Additional steps for the workload sealed secret contract

Edit online

For the contract with the workload sealed secret, perform the following additional steps:

  1. Generate a public-private key pair for encrypting your sealed secret.
    1. Generate a private key to decrypt your sealed secrets:
      openssl genrsa -out decryption-key.pem 2048
    2. Check the private key by running the following command:
      cat decryption-key.pem
      Example output
      -----BEGIN PRIVATE KEY-----
BASE64DATA== <base64-encoded data>
-----END PRIVATE KEY-----
    3. Extract the encryption public key from the decryption private key to encrypt your sealed secret:
      openssl rsa -in decryption-key.pem -pubout > encryption-key.pub
    4. Check the public key by running the following command:
      cat encryption-key.pub
      Example output
      -----BEGIN PUBLIC KEY-----
BASE64DATA== <base64-encoded data>
-----END PUBLIC KEY-----

      You must encrypt the Contract when it contains a private key for decrypting sealed secrets, as the private key used for decryption is added to the contract.

  2. Generate a public-private key pair for signing your sealed secrets.
    1. Generate a private key to sign your sealed secret:
      openssl genrsa -out signing-key.pem 2048
    2. Extract the public key you will use to verify your sealed secrets from the public key for signing:
      openssl rsa -in signing-key.pem -pubout > verification-key.pub
  3. Copy sealed secret client binary file to the working directory according to the following example:
    cp ibm-ccco-sealed-secret-creator-client-v1.2.1-linux-s390x ContractDirectory
    Note: Ensure that you use the secret client binary file that matches your system architecture (arm64 or amd64).
  4. Encrypt and sign the text you want to store as a sealed secret and save the sealed secret in the environment variable SEALED_SECRET:
    export SEALED_SECRET=$(./ibm-ccco-sealed-secret-creator-client-v1.2.1-linux-s390x --secret cccosecret --encryption-key encryption-key.pub --signing-key signing-key.pem --workload-secret)
    Note: Here, cccosecret is the secret that needs to be sealed.
  5. View SEALED_SECRET:
    echo $SEALED_SECRET
    Example output
    sealed.<sealed_key_name>
    Note: The sealed secret text string should start with the prefix sealed, followed by a . and three strings of base64 characters separated by ..
  6. Create a sealed-secret-spoiler.yaml file according to the following example:
    cat <<EOF > sealed-secret-spoiler.yaml
apiVersion: v1
kind: Secret
metadata:
    name: spoiler
    namespace: default
stringData:
    SPOILER: ${SEALED_SECRET}
EOF
  7. Apply the sealed secret resource to the cluster by running the following command:
    oc apply -f sealed-secret-spoiler.yaml
  8. Export the following environment variables to be substituted into your unsigned and unencrypted contract's workload section:
    export SECRET_VERIFICATION_KEY=$(cat verification-key.pub | tr '\n' '\\' | sed s/\\\\/\\\\n/g)
    export SECRET_DECRYPTION_KEY=$(cat decryption-key.pem | tr '\n' '\\' | sed s/\\\\/\\\\n/g)
  9. Continue with Step 5 from Creating the workload section of the contract section.