From e29bf3ef91cb5de6de449dd5392607724c1c90a2 Mon Sep 17 00:00:00 2001 From: Ryan D Date: Tue, 7 Mar 2023 23:19:20 +1100 Subject: [PATCH] Updated README.md to reflect latest functionality --- README.md | 69 ++++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 58 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index d6a29ac..f478f47 100644 --- a/README.md +++ b/README.md @@ -36,9 +36,12 @@ spec: {{- end }} ``` -Note that Kubeseal Plus will fail if the first and last line do not match this exact template, and the remainder of the file does not parse as valid YAML. +Note that Kubeseal Plus will fail if the first and last line do not match this +exact template, and the remainder of the file does not parse as valid YAML. -__Usage__ +## Usage + +### Rotate Rotate secrets in an existing SealedSecret: 
@@ -46,28 +49,72 @@ Rotate secrets in an existing SealedSecret: kubesealplus rotate templates/secret-password.production.yaml` ``` -You'll be prompted to input secret values for each existing key; +You'll be prompted to input secret values for each existing key then confirm +before the file is written to; * Enter a value and press return (newline) to complete the value -* When a string literal is used, white space will be trimmed including leading - and trailing spaces, tabs, and newline characters (per Go's strings.TrimSpace) +* If you want to skip rotating some keys, don't enter anything for that key and + press return (newline) +* When a string literal is used as the value, white space will be trimmed + including leading and trailing spaces, tabs, and newline characters (per Go's + strings.TrimSpace) * Once all values are entered, you'll be asked to confirm that what you entered is correct -* Filename's will be auto-detected: if the string literal starts with / and then - resolves to a valid file, the contents of that file will be used as the value +* Filename's will be auto-detected: if the string literal resolves to a valid + file path, the contents of that file will be used as the value * File contents for a provided filename will be used exactly (including spaces) * To use a filename as a string literal, prefix that filename with a space, and the auto-detection will not run (as first char will not be `/`, and the leading space will be trimmed) -__Roadmap/Future Usage__ +### Config -Configure 'Kubeseal Plus keyserver' for `production` environment: +Configure the Sealed Secret public key/cert URL for the `production` +environment: ``` -kubesealplus config production keyserver https://production.example.com +kubesealplus config production cert https://production.example.com +``` + +Note that we will automatically append `/v1/cert.pem` as a suffix to this if it +is not present. + +## Sharing your Public Cert/Key + +Per the `config ... 
cert ...` usage instructions above, this tool can fetch the +public cert/key of +your Sealed Secrets deployment from a URL. + +Because Sealed Secrets will rotate this regularly, a simple way to make the +latest version available (if your cluster is using the Traefik ingress +controller with their CRDs) is to create an [IngressRoute](https://doc.traefik.io/traefik/routing/providers/kubernetes-crd/) e.g.: + ``` +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +spec: + routes: + - match: Host(`example.com`) && (Method(`GET`) || Method(`HEAD`)) && Path(`/v1/cert.pem`) + kind: Rule + services: + - name: sealed-secrets-controller + namespace: kube-system + port: http +``` + +Please take caution with the above as it will potentially expose your Sealed +Secrets controller to the open internet. + +## Support for auth via Cloudflare Access + +Kubeseal Plus also supports automatically authenticating via Cloudflare Access +when fetching certificates from a URL protected by it. For example, you may +protect the IngressRoute (as outlined above) using Cloudflare Access. + +Under the hood this uses [cloudflared](https://github.com/cloudflare/cloudflared) +as a library, so it works the same as as the `cloudflared login` command +documented [here](https://developers.cloudflare.com/cloudflare-one/tutorials/cli/#authenticate-a-session-from-the-command-line). -__Further Information__ +## Further Information See:
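Review bot: the failure-condition sentence in the first hunk is rewrapped but keeps the original "and", which reads as though the tool fails only when both the template lines mismatch and the YAML is invalid; if either condition alone aborts the run (which is what the sentence seems to mean), write "or if the remainder of the file does not parse as valid YAML". While rewrapping, the heading change from `__Usage__` to `## Usage` / `### Rotate` is fine, but the hunk's trailing context line `kubesealplus rotate templates/secret-password.production.yaml`` still carries a stray backtick before the closing fence that should be dropped in the same edit.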
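Review bot: the rewritten filename auto-detection bullet ("if the string literal resolves to a valid file path") drops the leading-`/` requirement, but the unchanged bullet two lines below still justifies the space-prefix escape with "as first char will not be `/`", which is now stale; say instead that the leading space stops the literal from resolving to an existing path, and state that the space is trimmed afterwards. Because a literal that merely names an existing file (for example a secret whose value happens to be `README.md` in the working directory) will now be silently replaced by that file's contents, the Rotate section should also tell the reader whether the tool reports when a value was read from a file rather than taken verbatim, and, since an empty input now means "skip this key", how an intentionally empty value can be set. Smaller points in the same hunk: "Filename's" should be "Filenames"; "works the same as as the `cloudflared login` command" has a doubled "as"; and the Config section should note that the fetched cert is the key every secret is sealed to, so the configured URL should be `https://` and the docs should say whether plain `http://` is rejected.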