Problem: "I can manage all my K8s config in git, except Secrets."
Solution: Encrypt your Secret into a SealedSecret, which is safe to store - even to a public repository. The SealedSecret can be decrypted only by the controller running in the target cluster and nobody else (not even the original author) is able to obtain the original Secret from the SealedSecret.
Uses the k14s kapp Terraform provider to install sealed-secrets.
Starts with the assumption that you have already provisioned a cluster.
./install-cli-{os}.sh
Replace {os} with either macos or linux.
cp terraform.tfvars.sample terraform.tfvars
Amend the value for kubeconfig_path.
./create-sealed-secrets.sh
See usage instructions here.
You'll need to have installed the CLI first.
For a simple test, try executing:
kubectl create secret generic mysecret --dry-run=client --from-literal=foo=bar -o json | kubeseal > mysecret.json
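Since the point of the workflow above is that only the SealedSecret ever reaches git, a repository-side guard that rejects anything else is worth having. The script below is an added example, not part of this README or of the sealed-secrets project; it checks that a manifest is a SealedSecret carrying encryptedData and no plaintext data/stringData keys, using constructed sample manifests (the ciphertext value is a placeholder, not real kubeseal output).

```shell
#!/bin/sh
# Added example (not part of this README or the sealed-secrets project):
# a guard that a manifest destined for git is a SealedSecret carrying only
# encryptedData, so that a plaintext Secret never lands in the repository.

# Returns 0 when the manifest on stdin is a SealedSecret with encryptedData
# and no plaintext data/stringData keys; returns 1 otherwise.
is_sealed_manifest() {
  m=$(cat)
  printf '%s\n' "$m" | grep -q '"kind": *"SealedSecret"' || return 1
  printf '%s\n' "$m" | grep -q '"encryptedData"' || return 1
  # A plain Secret, or a SealedSecret with leftover plaintext, carries these keys.
  if printf '%s\n' "$m" | grep -Eq '"(data|stringData)" *:'; then return 1; fi
  return 0
}

# Checks every file given as an argument (e.g. from a pre-commit hook);
# prints a verdict per file and returns 1 if any file fails the check.
check_manifests() {
  rc=0
  for f in "$@"; do
    if is_sealed_manifest < "$f"; then
      echo "OK      $f"
    else
      echo "REJECT  $f (not a SealedSecret, or contains plaintext data)"
      rc=1
    fi
  done
  return $rc
}

# Constructed samples. SEALED_SAMPLE mirrors the shape kubeseal emits for the
# command in this README; the ciphertext is a placeholder, not real output.
SEALED_SAMPLE='{
  "kind": "SealedSecret",
  "apiVersion": "bitnami.com/v1alpha1",
  "metadata": { "name": "mysecret", "namespace": "default" },
  "spec": {
    "template": { "metadata": { "name": "mysecret", "namespace": "default" } },
    "encryptedData": { "foo": "AgB-PLACEHOLDER-CIPHERTEXT" }
  }
}'
# What the same kubectl command produces WITHOUT piping through kubeseal.
PLAIN_SAMPLE='{
  "kind": "Secret",
  "apiVersion": "v1",
  "metadata": { "name": "mysecret" },
  "data": { "foo": "YmFy" }
}'
```

Run it as `check_manifests path/to/*.json` from a pre-commit hook; a non-zero exit means a plaintext Secret (or a malformed SealedSecret) was about to be committed.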
./destroy-sealed-secrets.sh