$ wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.12.5/kubeseal-linux-amd64
$ chmod 755 kubeseal-linux-amd64
$ sudo mv kubeseal-linux-amd64 /usr/local/bin/kubeseal
$ kubeseal --help
Usage of kubeseal:
      --add_dir_header                   If true, adds the file directory to the header
      --allow-empty-data                 Allow empty data in the secret object
      --alsologtostderr                  log to standard error as well as files
      --as string                        Username to impersonate for the operation
      --as-group stringArray             Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
      --cert string                      Certificate / public key file/URL to use for encryption. Overrides --controller-*
      --certificate-authority string     Path to a cert file for the certificate authority
      --client-certificate string        Path to a client certificate file for TLS
      --client-key string                Path to a client key file for TLS
      --cluster string                   The name of the kubeconfig cluster to use
      --context string                   The name of the kubeconfig context to use
      --controller-name string           Name of sealed-secrets controller. (default "sealed-secrets-controller")
      --controller-namespace string      Namespace of sealed-secrets controller. (default "kube-system")
      --fetch-cert                       Write certificate to stdout. Useful for later use with --cert
  -o, --format string                    Output format for sealed secret. Either json or yaml (default "json")
      --from-file strings                (only with --raw) Secret items can be sourced from files. Pro-tip: you can use /dev/stdin to read pipe input. This flag tries to follow the same syntax as in kubectl
......
$ kubeseal
(tty detected: expecting json/yaml k8s resource in stdin)
error: cannot fetch certificate: services "sealed-secrets-controller" not found
$ kubectl apply -f sealedsecret.yaml
sealedsecret.bitnami.com/ithome-example created
$ kubectl get SealedSecret
NAME             AGE
ithome-example   12s
$ kubectl get secret ithome-example
NAME             TYPE                             DATA   AGE
ithome-example   kubernetes.io/dockerconfigjson   1      16s
Now let's check whether the generated secret matches our original secret. Looking mainly at the contents of data, we can see that the encoded value of .dockerconfigjson is exactly the same.
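The comparison described above can be scripted so that the secret values never have to be read by eye or printed. This is an added example, not code from the original post: `secret_data`, `compare_secrets` and the sample manifests are hypothetical names and constructed data, and it goes slightly beyond the page by also accepting an original that was written with `stringData`.

```python
import base64
import hashlib
import json


def secret_data(manifest):
    """Return {key: raw bytes} for a Secret manifest.

    stringData entries override data entries, as the API server does on write.
    """
    out = {k: base64.b64decode(v, validate=True)
           for k, v in (manifest.get("data") or {}).items()}
    for k, v in (manifest.get("stringData") or {}).items():
        out[k] = v.encode()
    return out


def compare_secrets(original, unsealed):
    """Return a list of differences; an empty list means type and data match.

    Only short SHA-256 prefixes are reported, so values never reach the terminal.
    metadata is intentionally not compared.
    """
    diffs = []
    t1, t2 = original.get("type", "Opaque"), unsealed.get("type", "Opaque")
    if t1 != t2:
        diffs.append(f"type: {t1} != {t2}")
    a, b = secret_data(original), secret_data(unsealed)
    for key in sorted(set(a) | set(b)):
        if key not in a or key not in b:
            diffs.append(f"{key}: present in only one secret")
        elif a[key] != b[key]:
            ha, hb = (hashlib.sha256(x).hexdigest()[:12] for x in (a[key], b[key]))
            diffs.append(f"{key}: sha256 {ha} != {hb}")
    return diffs


# Constructed sample data (not from the page): a docker-registry secret as written
# by hand with stringData, and the same secret as the cluster would return it.
_CFG = json.dumps({"auths": {"registry.example.com": {
    "auth": base64.b64encode(b"user:constructed-password").decode()}}})
ORIGINAL = {"kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
            "metadata": {"name": "ithome-example"},
            "stringData": {".dockerconfigjson": _CFG}}
UNSEALED = {"kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
            "metadata": {"name": "ithome-example"},
            "data": {".dockerconfigjson": base64.b64encode(_CFG.encode()).decode()}}

if __name__ == "__main__":
    print(compare_secrets(ORIGINAL, UNSEALED) or "data and type match")
```

In practice the two inputs would be the original manifest and the output of `kubectl get secret ithome-example -o json`, each loaded with `json.load`.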