Sealed Secrets
Overview
Sealed Secrets lets you commit encrypted secrets to Git. Only the Sealed Secrets controller can decrypt them.
Install Sealed Secrets Controller
# Add Helm repo
helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm repo update
# Install controller
helm install sealed-secrets sealed-secrets/sealed-secrets \
  --namespace kube-system
Get Public Key
# Download public key for encrypting secrets
kubeseal --fetch-cert \
  --controller-name=sealed-secrets \
  --controller-namespace=kube-system \
  > pub-cert.pem
Create Encrypted Secret
# Create a sealed secret
kubeseal --cert=pub-cert.pem -o yaml < my-secret.yaml > my-sealed-secret.yaml
Original secret (my-secret.yaml)
apiVersion: v1
kind: Secret
metadata:
  name: my-app-secret
  namespace: default
type: Opaque
stringData:
  database-password: supersecretpassword
  api-key: my-api-key
Sealed secret (git-safe)
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: my-app-secret
  namespace: default
spec:
  encryptedData:
    database-password: AgA2M8GZHGqLdU4f...
    api-key: AgB23M8HZJqmLhR5...
Deploy Sealed Secret
# Apply to cluster (controller decrypts)
kubectl apply -f my-sealed-secret.yaml
# Verify decrypted secret exists
kubectl get secret my-app-secret -o yaml
Secret Update Workflow
- Update the original Secret manifest
- Re-seal it with kubeseal
- Commit the updated SealedSecret to Git
- The Sealed Secrets controller decrypts it and updates the Secret in the cluster automatically
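A Git-side guard for the "commit sealed secrets, never plaintext" workflow above, added here as an example (it is not part of the Sealed Secrets project): it lets SealedSecret manifests through and refuses a plaintext Secret manifest, since base64 in `data:` is encoding, not encryption. The function names, the hook layout and the sample manifests are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Sealed Secrets project: a pre-commit style gate
# that lets SealedSecret manifests into Git but refuses plaintext Secret
# manifests (base64 in `data:` is encoding, not encryption).
# Assumption: one Kubernetes object per YAML file; multi-document files are
# treated conservatively (any `kind: Secret` plus `data:` is refused).

# Return 0 if FILE is safe to commit, 1 if it is an unsealed Secret.
check_manifest() {
  file="$1"
  # SealedSecret holds only ciphertext under spec.encryptedData: allowed.
  if grep -Eq '^kind:[[:space:]]*SealedSecret[[:space:]]*$' "$file"; then
    return 0
  fi
  # A plain Secret carrying data/stringData would leak the values: refused.
  if grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$file" &&
     grep -Eq '^(data|stringData):' "$file"; then
    echo "REFUSED: $file is an unsealed Secret; run it through kubeseal first" >&2
    return 1
  fi
  return 0
}

# Check every staged YAML file (for use as .git/hooks/pre-commit).
check_staged() {
  status=0
  for f in $(git diff --cached --name-only --diff-filter=ACM -- '*.yaml' '*.yml'); do
    check_manifest "$f" || status=1
  done
  return $status
}

# Self-contained demo on constructed manifests: returns 0 when the gate behaves.
demo() {
  d=$(mktemp -d)
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: my-app-secret\nstringData:\n  database-password: supersecretpassword\n' > "$d/plain.yaml"
  printf 'apiVersion: bitnami.com/v1alpha1\nkind: SealedSecret\nmetadata:\n  name: my-app-secret\nspec:\n  encryptedData:\n    database-password: AgA2M8GZHGqLdU4f...\n' > "$d/sealed.yaml"
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: cfg\ndata:\n  key: value\n' > "$d/configmap.yaml"
  check_manifest "$d/sealed.yaml" || return 1      # ciphertext only: allowed
  check_manifest "$d/configmap.yaml" || return 1   # not a Secret: allowed
  if check_manifest "$d/plain.yaml" 2>/dev/null; then return 1; fi  # plaintext: refused
  rm -rf "$d"
  return 0
}
```

Install it by calling `check_staged` from `.git/hooks/pre-commit`; `demo` exercises the gate on the constructed files without touching a repository.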
Benefits
- Commit secrets to Git safely
- RBAC controls who can decrypt
- Controller-only decryption
- No external dependencies
Limitations
- Secrets must be re-sealed when moved to a different cluster, because each controller has its own key pair
- The controller must be bootstrapped before any SealedSecret can be applied
- Key rotation requires special handling