here
in
seattle,
we
have
a
lot
of
smoke
from
all
the
wildfires
on
the
on
the
west
coast,
and
so
the
air
quality
is
is
actually
pretty
crappy
these
days
I'll
here,
let
me
grab
this
I'll.
Show
you
what
I'm
dealing
with
I
I
now
have.
A
I
now
have
an
air
quality
meter
that
I
bought
on
amazon.
That
shows
me
sort
of
what
the
air
quality
problems
are.
The
green
screen
is
confusing
it
a
little
bit,
and
this
is
telling
me
that
currently
in
my
office,
the
2.5
nanometer
particles
are
37
micrograms
per
square
meter
or
cubic
meter,
which
is
not
good,
and
so
now
I
know
how
bad
the
air
is
in
my
office,
but
I
actually
don't
have
a
filter,
and
so
there's
like
nothing.
I
can
do
about
it.
A
So
I
think
you
know
around
here
we're
just
waiting
for
rain
so
that
we
can
actually
start
clearing
the
air
a
little
bit.
It's
been
pretty
rough.
Well,
let
me
start
off
by
saying
hello
to
everybody
from
around
the
world.
I
you
know,
I
really
love
the
fact
that
I
know
this
is
not
always
the
best
time
for
folks
around
the
world
to
be
able
to
join
us,
but
you
know
kick
back
grab
a
beer
hang
out
and
we'll
explore
some
kubernetes
stuff
together.
A
So
I
want
to
say
hello
to
to
to
steve
who
was
here
before
everybody
else
saying:
hi,
martin
from
the
netherlands
sevi
saying
hi,
also
waleed
good,
to
see
you
josh,
who
is
a
a
regular
host
now
saying,
hi
he's
been
doing
quite
a
few
of
these
things:
rory
bianca
hello,
ahmet
mona,
calling
in
from
germany
joy
from
richmond
tim,
which
has
a
cool
tim.
How
did
you
do
the
little
like
cat
emoji?
A
Is
that,
like
one
of
the
standard
emojis,
I
don't
know
that's
pretty
cool
jim
first
time
from
manchester
thanks
for
joining
us
anjuka
from
helsinki,
amim
paul
from
new
york
and
st
louis
sevy,
victor
from
new
york
rada,
good
to
see
you,
carlos
from
miami
very
cool
heim
from
israel,
israel,
tomas,
philip
from
germany
yeah.
This
is
just
crazy,
morteza
from
tyrann
good
to
see
you
gokhan
from
turkey.
A
Awesome
welcome,
welcome,
welcome
and
and
mas
emiliano.
I
just
want
to
say
it
I
mean
my
I'm
sure
my
italian
accent
is
horrible
call
you
know
joining
us
from
italy
and
then
deepti
from
vancouver.
I'm
sure
your
error
is
pretty
bad
up.
There
also
good
to
see
y'all
yeah,
132.
wow,
so
one
of
the
things
that
we
like
to
start
with,
as
we
get
going
is,
is
we
have
some
notes
and
we
have
a
sort
of
a
crowdsourced
document
that
you
can
all
join
us
at
in
the
the
url
here.
A
If
you
want
to
join
us,
is
tgik
dot,
io,
slash
notes.
Let
me
put
that
in
the
chat
here
for
folks,
okay,
dot,
io,
slash
notes.
I
was
gonna,
try
and
put
it
on
the
on
my
standard
sort
of
breakdown
on
the
screen
here,
but
I
started
doing
it
and
and
obs
defeated
me
in
the
10
minutes
I
allotted
before
the
before
the
the
live
stream
here
so
anyways
you
can
join
us
here
if
you
want
to
put
some
extra
notes
in
there
as
we
explore
stuff.
A
If
you
want
to
do
some
time
code
that
helps
me
out
later,
as
I
as
I
go
through
and
get
this
prepared
so
that
we
can
get
the
nice
indexing
in
youtube
after
the
fact
that'd
be
helpful,
but
let's
go
through
sort
of
news
of
the
week.
What's
been
going
on,
and
thank
you
huge
shout
out
to
george,
who
is
always
super
helpful
here
to
help
curate
these
links
make
sure
that
everything
moves
smoothly.
Thank
you.
A
So
much
george
you're
you're
a
huge
help,
don't
know
what
I
do
without
you,
so
so
core
kubernetes
the
1.20
release
cycle.
It's
been
a
pretty
light
week,
but
the
1.20
release
cycle
is
actually
started
in
the
and
the
release
manager.
This
time
around
is
jeremy
rickard.
So
you
know
thank
you
so
much
jeremy
for
taking
one
for
the
team.
This
is
a
big
job
and
I
think
a
big
part
of
it
is
executing
the
release
processes
for
kubernetes
itself,
helping
to
make
sure
that
things
converge
and
then,
along
the
way.
A
You
know
really
sort
of
leaving
the
campsite
better
for
the
folks
that
come
next
right
really
really
want
to
make
sure
that
every
release
goes
smoother
and
we
automate
things
and
we
make
it
smoother
one
release
over
the
other,
and
so
you
know
we're
on
you
know:
20
plus
releases.
Now
how
many
releases
has
it
been?
Because
I
mean
there
were
a
bunch
of
releases
pre
1.0
too,
and
it's
always
a
big
job,
but
hopefully
it's
getting
better.
A
You
know
over
time
you
can
so
you
can
go
to
the
kubernetes.dev
and
actually
see
all
the
information
about
the
release.
What
the
timeline
looks
like
who's
leading
it.
This
is
hugely
great
information
to
understand,
what's
happening
with
the
release-
and
you
know
big
shout
out
to
george
and
a
lot
of
the
folks
in
the
contributor
experience
sig,
who
put
together
the
kubernetes
contributor
website,
where
we
have
some
place
like
this
to
bring
all
this
stuff
together,
which
is
super
super
cool
and
yeah.
A
A
This
is
a
cv
in
the
linux
kernel,
but
it's
something
that
will
impact
a
lot
of
folks
that
are
dealing
with
containerized
issues,
and
so
the
idea
here
is
that
memory
corruption
can
be
exploited
to
gain
root,
privileges
from
unprivileged
processes,
and
so
the
idea
is
that
you
know
this
could
be
used.
I
think
the
fear
is
as
a
container
breakout.
A
I
haven't
taken
a
close
look
at
it,
but
sysdig
has
a
has
a
blog
post
here.
I
will
accept
cookies
around
what's
going
on,
and
so
one
of
the
things
here
is
that
the
it
looks
like
the
mechanism
here
is
through
cap
net
raw,
and
so
this
is
the
the
capability
in
the
kernel
that
lets
you
essentially
send
raw
packets
would
really
spoof
things
on
the
wire.
This
is
generally
not
a
good
idea
that
some
this
is
generally
not
something
that
you
want
to
give
to
containers.
A
There's
there's
really
only
very
few
places
where
you're
really
going
to
want
to
use
this,
and
so,
if
you're,
using
pod
security
policies,
you
should
really
be
using
those
to
drop
drop.
The
cat,
capnet
raw
or
you
know
other
mechanisms
to
make
sure
that
containers
as
they're
launching
are
not
actually
looking
for
this,
and
so
it
looks
like
it's
a
incorrect
offset
calculation
using
packet
sockets,
and
so
it's
a
relatively
you
know,
advanced
kernel,
feature
that
most
workloads
won't
actually
need
to
need
to
use.
A
Let's
see,
we
have
a
1.19.2
point
release,
let's
see,
looks
like
conversions
for
custom,
metrics
panic
in
cube
control
debug
when
the
pod
has
multiple
init
containers
or
ephemeral
containers,
and
so
it
looks
like
nothing
super
groundbreaking
here
I
mean
clearly,
if
you're,
hitting
that
it's
bad,
if
you're
using
custom,
metrics,
there's
probably
something
important
there
and
then
and
then
update
the
cni
plug-in.
So
this
is
just
a
release
thing,
so
nothing
too
outrageous
going
on
there
so
good
to
know.
That's
it's
good!
It's
always
good!
A
When
you
look
at
the
changes
and
you're
like
oh
no
big
surprises
there,
and
then
this
is
something
that
I
think
is
really
really
cool.
That
I'm
super
excited
about
is
there's
now
a
capability
in
kubernetes
and
here's
a
blog
post
on
it
for
returning
warnings,
and
so
this
is
one
of
those
things
where
we'll
do
things
like
deprecate
some
apis
or
find
that
somebody's
using
something
that
like
we're
like
hey.
A
You
know
what
we're
going
to
accept
this,
but
we
really
think
that
you
know
this
is
going
to
change
or
something's
going
to
be
happening
over
time,
and
we
really
didn't
have
a
way
to.
We
really
didn't
have
a
way
to
actually
return
those
signals
to
users
and
things
like
cuba,
as
they
call
things
for
cube
control,
and
so
this
is
a
great
example
here
of
like
now.
A
We
can
actually
go
ahead
and
do
this
and,
if
you're
using
say
the
wrong
version
of
ingress,
we're
going
to
say,
hey,
you
know
it's
deprecated
and
it'll
become
unavailable
in
this
future
version.
So
this
is
really
a
great
way
such
that
these
deprecations
and
scheduled
removals,
which
we
do
multiple
versions
in
advance
right,
so
we're
looking
at
1.22,
which
is
probably
not
another,
six
or
nine
months
from
now.
A
You
know
we
want
to
make
sure
that
we
give
folks
fair
warning
as
this
stuff
happens
and
it
doesn't
sneak
up
on
them
and
we
really
haven't
had
great
mechanisms
to
return
it.
So
I'm
really
excited
to
see
that
we
now
have
these
mechanisms
for
returning
warnings,
and
so,
let's
see
so
and
then
there's
ways
that
you
can
actually
there's
metrics
for
showing
you
that
hey
you're
making
a
request
to
a
deprecated
api.
A
A
And
then
this
also
applies
to
crds,
which
is
super
cool
also,
and
so
you
can
say,
here's
the
deprecated
warning,
like
you
know,
hey
this
this
you
know,
example
blah
blah
blah
very,
very
exciting.
I'm
you
know
this
is
really
exciting
stuff,
and
then
you
can
do
something
warnings
of
as
errors
where
it's
like
hey.
If
you
get
a
warning,
you
want
to
make
sure
that
you,
you
know,
cube
control
exit
exits
out,
instead
of
actually
continuing
to
execute
that
so
very,
very
cool.
That's
that's!
A
Exciting
usability
thing
that
we're
actually
seeing
going
on
there.
Okay,
so
we
had
some
something
got
messed
up
in
my
in
the
hey
george.
Can
you
look
at
fixing
this?
Something
got
got
kind
of
screwed
up
in
the
in
the
in
the
notes
here
looks
like
things
got
jumbled
any
idea
if
oppa
can
take
advantage
of
the
deprecation
features,
I
don't
know.
I
think.
A
Let's
see
where
did
the
warnings
are
now
a
thing?
Okay,
so
we'll
go
through
and
look
at
this.
It
says
that
you
know,
let's
see
admission
web
hooks
our
primary
way
to
integrate
custom
policies
to
allow
a
request
to,
but
warn
about
configuration
yeah.
It
looks
like
those
warnings
are
actually
supported
now
and
so
yeah.
I
would
imagine
that
this
is
something
that
could
work
with
opa
that'd
be
actually
a
fun
thing
to
try.
A
A
So
there's
a
link
to
the
cap
that
will
actually
get
in
there
and
then
I
know
jordan
liggett,
who
did
a
lot
of
the
work
behind
this
gave
a
demo
at
the
at
the
the
kubernetes
community
meeting,
and
so
that's
something
that
you
can
dig
into
also
super
cool.
So
let's
check
the
cap
real,
quick
yeah.
So
this
is
actually
I
mean
like
this
is
a
great
way
to
look
at
like
okay.
What
do
we
want
to
do
with
a
cap?
Because
this
is
the
type
of
thing
where
it's
a
good
thing?
A
Everybody
can
agree
to
it,
but
there's
a
ton
of
decisions
to
be
made
about.
How
do
we
do
this
in
the
api?
Where
do
we
do
it
like?
How
does
this
impact
cube
control?
So
this
is
the
type
of
thing
that's
going
to
really
sort
of
impact,
a
different
parts
of
it
and
using
the
kep
process
as
a
way
to
really
make
sure
that
everybody's
on
the
same
page
before
folks
put
a
ton
of
work
in
here,
and
so
you
know,
I
love
seeing
this
stuff.
A
You
know
and
then
there's
the
implementation
history
of
like
okay,
this
stuff
was
started
in
april
and
you
know-
and
now
it's
now
it's
beta
and
it's
actually
making
progress.
So
great
example
of
the
kep
process
kept
process
in
action.
Oh
steve's
asking
what
about
the
t-shirt
today?
This
is
a
t-shirt.
Oh,
I
love
this
I'll
do
a
little
plug
here,
because
I
love
these
folks.
A
But
my
favorite
and
I
bought
a
lot
of
these
things
is:
is
they
make
some
star
wars
playing
cards?
And
so
there's?
This
is
a
dark
side
playing
card
and
this
is
the
light
side
and
if
you
go-
and
if
you
you
know,
if
you
go
to
their
page
online
you'll,
see
that
actually
all
the
face
cards
are
characters
from
the
star
wars.
Series
super
super
cool
and
yeah,
the
but
the,
but
all
their
playing
cards
are
beautiful,
and
so
it's
the
type
of
thing
where
it's
like
they're
a
luxury.
A
But
it's
like
a
10
luxury.
So
it's
like
it's
something
that
you
can
like
splurge
on,
but
not
feel
too
bad
about
splurging
on
which
is
really
fun,
all
sorts
of
really
cool
stuff.
There,
all
right
cool,
all
right
so
now
across
the
the
rest
of
the
cloud
native
ecosystem
gitlab
had
a
great
blog
post
that
yeah.
A
So
you
know
I
I
usually
carry
some
of
these
around,
and
so
I
you
know
I
wanna
the
biggest
star
wars
fan,
I
know,
is
tim
hawkin
who,
who
leads
up
a
lot
of
the
a
lot
of
the
cig
networking
stuff,
but
he's
been
in
kubernetes
forever
huge
star
wars
fan.
I
had
these
in
my
bag
for
next
time.
I
saw
him
and
I
was
going
to
give
it
to
him.
A
You
know
at
the
next
cube
con,
but
then
you
know
covet
hit
and
all
the
cube
cons
got
cancelled
or
went
virtual,
and
so
I'm
really
sad
that
I
haven't
had
a
chance
to
give
them
one
all
right,
all
right,
cool,
so
yeah.
So
the
get
lab
folks
actually
had
this
great
blog
post
talking
about
what's
been
working
for
them,
what
hasn't
been
working
them
with
kubernetes?
A
And
I
really
love
seeing
these
things,
because
you
know
they
get
into
the
details
of
what
is
the
tool
set
that
they're
using
what
are
some
of
the
surprises,
because
they
did
a
bunch
of
stuff
where
they
were
running
clusters
cross
a
z.
They
saw
a
ton
of
traffic
cross
hazy
right,
not
surprising
and
and
that
would
that
ended
up
being
for
them
a
cost
on
aws
that
they
didn't
really
appreciate,
and
so
these
are
some
of
those
practical
learnings.
That,
I
think,
is.
You
know
super
valuable
to
folks
that
you
know
hey.
A
A
So
tell
me
more
about
this
george,
because
I
I
didn't
have
a
chance
to
look
at
this.
What
makes
this
different?
This
is
like
a
raspberry,
pi
kubernetes
cluster
thing:
what's
the
deal,
what
did
you?
What
did
you
say
this?
Is
clusters
on
raspberry
pi?
There's
a
ton
of
these,
but
the
author,
which
is,
which
is
george,
has
a
a
soft
spot
for
cube
admin
based
stuff,
okay,
so
running
a
raspberry
pi
kubernetes
cluster.
A
Okay,
this
is
a
cube
admin
based
experience
around
this.
To
really
show
you
how
it
works.
Okay,
very
cool-
you
know-
that's
been
on.
My
to-do
list
forever-
is
to
actually
build
a
raspberry
pi
cluster,
but
I've
never
had
the
time
to
get
around
it
like
I
keep
buying
arm
based
microcontrollers,
and
I
was
just
showing
george,
you
know
as
we
were.
A
We
were
talking
about
this,
but
before,
like
I've,
been
playing
a
lot
with
like
the
latest
one
I
bought
is
like
synthesizers
and
stuff,
and
I,
like
I,
I've
been
looking
at,
like
even
smaller
ones
like
this
is
what
I
have
here.
Where
did
it
go?
Is
this
one
called
the
teensy,
which
is
really
small,
and
you
can
do
a
lot
of
audio
stuff
with
it
and
stuff
so
like?
I
want
to
do
more
of
this
stuff
and
actually
start
creating
connections
to
kubernetes
clusters
and
I'd
love
to
play
with
raspberry
pi's.
A
A
A
Is
that
yeah,
so
there's
a
deprecation
timeline,
which
I
think
folks
should
be
aware
of?
Also
so
helm
3
was
launched
in
2019
helm
to
so
security
patches
until
november,
okay,
so
yeah,
so
we're
we're
we're
staring
down
helm2
deprecation,
something
to
be
aware
of
y'all
should
be,
should
be
aware
of
that:
okay
cool,
let's
go
back
here
and
then
okay,
so
somebody
put
in
a
link
here
to
the
the
cni
benchmark.
A
Now
this
is
really
interesting
here,
because
I
know
that
the
I
believe
the
folks
running
this
so
benchmarks
like
this
are
always
you're
like
okay,
who's
actually
running
it,
and
I
think
one
of
the
things
to
to
be
aware
of
here
is
that
you
know
sometimes
this
stuff
ends
up
being
run
by
folks
who
have
sort
of
a
horse
in
the
race
right.
So
you
always
want
to
be
careful
and
understand,
but
it's
really
interesting
to
see
folks
start
to
deal
with
this.
A
You
know
impacts
of
mtu
weavenet,
so
some
really
interesting
results
going
on
here.
So
there's
memory,
usage
versus
cpu
usage,
our
horse
in
the
race.
What
we've
been
investing
here
is
entreo,
which
looks
to
be
really
interesting.
So
a
lot
of
like
looks
like
they're,
really
examining
this
from
all
sorts
of
different
directions,
which
is
really
cool,
very
cool.
A
All
right
so
yeah,
so
if
you're,
if
you're
interested
in
pushing
kubernetes
networking
speeds,
you
know
and
performance,
this
looks
like
a
great
resource
to
at
least
understand
sort
of
some
of
the
ins
and
outs
and
the
things
that
you
really
want
to
take
a
take
advantage
of
very
cool
yeah,
and
I
I
like
to
see
that
that
entree
is
actually
coming
turning
up
well
here.
So
that's
really
good
to
see
all
right
cool.
Let
me
leave
the
look
at
the
chat
a
little
bit.
A
A
That's
electronics
that
doesn't
involve
computers,
and
I
know
that
there's
computers
like
built
into
each
one
of
the
modules
that
I'm
playing
with,
but
it
feels
like
you're
old
school,
doing
analog
stuff,
which
is
a
lot
of
fun
cool
and
then
like
yeah
and
then
a
pointer
to
the
theory
11
cards.
You
know
they
should
send
me
a
commission
all
right
awesome.
A
So
let's
go
and
start
digging
into
sealed
secrets,
and-
and
here
is
the
web
page
here,
so
I
don't
think
that
there's
anything
I
don't
think
we
have
an
official
fancy
web
page
beyond
and
so,
oh
first
of
all,
I
want
to
say
thank
you.
I
I
think
he
was
able
to
join
us.
Marco
has
been
doing
a
lot
of
the
work
to
maintain
sealed
secrets
here.
This
was
originally
started
by
a
bitnami
alum,
who
I
believe
last
I
heard
was-
was
at
aws
these
days.
A
This
is
angus,
lee's
and
so
marcos
has
been
doing
a
lot
of
the
work
here
and
just
a
big
shout
out
to
him.
What
time
zone
are
you
in
marco?
This
is
like
t.
This
is
you're
you're
in
a
time
zone
where
tgik
is
not
the
most
convenient.
So
thanks
for
really
making
the
time
to
join
us.
I
appreciate
it
so
the
idea
here
with
sealed
secrets,
which
I
think
is
really
interesting.
A
Oh
he's
in
utc
plus
two
so
yeah
yeah,
I
apologize
is
you
know
you
can
manage
all
of
your
kubernetes
and
I
love
the
problem
here.
I
can
manage
all
of
my
kubernetes
config
and
get
except
secrets,
because
it's
generally
a
really
bad
idea
to
check
secrets
into
your
git
repos.
It's
a
good
way
to
get
owned,
and
in
fact
you
know
there
are
folks
out
there
that
actually,
you
know,
monitor
all
check-ins
to
github
and
look
for
something
that
looks
like
hey.
This
is
an
amazon.
A
This
is
like
this
looks
like
an
amazon.
You
know
access
key
and
it's
gotten
so
bad
that
now,
amazon
and
github
themselves
will
monitor
for
those
things
and
warn
you
and
I
believe
amazon
might
even
auto
revoke
the
key
if
it
sees
one
of
these
things
checked
in,
and
so
you
know.
But
but
you
know,
amazon
access,
keys
and
github
access
keys.
A
Aren't
the
only
secrets
that
get
checked
in,
and
so
you
know,
and
especially
through
the
the
lens
of
things
like
git
ops,
and
this
idea
of
managing
everything
through
a
system
of
record
like
git
secrets,
end
up
being
a
real
thorn
in
your
side,
and
so
so
steve
is
suggesting
get
leaks
as
a
way
to
protect
this.
So
what
is
get
leaks.
A
This
looks
cool
scan,
git
repos
for
hard-coded
secrets.
Like
passwords
api
keys,
oh
very
cool.
You
know
I
would
be
cool
to
actually
scan
get
repos
for
anything
for
any
secrets
that
are
checked
in
right,
because
if
you
see
a
secret
yaml
that
looks
like
a
secret,
you
probably
shouldn't
check
it
in
that'd,
be
actually
pretty
cool.
A
So
paul's
saying,
if
you
put
your
aws
key
in
github,
you'll
get
several
emails
within
a
few
minutes
and
aws
does
revoke
it
within
minutes
or
so
a
friend
told
me
it's
too
easy
to
happen,
and
when
it's
once
it's
out
there,
you
can't
put
that
genie
back
in
the
bottle,
so
yeah
so
get
leaks,
looks
really
useful
here.
So
yeah
there's
you
know
defense
in
depth
right,
it's
not
just
about
encrypting
stuff.
You
also
want
to
make
sure
that
you
know
humans
make
mistakes
accidentally
check
stuff
in
get
leaks.
A
It
looks
like
a
really
cool
resource
there,
cool
all
right.
So
the
idea
here
is
how
do
we
actually
start
managing
secrets
in
the
same
way
that
we're
managing
the
rest
of
our
configs,
whether
you're
using
git
or
get
ops
or
whether
you're
using
any
other
mechanism
to
be
able
to
manage
this
stuff?
You
really
want
to
have
your
secret
sitting
next
to
everything
else.
A
I
believe
it
was
josh
did
one
of
them
at
least
and
touched
on
on
sealed
secrets
at
one
point,
but
he
was
really
looking
at
sort
of
like
how
do
secrets
work.
What
are
the
best
practices
around
secrets
at
the
cluster
itself?
Sealed
secrets
is
something
for
managing
config
before
it
hits
the
cluster
and
there's
a
little
bit
of
stuff
that
happens
in
the
cluster,
so
we'll
go
through
that
flow
and
really
get
into
into
some
of
the
details
there.
A
But
at
the
end
of
the
day,
what
it
is
is,
is
it's
a
it's,
a
crd
plus
a
controller
that
has
essentially
encrypted
data
and
then
that
controller
then
decrypts
that
data
and
creates
the
secret
for
you,
and
so
it's
really
a
way
of
like
you
know,
once
it
hits
the
cluster.
That
controller
will
decrypt
it
for
you,
so
it'll
actually
be
sitting
in
the
cluster
decrypted.
A
A
Oh,
this
is
new.
I
hadn't
seen
this
too
sealed
secrets,
as
templates
for
secrets
all
right,
we're
going
to
dig
into
that.
Okay,
I
I
reviewed
this
beforehand,
but
somehow
I
missed
oh,
I
I
skipped
over
that
okay
cool,
so
let's
actually
go
through
and
get
the
thing
installed
and
then
we'll
start
exploring
some
of
those
more
advanced
features:
okay,
installation!
A
A
Let
me
know
if
you
all
can't
see
this.
I
try
to
pre-flight
this
and
make
sure
it's
all
readable.
Okay.
So
what
do
we
got
going
on
here?
So
we
have
a
deployment,
that's
going
to
be
put
into
cube
system,
okay
and
then-
and
this
is
gonna-
have
a
single
replica
and
I'm
sure
that
you-
you
know-
I
don't
know-
I
wonder
marco-
can
you
run
multiple
replicas?
It's
a
sort
of
a
high
availability
thing.
Do
you
know,
and
it's
I
looks
pretty
simple:
we
got
a
single
container.
A
We
got
some
readiness
probes,
some
nice
things
here,
so
read.
Only
root
file
system
run
as
non-root
run
as
user.
So
a
lot
of
sort
of
lock
down
stuff
here.
This
is
actually
really
good
to
see
standard
in
ttys
and
it
has
a
a
temp
volume
mount
which
is
an
empty
dir.
Okay,
cool,
okay,
it's
noisy,
so
they'll
fight
with
each
other,
so
not
really,
okay,
so
yeah!
So
maybe
is
there
a?
A
Is
there
a
feature
request
in
the
sealed
secret
repo
to
do
sort
of
leader
election
types
of
things?
That
might
be
a
fun
that
might
be
a
fun
way
to
actually
have
somebody
help
contributing
here
to
this
that'd
be
a
fun
project
to
do
all
right.
So
let's
go
ahead
and
we
have
and
then
there's
the
custom
resource
definition
here
and
and
then
we
have
there's
a
role.
So
this
is
one
of
those
things
where,
let's
see
so
essentially
get
and
create
for
the.
A
A
A
Okay,
this
is
to
be
able
to
draw
back
the
public
key.
Okay,
moz
is
listening.
Well,
well,
I'm
driving,
while
they're
driving,
that's
funny.
Okay.
So
that's
really
interesting!
Okay,
so
this
is
the
proxy
resource.
Okay
to
be
able
to
actually
ask
for
the
public
key
okay.
I
want
to
dig
into
that
a
little
bit.
A
A
It's
fascinating
that
it
doesn't
have
the
ability
to
read
secrets
just
to
list,
but
I
guess
it
all
will
always
list
so
that,
actually,
when
you
do
a
list,
you
actually
get
the
full
contents
of
stuff.
Okay-
and
I
think
you
know
this-
oh-
and
this
is
the
unsealer.
No,
the
unsealer
does
get
the
ability
to
essentially
do
everything
you
need
with
secrets.
I
mean
you
know.
A
Usually
we
we
look
at
things
that
are
dealing
with
secrets
across
the
cluster
with
a
little
bit
of
side,
eye
but
kind
of
that's
this
thing's
job.
So
you
got
to
trust
it.
So
there
we
go
so
okay,
cool,
let's
go
ahead
and
we
will
apply
that.
I
have
two
clusters
running,
because
I
think
if
we
have
time
I
want
to
look
at
sort
of
like
can
we
create
one
secret
and
actually
deploy
it
to
multiple
clusters,
because
I
think
that
might
be
an
interesting
way
to
do
things.
A
A
You
know
anytime,
when
you
have
automated
systems,
it's
not
uncommon
for
there
to
be
things
that
you'll
call
secrets,
but
they
get
passed
around
as
values
like
everything
else.
I
think
you'll
look
at
this
with
config
systems,
like
I
mean
the
one
that
that
you
know
I'd,
be
you
know
like
puppet
salt
chef,
all
those
things
have
ideas
of
secrets
and
they
may
be
passed
around
encrypted,
but
like
the
means
to
decrypt
them
is
actually
fairly
widely
distributed.
Also,
I
think,
over
time,
we're
continuing
to
lock
secrets
down
more
and
more.
A
The
base64
encoding
has
nothing
to
do
with
encryption.
That's
just
a
way
so
that
you
can
actually
store
binaries
in
there
versus
you
know.
Having
to
you
know
manually
have
something
know
how
to
like.
You
know.
You
know
base64,
encode
and
decode.
That's
the
only
way
to
do
it.
That's
that's
the
only
reason
why
there's
base64
there
there
was
no,
never
a
plan
to
have
base64
look
like
it
was
encrypted,
but
I
don't
know
I
mean
like
I'm
like.
I
don't
know
if
we
should
rename
it.
A
A
Okay,
steve
says:
the
key
thing
to
remember
is
that
the
sealed
secret
can't
be
changed,
think
changing
namespace.
You
have
to
reseal
it
okay,
so,
like
the
you
know,
when
you
encrypt
it
it's
encrypted
for
a
specific
namespace,
you
can't
actually
reapply
it
to
another
namespace,
I
think,
is
what
steve's
saying
here:
okay
and
so
what
we
have
here
is
so
it
went
through
and
it
went
and
we
applied
it.
Cube
control,
get
pods,
namespace
equals
cube
system,
okay,
everything's
up
and
running
sweet
all
right.
A
So
now
the
the
main
so
now.
The
other
thing
that
we
have
here
is
that
we
have
a
thing
called
cubeseal,
which
is
the
companion
command
line
utility
that
actually
goes
with
this
stuff,
and
so
I
installed
that
let's
go
through
and
we'll
look
at,
you
know
the
instructions
for
installing
that
I'm
on
the
mac.
So
I
installed
that
with
homebrew,
but
that's
also
available
on
the
releases.
It's
a
go
binary,
and
so
it's
sort
of
self-contained
there.
So
you
can
go
ahead
and
do
that
all
right.
Here's
the
main
usage
here.
A
So
marco
says,
sealed
secrets
is
very
conservative.
We
try
to
avoid
you
shooting
yourself
in
the
foot
by
misconfiguring
your
r
back
et
cetera.
That's
also
why,
by
default,
it
lives
in
cube
system.
Okay,
all
right,
so
here's
what
we're
doing
so
bar
is
essentially
the
secret
that
we're
encrypting
and
then
we're
creating
a
generic
one
where
it's
essentially,
where
from
file
where
you
know
we're
reading
that
from
standard
in
and
then
and
then
echoing.
A
A
So
here
we
have
cat
mysecret.json
is
essentially
what
we
have
you
know
is
you
know
the
the
json
version
of
the
ammo
that
we
would
actually
be
upgrading
to
the
uploading
to
the
to
the
to
the
cluster,
and
so
we're
doing
this
just
locally,
and
so
we're
essentially
using
cube
control,
create
as
a
way
to
sort
of
template
and
do
the
base64
encoding
here
you
can
create
the
secret
yaml
any
way
that
you
want
to.
You
don't
have
to
use
cubecontrol
create
you
know,
but
this
is
just
a
convenient
way
to
script.
A
It,
let's
see
alex,
says
the
key
management
to
truly
in
cypher
secrets
is
really
tricky
in
such
a
dynamic
environment
like
kubernetes,
okay,
yeah.
So
there
we
go
and
then
maddie's
asking
about
a
key
rotation,
we'll
go
ahead
and
we'll
get
to
that.
So
this
is
that
base64
encoded
that
we
referred
to
earlier.
We
can
do
a
base64,
is
it?
A
Magic
happened
behind
the
scenes
there,
but
if
we
now
look
at
oh
we'll
pull
it
up
in
vs
code
here,
if
we
now
look
at
the
sealed
secret,
what
we'll
see
is
that
this
is
json
also
the
api
that
this
is
now
a
sealed
secret
instead
of
a
secret
right.
So
we
went
from
secret
to
sealed
secret
and
we
can
see
that
we
now
have
a
very
long
piece
of
text.
A
So
this
is
a
way
of
saying
bar
in
a
very
verbose
encrypted
way
and
so
yeah
now
what's
going
on
behind
the
scenes
there,
all
right
so
what's
happening
here-
is
that
the
controller
when
it
started
up
in
the
cluster
created
a
public
private
key
pair
and
the
way
that
public
private
key
pairs
work?
Is
that
essentially
it's
two
two
halves
of
a
key
and
you
can
encrypt
with
the
public
key
and
decrypt
with
the
private
key?
You
can
actually
do
the
opposite.
A
Where
you
can,
you
know
you
can
encrypt
with
the
private
key
and
decrypt
with
the
public
key
too,
but
that's
not
being
used
here.
That's
used
for
signatures
typically,
and
so
you
want
the
public
key
to
be
public,
and
so
what
cubeseal
is
doing
is
it's
reaching
out
to
the
cluster,
so
it
actually
won't
work
without
a
cluster.
A
There
we
go
so
now.
I
have
that
cluster
up
and
running,
and
so
we're
off
to
the
races
here
so
dennis
is
asking
any
reason
to
use
yaml
jason
instead
of
yaml.
I
think
jason's
just
safer
to
parse.
Generally
there's
you
know,
I
I'm
gonna,
give
a
talk
at
some
point
about
all
the
evils
of
yaml
and
sort
of
like
some
of
the
some
of
the
problems
that
and
opportunities
there.
A
Oh
okay
and
then
marco's
saying
that
now
you
can
actually
do
this
with
dash
f
and
dash
w,
so
it'll
write
to
disk.
So
you
don't
have
to
do
all
the
redirection
tricks
here,
which
is
useful
too,
all
right
so
cool.
So
we
have
this
up
and
running.
We
have
this
secret
and
and
if
we
go
through
and
if
we
do
a
cube
control,
get
secrets,
namespace
equals
cubeconfig
our
cube
system.
A
We
have
a
couple
of
files
here,
and
this
is
probably
the
public
in
the
private
key.
So
this
is
the
key,
and
then
this
is
a
public
certificate.
It
doesn't
have
to
be
a
certificate,
but
it
is
that
that
actually
shows
what's
going
on
here,
and
so
this
is
the
private
public
key
key
pair
that
we
actually
have
going
on,
and
so
what
I
believe
and
correct
me
if
I'm
wrong
marco,
is
that
you
know
we're
using
some
advanced
mechanisms
in
the
api
server
so
that
cubeseal
can
actually.
A
It
doesn't
actually
read
this
resource
because
that'd
be
pulling
the
private
key,
which
would
be
bad.
You
may
not
have
permission
for
it.
Instead,
what
it
does
is
it
actually
opens
a
a
tcp
connection
to
the
sealed
secrets:
controller
that
then
actually
publishes
the
preferred
public
key
to
be
using
back
out.
A
So,
let's
see
so
discussion
in
the
chat
talking
about
the
encryption
configuration
right,
so
this
is
about
how
do
you
secure
things
from
git
into
the
cluster?
There's
a
separate
sort
of
thing,
which
is
the
encryption
configuration
of
like
how
do
you
make
sure
that
you
actually
store
things
in
an
encrypted
way
when
you're
writing
to
etcd
inside
of
the
cluster?
And
so
really
it's
like.
There's
the.
A
A
A
A
A
A
We
can
see
it's
there,
but
one
of
the
things
that
we
can
do
now
is.
If
we
get
secrets
we
can
actually
see.
Oh
look,
here's
that
secret.
So
what
happens
is
the
controller
watches
for
any
sealed
secrets
and
then
decrypts
those
things
and
writes
out
regular
old
secrets?
So
now
I
can
go
through
and
I
can
get
secrets
my
secret.
A
A
Only
people,
with
with
permission
to
create
a
sealed
secret
in
the
in
the
right
name
space,
can
upload
that
and
then
only
with
people
that
have
access
to
read
secrets
from
that
namespace
or
start
pods
that
have
access
to
that
secret
are
allowed
to
actually
then
go
ahead
and
read
the
plain
text
to
the
secret.
So
if
I
were
a
different
user
that
weren't
admin
on
this
cluster,
I
wouldn't
be
able
to
read
this
secret
and
I
wouldn't
necessarily
be
able
to.
A
I
could
maybe
upload
it
to
the
wrong
name
space,
and
I
believe,
if
I
did
that,
then
the
the
the
the
controller
for
sealed
secrets
would
refuse
to
decrypt
it,
and
so
this
this
was
a
secure
way
to
get
the
secret
into
the
cluster.
But
once
it's
in
the
cluster,
it's
really
just
like
any
other
secret
that
you've
uploaded
to
the
cluster.
It
doesn't
actually
save
you
or
improve
security
once
things
are
in
the
cluster.
A
All
things
call
into
the
api
server
for
things
like
logs
for
things
like
these,
these
htv
things
it's
actually
one
of
the
few
cases
where
the
api
server
calls
out
to
the
cubelet,
it's
kind
of
an
exception
there,
but
it's
used
for
streaming
logs.
It's
used
for
for
things
like
this,
so
it's
a
little
bit
of
a
corner
case
that
I
think
if
we
had
to
do
kubernetes
over
again,
I'm
not
sure
how
we'd
fit
how
we'd?
A
So
steve
says
the
controller
is
globally
scoped
in
terms
of
access
to
sealed
secrets
by
default
from
memory
yeah.
I
think
the
controller
will
look
at
everything,
but
I
believe
and
marco
correct
me
if
I'm
wrong-
and
I
think
this
is
one
of
the
advanced
features
that
we
can
get
to-
that
when
you
actually
seal
a
secret,
you
can
seal
it
for
a
specific
name
space
or
you
can
actually
seal
it
across
the
cluster
and
I
think
that's
something
that's
worth
getting
into
so
there
we
go.
A
So
some
of
the
sort
of
the
next
things
that
we
want
to
actually
start
talking
about
here.
So
I
want
to
understand
this
template
thing,
but
like
things
that
I
want
to
investigate
with
the
rest
of
tgik,
what
is
certificate
rotation?
Your
secret
rotation
looks
like
what
are
the
different
types
of
rotation
and
how
do
those
work?
How
would
we
actually
make
this
work
across
multiple
clusters?
Can
I
actually
have
one
secret
that
I
can
actually
deploy
to
multiple
clusters?
A
A
The
previous
example
only
focus
on
encrypted
secret
items
themselves,
but
the
relationship
between
sealed
secret
custom
secret
and
says
similar
in
many
ways
to
the
deployment
and
pod
in
particular,
the
annotation
labels
of
a
sealed
secret
resource
are
not
the
same
as
the
annotations
of
the
secrets.
Okay,
I
get
it
so
this
is
like
what
are
the
things
that
we
want
to
actually
put
on
the
metadata,
what
is
sort
of
the
the
metadata
template
of
the
secret
that
we're
going
ahead
and
creating?
A
A
A
A
A
A
Boom,
so
now
what
we
did
is
we
sealed
the
secret
without
actually
having
access
to
the
cluster,
and
so
that's
that's.
An
important
thing
is
that
you
may
actually
have
situations
where
you
want
to
see
all
the
the
the
oh
I
could.
I
could
pass
dash
and
default
to
the
cubeseal
also,
but
you
may
have
situations
who
weren't
a
seal:
the
secret,
where
you
know
you
don't
have
immediate
access
to
the
cluster.
So
that's
a
useful
thing
to
know
there.
A
A
So
now,
I'm
going
to
look
at
my
sealed
secret
and
I'm
going
to
be
like
I'm
a
hacker
I
want
to
go
through,
and
I
want
to
change
the
name
space
here
to
test
instead
of
default
and
I'm
like
well,
I
got
access
to
this.
I
have
access
to
the
test
namespace
on
this
cluster,
but
I
don't
have
access
to
the
default
namespace.
Now
I
can
do
a
cubecontrol
dash
n
test
apply
dash
f,
my
field
secret.json
that
went
ahead
and
created
it.
A
But
that's,
I
believe,
where
the
sk,
the
scope
feature
comes
in
so
now
we
can
go
through
and
we
can
say
strict
and
this
is.
It
must
be
sealed
with
exactly
the
same
name
and
namespace,
but
we
can
actually
change
this
so
that
it
can
actually
be
cluster-wide,
and
so
now
let's
go
through
and
actually
let's
seal
the
secret
again.
A
A
A
A
So
now
it
got
deployed
here
now.
If
I
do
a
get
now,
you
can
look
and
see
that
oh,
it
went
ahead
and
actually
decrypted
it
for
me
and
so
yeah.
So
you
get
the
choice
of
whether
you
want
to
actually
seal
the
secret
just
for
a
very
specific
name
and
namespace,
whether
you
want
to
do
it
across
the
namespace,
where
you
can
rename
it
like.
A
Oh,
it's
raining
outside.
That's
really
good
news
for
the
air
quality,
I'm
very
excited!
So
that's
actually!
So
that's
a
that's
a
really
cool
feature
there
and
I
think
it
shows
you
that,
like
I'm
sure
over
time
the
whole
subtleties
around
namespace
name,
specific
versus
cluster
wide
a
lot
of
folks
have
sort
of
hit
their
heads
against
that,
I'm
I'm
sure,
okay
yeah
mark.
This
is
really
interesting.
The
annotation
gets
put
in
the
template
so
that
it
actually
gets
copied
into
the
decrypted
secret
so
that
you
can
actually
round
trip
this.
A
So
if
you
actually
go
ahead
and
pull
it,
you
can
actually
change
it
and
then
re-encrypt
it
without
actually
losing
some
of
that
metadata
yeah.
So
that's
actually
really
cool.
So
that's
a
that's
a
sort
of
reality
of
this
that
round-tripping
and
keeping
making
sure
that
these
parameters
are
round-tripped
with
it
that
I
I
hadn't
really
understood
before.
So
that's
really
cool
to
to
see
how
that
works
all
right.
So
that
is
the
way
that
this
stuff
works
very,
very
cool
now.
A
Okay,
marco
says:
the
main
problem
is
that
the
error
messages
are
currently
crap
like
there
is
no
way
to
get
feedback
that
hey.
You
know,
I
wasn't.
I
didn't
decrypt
this
because
it
was
only
to
you
know
you
were
using
it
on
the
wrong
name
space,
something
like
that
yeah.
The
way
I
would
do
that
is,
I
would
have
like
a
condition
in
the
status
of
the
sealed
secret.
That
would
be
the
probably
the
right
way
to
deal
with
that,
all
right,
so
key
rotation.
A
A
The
second
thing
that
we
want
to
worry
about
rotating
is
the
secrets
yourself
right
so,
like
you
know
any
secrets
that
you're
putting
in
there,
you
probably
want
to
go
ahead
and
rotate
those
things
sealed
secret
cannot
rotate
your
secrets.
What
sealed
secrets
can
do
is
actually
rotate
the
key
that
it
uses
and
by
default,
that
happens
every
30
days,
and
what
happens
is
that
when
it
actually
happens
every
30
days,
the
sealed
secret
controller
will
go
ahead
and
create
a
new
secret.
A
A
new
key
value,
public
key
private
key
pair
it'll
keep
the
old
private
keys,
but
it'll
only
then
serve
up
the
latest
version
and
correct
me.
If
I'm
on
marco
it'll
only
serve
up
the
latest
public
key,
and
so
that
means
that
at
that
point,
when
the
the
the
controller
does
this
a
key
rotation,
all
secrets
encoded
after
that
point,
will
go
ahead
and
be
encoded
with
the
new
key,
but
all
secrets
that
you
were
sealed
beforehand
that
are
now
checked
into
git.
That
may
be
six
months
old.
A
On
the
so
maddie's
asking,
how
does
it
maintain
mappings?
My
guess
is
that
there
may
be
a
key
id,
that's
encoded
in
the
in
the
sealed
secret
or
it
just
tries
them
all
and
sees
which
one
works
right.
Let's
think
at
some
point,
like
you
know
there,
there's
that
might
be
something
that
works.
Also,
I'd
I'd
be
interested
to
know
whether
there's
actually
a
key
id
that
ends
up
being
getting
used
as
part
of
this
okay,
so
we
can
do
date,
dash
r,
that's
the
current
date.
A
A
Now
what
we
see
is-
and
I
don't
know
but
like
the
certificate
here-
I
think-
is
probably
a
new
certificate
and
but
this
key
is
probably
includes
both
keys,
I
believe-
or
maybe
let's
actually,
let
me
see
here-
secrets
yeah,
so
it
now
has
a
secret,
but
my
guess
is
that
the
private
key
is
actually
now
contains
multiple
private
keys,
all
the
old
private
keys
too,
and
so
I
mean
we
can
go
through,
and
let's
do
this
I'll
grab
this.
It
will
do
pb
paste
base
64-d.
A
A
A
A
I
would
expect
that
this
would
actually
create
a
new,
a
new
one,
so
like
what
I
was
doing
is
the
early
key
renewal.
The
key
can
be
generated
early
by
passing
the
current
timestamp
to
the
controller
into
a
flag
called
key
cutoff
time
so
should
be
seems,
correct,
okay,
but
yet
here
we
are,
let
me
go
through
and
let's
do.
A
A
A
We
can
find
that
these
things
are
now
different
because
oh
well,
one
of
them
was
cluster
wide
and
one
of
them
wasn't
but
like,
but
the.
But
it's
actually
now
using
that
new
certificate
that
it
actually
grabbed
down
from
the
cluster,
and
so
we
can
go
through
and
yeah.
There
would
have
been
different.
Oh
does
it
actually
put
a
time
stamp
in
there,
so
they
would
have
been
different.
Anyways,
okay,
my
cert.
A
So
that's
the
way
that
you,
you
rotate
it
but
again
sort
of
like
we
can
still
have.
You
can
have
a
whole
bunch
of
secrets
that
are
now
encoded
with
the
old
secret,
and
so
that's
something
that
you
actually
want
to
be
able
to
to
to
be
aware
of,
and
so
a
couple
of
things
that
you
want
to
do
for
good
hygiene
as
you
use
these
systems
over
time
every
once
in
a
while.
A
A
Steve's
saying
that
they
auto
they
automated
in
metal
encrypted
the
same
clear
that
creates
two
different
type:
it's
not
it
uses
a
non.
Oh
there's
a
nonce
in
it,
okay,
cool
and
so
there's
a
re-encrypt
which
is
essentially
says,
use
the
re-encrypt,
the
given
sealed
secret
to
use
the
latest
cluster.
So
how
does
that
work?
I.
A
Wonder
so
maddie's
asking
about
the
private
keys
for
the
life
of
the
clusters
yeah.
So
the
first
thing
you
want
to
do
is
you
want
to
automate?
You
want
to
actually
re-encrypt
this
stuff
here.
So
let's
go
ahead
and
do
this
so
we're
going
to
go
through
and
we're
going
to
do
re-encrypt.
My
sealed!
Well,
that's
wrong!
Okay!
So
we're
gonna
do
re-encrypt.
A
Oh
look
at
that.
It's
duffy,
hey,
how's,
it
going
duffy,
so
this
is
really
cool.
So
what
it
does
is
that
when
you
do
this
rotation,
you
want
to
do
the
rotation
on
a
sealed
secret,
but
you
don't
want
to
necessarily
see
ever
see
the
private
key
and
you
may
actually
only
have
the
crypto
text
and
so
the
way
the
rotation
does.
Is
it
actually
uses
that
same
mechanism
to
talk
to
the
controller
and
calls
a
different
endpoint
on
that
controller?
Saying
rotate
it?
A
And
so,
when
you
rotate
it,
you
send
it
one
sealed
secret
and
it
sends
you
back
a
new
re-encrypted
version
of
that,
and
so
this
actually
uses
this
so
that
you
actually
never
see
the
private
key.
And
so
this
is
great
because
you
can
do
a
whole
bunch
of
workflow
here
with
never
actually
seen
the
private
key.
A
So
that's
pretty
cool
yeah.
So
right
only
that's
super
cool
okay,
so
you-
and
so
so
good
hygiene
is
like
once
in
a
while
once
a
month
once
every
couple
of
months.
You
want
to
go
through
and
do
this
re-encrypt
or
better.
Yet
you
want
to
rotate
your
secrets
right
because
you
shouldn't
be
using
any
passwords
over
the
long
term
anyways.
But
you
know
oftentimes,
those
secrets
are
manual
and
you
don't
want
you
know
and
rotating
them
as
a
pain.
A
So
you
should
at
least
make
sure
that
you're
using
the
latest
certificate
from
sealed
secrets
and
then
the
question
that
that
lamati
had
which
is
like
hey.
Does
it
keep
these
things
around
forever?
And
the
answer
is
yes,
it
does
and
so
like
when
we
went
through
and
we
actually
looked
at
see,
get
secrets.
A
It
would
be
useful,
I
think,
to
to
be
able
to
do
an
audit
to
actually
say.
Are
there
any
sealed
secrets
in
my
cluster
that
are
encrypted
with
a
secret,
that's
more
than
like,
say
six
months
old?
So
I
think
I
could
see
some
mechanisms
for
being
able
to
say:
hey.
Does
my
cluster
have
a
clean
bill
of
health?
Is
it
safe
for
me
to
actually
delete
and
garbage
collect
this
stuff?
That
would
actually
be
be
something
that
would
be
useful
here.
A
A
A
Oh,
this
is
weird
okay
ceiling,
key
with
anything
other
than
active
all
right.
Well,
let's
get
into
that
we'll
go
ahead
and
look
at
that.
Okay,
so
what
we
have
here
is
we
have.
This
is
the
new
secret
that
I
just
created:
okay
and
so,
and
let's
make
sure
that
cube
seal
oh
and
then
move
temp
dot
jason
to
my
sealed
seagra.json.
So
now
this
is
actually
signed
with
the
new
key.
A
Okay
and
then
we
can
do
cube
control,
get
secrets
all
right.
So
we
got
this
up
and
running.
It's
been
there
for
a
while.
Nothing
has
changed,
and
then
marco
says:
okay,
you
you
need
to
manually
kick
the
sealed
secret
pod
when
you
copy
around
private
keys.
Okay,
yeah!
That's
going
to
be
another
issue.
A
I
should
get
on
that
ceiling.
Key
ceiling,
key
dot,
json,
okay.
So
now
we
have
the
ceiling
key
dot
json.
This
is
literally
the
keys
to
the
kingdom
right
here,
so
you
do
not
want
to
check
this
one
in
do
not
check
it.
In
so
steve,
says:
sealed
secrets
is
painful
unless
you
actually
do
that
yeah.
Okay!
So
now
I
have
another
cluster
here.
A
So
this
is
a
kind
cluster
that
we
haven't
done
anything
with
already
I'm
gonna
do
a
q,
a
cube
control,
apply,
dash
f,
I'm
going
to
actually
deploy
the
controller
here
and-
and
this
thing
is
up
and
running,
cube
control,
cube
system
get
pods
and
you
can
see
that
it's
been
running
for
12
seconds
again.
This
is
cluster
two,
I
don't
know
if
you
can
see
up
in
the
corner
here
we
have
kind
two
versus
kind
one.
A
A
It's
cluster
wide,
so
it
should
be
fine,
okay,
all
right,
so
that
created
it's
fine,
yeah,
hey,
no
problems,
cube
control,
get
secrets,
but
it
hasn't
decrypted
it
because
literally
this
cluster
can't
decrypt
it.
It
does
not
have
the
private
key
to
decrypt
that
that
particular
secret.
So
let's
give
it
that
private
key
so
that
it
can
go
ahead
and
actually
decrypt
that
secret.
So
if
we
go
through,
we
have
our
ceiling
key
here,
and-
and
here
you
can
see
this-
is
the
the
label
name
active
that
says
hey.
A
A
A
One
of
the
other
things
that
we
need
to
do
is
we
need
to
actually
go
through
and
actually
kick
the
the
controller
to
actually
have
it
go
through
and
update
and
the
way
I'm
gonna
do.
That
is
we
don't
need
it
anymore,
so
I'm
gonna
go
through
and
I'm
going
to
delete
that
cut
off
time
thing
that
I
added
earlier
so
now
when
I
apply
the
controller.
A
A
So
I
think
that
there's
you
know
another
place
where
I
think
it
would
be
cool
to
have
is
to
have
some
workflow
really
well
documented
for
how
you
actually
manage
ceiling
secrets
across
multiple
clusters
and
there
you
know
and
there's
there's
another
interesting
feature
here
would
be
like
being
able
to
actually
say
well.
This
particular
ceiling
secret
can
only
be
used
with
these
name
spaces.
I
don't
know,
I'm
wondering
what
the
scenario
would
be
there,
but
I
can
imagine
that
there
might
be
some
scenarios
that
would
actually
work
for
that.
A
So
that
is
that
is
really
cool,
because
I
think
that's
one
of
the
things
that's
like
hey.
This
works
great
in
one
cluster.
How
do
you
actually
start
dealing
with
it
anger
with
multiple
clusters,
and
so
one
answer
there
could
be
that
you
actually
have
multiple
sealed
secrets
based
on
which
cluster
you're
targeting,
but
the
other
answer
would
be
to
start
using
the
same
ceiling.
A
Key
across
multiple
clusters,
and
probably
as
you
did,
this
you'd
also
want
to
start
managing
the
certificate
that
you're
using
to
sign
it,
also
in
a
more
explicit
way.
So
you'd
probably
want
to
turn
off
the
rotation
that
happens
automatically
and
actually
manage
that
in
a
in
a
more
sort
of
explicit
way
across
cluster.
A
In
terms
of
when
you
update,
when
you
change
how
you
install
your
ceiling,
keys,
steve
says
that
we
have
that
set
up
for
pi
specific
name
spaces,
that
only
certain
people
can
create
secrets
for
okay,
very
cool
yeah,
and
so
I
think
you
know
one
of
the
things
that
I
think
would
be
interesting
in
cube
seal.
I
wonder
if,
if
it
supports
this
is,
can
you
create
a
ceiling
secret
from
cubeseal
without
actually
running
the
controller.
A
So
that
way,
if
you're
managing
this
stuff,
you
don't
have
to
sort
of
like
you
know
fuss
with
the
controller
to
create
a
secret
so
that
you
can
actually
go
through
and
then
have
this
stuff
use.
It
and
I
don't
know,
there's
the
recovery,
unsealed
decrypt,
a
sealed
secrets
file
obtained
from
standard
in
using
the
private
key
passed
in
with
recovery,
private
key,
okay,.
A
Re-Encrypt,
so
you
can
unscale
the
secret
manually
with
recovery,
but
I'm
wondering
like
is
there
so
I?
What
I
have
here
is
I
have
the
the
ceiling
key
right.
This
thing
here
that
what
I
did
is
I
manipulated
a
controller
to
automatically
create
one
of
these
things,
and
then
I
grabbed
it.
I'm
wondering
like
if
I
wanted
to
have
a
multi-cluster
flow,
where
the,
where
I
wanted
to
say,
hey
controller,
never
create
a
ceiling.
Key,
that's
going
to
be
managed
from
the
outside.
A
A
You
know
there's
this
idea
like
you'd,
have
one
primary
cluster
and
a
bunch
of
secondary
clusters.
But
could
you
actually
say?
Oh,
I
don't
have
a
primary
cluster.
I
actually
want
to
have
my
you
know:
command
line
tools,
a
manual
process
for
actually
managing
creating
that
that
might
be
something
that
would
be
interesting
for
that
flow,
but
very
cool.
So
hopefully
I
think
you
know
I'm
running
down
the
clock
here
and
I
think
we've
covered
a
lot
of
the
the
highlights
of
what
we
want
to
do
here.
A
So
a
couple
of
takeaways
here
is
you
know.
First
of
all,
sealed
secrets
is
not
a
replacement
for
encrypted
secrets
in
a
cluster.
You
know
it's
a
that's
one
thing
to
actually
be
aware
of:
it's
really
about
sealed
secrets.
Is
how
do
you
get
you
know?
How
do
you
manage
secrets
through
things
like
get
ops
separately
from?
How
do
you
manage
the
secrets
in
the
cluster
right?
It's
about
getting
things
into.
A
The
cluster
second
thing
is
that
rotating
the
the
the
the
ceiling
key
in
that
cluster
is
a
little
bit
of
an
advanced
procedure.
It'll
happen
automatically
for
you,
but
if
you
want
to
make
sure
that
you,
you
can
rotate
that
you
have
to
go
back
and
essentially
reseal
or
re-encrypt
all
of
your
secrets.
Now
you
should
be
rotating
all
your
secrets
regularly
anyways
and
they
would
get
the
benefit
of
resealing.
But
it's
something
to
be
aware
of.
A
What
are
your
thoughts
on
placing
sealed
secrets
in
git
and
allowing
flux,
argo
cd
to
pull
those
into
a
cluster
yeah?
That's
exactly!
The
type
of
thing
that
you
want
to
do
is
that
you
want
to
be
able
to
put
these
things
and
get
deploy
them
like
you
do
like
you,
deploy
everything
else,
but
know
that
you
know
they're
not
going
to
accidentally
be
published
to
github
in
a
way
that
anybody
and
their
brother
can
decrypt
them.
A
That
say
you
want
to
be
careful
about
even
controlling
your
ciphertext
and
so
they're
sort
of
like
what
is
reasonable
and
what
is
sort
of
the
compliance
and
the
regulations
and
the
the
different.
You
know
the
different
requirements
that
you
have
to
hue
to
so
sealed
secrets
is
secure
as
far
as
we
know.
A
As
far
as
the
public
key
cryptography
is
secure,
it's
still
worthwhile
to
think
about
protecting
the
ciphertext,
and
you
know,
and
and
there
are
going
to
be
environments
where
sealed
secrets
may
not
be
good
enough,
and
that's
just
something
that
you
have
to
know
your
environment.
You
have
to
know
what's
up
to
snuff,
and
you
have
to
be
careful
about
that
yeah.
So
marco
says,
with
respect
to
multiple
clusters.
One
big
feature
we're
working
on
is
to
support
kms
service
provided
by
major
cloud
providers.
Oh
that's
awesome!
A
So
now
the
ceiling
secret
is
not
actually
stored
in
the
cluster.
It's
something
that's
managed
by
some
external
service.
That's
actually
really
cool.
One
mo's
asking
was
storing
secrets
in
vault
covered
for
application
level
secrets.
No,
this
is
actually
something
that
would
be
separate
from
from
vault.
A
I
think
that
there
is,
you
know
I
would
be
interested
in
exploring
sort
of
the
interplay
between
how
things
work
with
vault,
where
you're
actually
having
the
secret
store,
someplace
else
and
you're
sort
of
bringing
them
into
your
workload
as
late
as
possible
versus
sealed
secrets,
and
are
there
ways
that
we
can
actually
sort
of
interplay
the
management
around
these
things,
so
very
cool
and
steve
says
this
is
what
eric
does
with
flux
and
sops.
He
links
his
blog
post
in
the
hack
md.
A
So
how
does
this
work
all
right?
So
this
looks
like
an
interesting
thing
to
look
at
so
you're,
using
something
like
create
key
with
a
kms
you're
using
flux
where
and
how
do
they
get
actually
decrypted?
Is
there
a
controller
that
does
this
or
you
leave
it
to
the
workload
to
actually
go
through
and
actually
decrypt?
It
is
that
the
idea.
A
A
A
So
flux,
maybe
does
flux,
actually
know
how
to
actually
deal
with
sops
directly
that'd
be
interesting,
okay,
cool!
Well,
that's
it
folks!
I'm
going
to
sign
off.
Let
me
switch
these
things
here.
Okay
and
so
moz
says
that
soft
has
nice
integration
with
customized
decrypt
secrets,
but
then
you
would
decrypt
them
on
the
way
to
the
cluster.
Okay,
I
get
it
so
you'd
be
doing
that
decryption
client
side
versus
server
side,
but
you
would
need
access
to
to
the
kms
provider
to
be
able
to
do
that
cool.
A
So
all
right
folks.
So
thank
you
for
joining
me.
This
was
a
a
little
bit
of
a
deep
dive
into
into
sealed
secrets,
something
that
I've
been
meaning
to
do
for
a
while,
because
I've
never
had
a
chance
to
actually
dig
into
this
level
of
detail,
so
really
cool
to
see
that
happening,
and
hopefully
this
is
useful
for
folks-
and
I
think
you
know,
understanding
the
different
pros
and
cons,
pluses
and
minuses
the
different
layers
of
security.
Here,
it's
complicated
stuff,
but
but
hopefully
you
know
we
have
the
right
tooling.
A
The
documentation
here
looks
great.
So
hopefully
this
is
something
that's
useful
and
you
all
can
start
applying
it
in
a
smart
way,
and
so
thank
you
for
joining
and
we
will
I'm
not
sure
who's
gonna
be
on
next
week.
Maybe
josh,
maybe
we'll
have
some
of
the
newer
folks
like
like
paul
and
who
was
who
did
it
last
week
I
wasn't
able
to
tune
in
it
was
paul
and-
and
I
haven't
met
her-
was
that
carla
who
was
helping
out
I'm
trying
to
remember
this?
A
Is
the
cora
cora,
paul
and
cora.
I
heard
they
did
a
great
job,
so
yeah,
so
maybe
it'll
be
paul
and
cora
next
week.
I
think
we
we
tend
to
play
by
play
by
air
and
see
who's
gonna
be
doing
this
week
to
week
but
tune
in
next
week.
I'm
sure
we're
gonna
have
something
exciting
from
one
of
us
and
thank
you
all
for
joining
us
and
have
a
great.