
Sealed Secrets and its Components


Sealed Secrets provides a secure, GitOps-friendly method for managing Kubernetes Secrets by encrypting them for safe storage in public repositories. With Sealed Secrets, you can commit encrypted manifests to GitHub without exposing sensitive data. Only your Kubernetes cluster, where the Sealed Secrets Operator runs and holds the private key, can decrypt these manifests back into native Secret objects.


Key Components

| Component | Role | Typical Usage |
|---|---|---|
| Sealed Secrets Operator | Cluster-side controller | Watches for SealedSecret CRs and converts them into standard Secrets |
| kubeseal CLI | Local or CI command-line utility | Encrypts plain Secret manifests into SealedSecret manifests |
| SealedSecret Custom Resource | CRD defining the encrypted secret schema | Lets the Operator recognize and decrypt your encrypted payloads automatically |

Note

  Before you begin, you need:

  • A running Kubernetes cluster (v1.13+).
  • The Sealed Secrets Operator installed:
    kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.35.0/controller.yaml

  • The controller's public certificate saved locally, so kubeseal can encrypt without cluster access:
    kubeseal --fetch-cert > public-cert.pem

Warning

Always back up the private key used by the Sealed Secrets controller. Losing it means you won’t be able to decrypt existing SealedSecret resources.


GitOps Workflow for Encrypted Secrets

  1. Define a Kubernetes Secret
    Create a plain Secret manifest (e.g., db-credentials.yaml).

  2. Encrypt with kubeseal

    kubeseal \
      --format=yaml \
      --cert=public-cert.pem \
      < db-credentials.yaml \
      > sealed-db-credentials.yaml
    

  3. Commit to Git
    Push the SealedSecret manifest (sealed-db-credentials.yaml) to your repository.

  4. Automatic Decryption
    The Sealed Secrets Operator detects the new SealedSecret, decrypts it, and generates a standard Secret for your pods to consume.
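The four steps above, wrapped into a small POSIX shell script as an added example (this is not code from the Sealed Secrets project or from this page). It assumes kubeseal and git are on PATH when the sealing and commit functions are called; the manifest builder and the pre-commit plaintext check use only standard tools. The Secret name, namespace, file names and credential values are constructed sample data.

```shell
#!/usr/bin/env sh
# Added example, not part of the Sealed Secrets project. Assumes: kubeseal and
# git on PATH for seal_secret/commit_sealed; sample names and values below are
# constructed for illustration.

# Step 1: build a plain Secret manifest from name, namespace and key=value pairs.
# Values are base64-encoded because the Secret API requires it; this is encoding,
# not encryption, which is exactly why the plain file must never reach Git.
make_secret_manifest() {
  name="$1"; ns="$2"; shift 2
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' "$name" "$ns"
  for kv in "$@"; do
    k="${kv%%=*}"; v="${kv#*=}"
    printf '  %s: %s\n' "$k" "$(printf '%s' "$v" | base64 | tr -d '\n')"
  done
}

# Step 2: seal with the controller's public certificate. kubeseal's default
# scope is strict, so the ciphertext only decrypts for this exact name+namespace.
seal_secret() {
  plain="$1"; cert="$2"; out="$3"
  if [ ! -s "$cert" ]; then
    echo "missing public cert $cert (run: kubeseal --fetch-cert > $cert)" >&2
    return 1
  fi
  kubeseal --format=yaml --cert="$cert" < "$plain" > "$out"
}

# Guard before step 3: succeed only if the output is a SealedSecret and none of
# the base64 values from the plain manifest's data: section appear in it.
check_no_plaintext() {
  plain="$1"; sealed="$2"
  grep -q '^kind: SealedSecret$' "$sealed" || return 1
  awk '/^data:/{d=1;next} d && /^  [^ ]+: /{print $2}' "$plain" | while read -r enc; do
    if [ -n "$enc" ] && grep -qF -- "$enc" "$sealed"; then exit 1; fi
  done
}

# Step 3: commit only the sealed manifest; the plain file stays out of Git.
commit_sealed() {
  sealed="$1"
  git add "$sealed" && git commit -m "Add SealedSecret $(basename "$sealed")"
}

# Run end to end with: sh seal-workflow.sh run
if [ "${1:-}" = "run" ]; then
  make_secret_manifest db-credentials default username=admin password='s3cr3t-example' > db-credentials.yaml
  seal_secret db-credentials.yaml public-cert.pem sealed-db-credentials.yaml
  check_no_plaintext db-credentials.yaml sealed-db-credentials.yaml || {
    echo "refusing to commit: sealed file still carries plaintext values" >&2
    exit 1
  }
  commit_sealed sealed-db-credentials.yaml
fi
```

The check between steps 2 and 3 is the part worth keeping in a CI job: a wrong cert path or a skipped kubeseal run produces a file that still contains the base64-encoded values, and committing that is equivalent to committing the plain Secret. Step 4 needs nothing from the client side; once the SealedSecret is applied, the Operator creates the Secret.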