Additional steps for the environment sealed secret contract

For the contract with the env sealed secret, perform the following additional steps:

  1. Generate a public-private key pair for encrypting your sealed secret.
    1. Generate a private key to decrypt your sealed secrets:
      openssl genrsa -out decryption-key.pem 2048
    2. Check the private key by running the following command:
      cat decryption-key.pem
      Example output
      -----BEGIN PRIVATE KEY-----
      <base64-encoded key data>
      -----END PRIVATE KEY-----
      Note: OpenSSL 3.x writes the key in PKCS#8 form with the BEGIN PRIVATE KEY header shown above; OpenSSL 1.1.x writes the traditional form with a BEGIN RSA PRIVATE KEY header. Both are accepted by the rsa -pubout command in the next step. The key file is written unencrypted, so restrict its permissions (for example, chmod 600 decryption-key.pem) and keep it out of version control.
    3. Extract the encryption public key from the decryption private key to encrypt your sealed secret:
      openssl rsa -in decryption-key.pem -pubout > encryption-key.pub
    4. Check the public key by running the following command:
      cat encryption-key.pub
      Example output
      -----BEGIN PUBLIC KEY-----
      <base64-encoded key data>
      -----END PUBLIC KEY-----

      The public key (encryption-key.pub) is used only by whoever seals secrets and stays outside the contract. The private key (decryption-key.pem) is added to the contract's env section in step 8 so that the environment can unseal the secret. Because the contract then carries the decryption key, you must encrypt the contract; an unencrypted contract would expose that key, and with it every secret sealed to it, to anyone who can read the contract.

  2. Generate a public-private key pair for signing your sealed secrets.
    1. Generate a private key to sign your sealed secret:
      openssl genrsa -out signing-key.pem 2048
    2. Extract the public key that you will use to verify your sealed secrets from the private signing key:
      openssl rsa -in signing-key.pem -pubout > verification-key.pub
      Note: The private key (signing-key.pem) stays with whoever seals secrets; only the public key (verification-key.pub) is added to the contract in step 8.
  3. Copy the sealed secret client binary file to the working directory according to the following example:
    cp ibm-ccco-sealed-secret-creator-client-v1.2.1-linux-s390x ContractDirectory
    Note: Ensure that you use the secret client binary file that matches the architecture of the system on which you run it (s390x as in the example, amd64, or arm64). The file name carries the version and architecture; substitute the name of the binary you downloaded in this and the following command.
  4. Encrypt and sign the text you want to store as a sealed secret and save the sealed secret in the environment variable SEALED_SECRET:
    export SEALED_SECRET=$(./ibm-ccco-sealed-secret-creator-client-v1.2.1-linux-s390x --secret cccosecret --encryption-key encryption-key.pub --signing-key signing-key.pem --env-secret)
    Note: Here, cccosecret is a placeholder for the secret that needs to be sealed; replace it with your own value. Because the value is passed as a command-line argument, it can appear in your shell history and in process listings on the machine where you run the client, so seal secrets on a trusted workstation and clear the history afterwards if needed.
  5. View SEALED_SECRET:
    echo $SEALED_SECRET
    Example output
    sealed.<base64>.<base64>.<base64>
    Note: The sealed secret text string must start with the prefix sealed, followed by a . and three strings of base64 characters separated by . characters. If the output is empty or does not have this shape, the client did not succeed; check that both key files are readable and that the binary matches your architecture before continuing.
  6. Create a sealed-secret-spoiler.yaml file according to the following example:
    cat <<EOF > sealed-secret-spoiler.yaml
    apiVersion: v1
    kind: Secret
    metadata:
        name: spoiler
        namespace: default
    stringData:
        SPOILER: ${SEALED_SECRET}
    EOF
  7. Apply the sealed secret resource to the cluster by running the following command:
    oc apply -f sealed-secret-spoiler.yaml
  8. Export the following environment variables to be substituted into the env section of your unsigned and unencrypted contract. The contract's env section expects each key as a single-line string, so the pipeline replaces every newline in the PEM file with the two literal characters \n:
    export SECRET_VERIFICATION_KEY=$(cat verification-key.pub | tr '\n' '\\' | sed s/\\\\/\\\\n/g)
    export SECRET_DECRYPTION_KEY=$(cat decryption-key.pem | tr '\n' '\\' | sed s/\\\\/\\\\n/g)
    Note: SECRET_VERIFICATION_KEY is the public key for verifying signatures; SECRET_DECRYPTION_KEY is the private key for decrypting sealed secrets. Do not confuse them with encryption-key.pub and signing-key.pem, which never go into the contract.
  9. Continue with Step 5 from Creating the environment section of the contract section.
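The following POSIX shell script is an added example that is not part of this documentation or of the sealed secret client. It wraps the checks a practitioner would want around steps 1, 2, 5 and 8 above: that the extracted public key really belongs to the private key it was derived from, that the single-line \n escaping of a PEM file round-trips back to the original, and that a string has the sealed.<base64>.<base64>.<base64> shape described in step 5. It assumes openssl is on the PATH for the key steps and does not call the sealed secret client; the SAMPLE_SEALED value is a constructed stand-in, not a real sealed secret, and the base64 alphabet accepted by the format check is an assumption.

```shell
#!/bin/sh
# Added helper script; not part of the IBM documentation or the sealed secret client.
# Assumptions: openssl is on PATH for the key steps; the sealed secret client is not
# invoked, so the format check below runs on a constructed stand-in string.

# Convert a multi-line PEM file into one line with literal "\n" sequences.
# Equivalent to the doc's tr|sed pipeline for SECRET_VERIFICATION_KEY / SECRET_DECRYPTION_KEY.
pem_to_env() {
  awk '{ printf "%s\\n", $0 }' "$1"
}

# Reverse of pem_to_env: expand the literal "\n" sequences back into real newlines,
# so the escaped value can be compared with the original file before it goes into a contract.
env_to_pem() {
  printf '%b' "$1"
}

# Return 0 if the string has the layout step 5 describes: the prefix "sealed", a ".",
# then exactly three base64 groups separated by ".". Assumption: standard base64
# alphabet with "=" padding; the URL-safe characters "-" and "_" are also accepted.
check_sealed_format() {
  printf '%s\n' "$1" | grep -Eq '^sealed(\.[A-Za-z0-9+/_=-]+){3}$'
}

# Return 0 if the public key file ($2) is the one derived from the private key file ($1),
# i.e. the encryption/verification key really matches the decryption/signing key.
check_keypair_match() {
  openssl rsa -in "$1" -pubout 2>/dev/null | cmp -s - "$2"
}

# Constructed stand-in for the client's output (not a real sealed secret).
SAMPLE_SEALED='sealed.YWJj.ZGVm.Z2hp'

if command -v openssl >/dev/null 2>&1; then
  workdir=$(mktemp -d)
  # Same key generation as steps 1 and 2 of the procedure, in a scratch directory.
  openssl genrsa -out "$workdir/decryption-key.pem" 2048 2>/dev/null
  openssl rsa -in "$workdir/decryption-key.pem" -pubout > "$workdir/encryption-key.pub" 2>/dev/null
  chmod 600 "$workdir/decryption-key.pem"
  check_keypair_match "$workdir/decryption-key.pem" "$workdir/encryption-key.pub" \
    && echo "encryption-key.pub matches decryption-key.pem"
  # Same escaping as step 8, then prove it round-trips before it goes into the contract env.
  SECRET_DECRYPTION_KEY=$(pem_to_env "$workdir/decryption-key.pem")
  env_to_pem "$SECRET_DECRYPTION_KEY" | cmp -s - "$workdir/decryption-key.pem" \
    && echo "single-line escaping round-trips"
  rm -rf "$workdir"
fi

check_sealed_format "$SAMPLE_SEALED" && echo "sealed secret format OK"
```

Run it from the contract working directory before step 8; if the key-pair check fails, regenerate the public key from the private key rather than editing either file by hand, and if the format check fails on your real SEALED_SECRET, rerun step 4 and inspect the client's error output.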