Deploy the Sealed Secrets Operator⚓︎

This guide explains how to install the Sealed Secrets Operator using Helm and securely manage Kubernetes Secrets.

Safely encrypt your Kubernetes Secrets using the Sealed Secrets Operator. This guide walks you through installing the operator via Helm, fetching its public key, and sealing a Secret.

1. Add the Sealed-Secrets Helm Repository⚓︎

Register the Bitnami Sealed Secrets chart and update your local repo cache:

helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm repo update

2. Install the Sealed-Secrets Chart⚓︎

Choose between installing into the default namespace or a custom namespace.

3. Verify the Operator Pod⚓︎

Confirm that the Sealed Secrets controller is running:

You should see a pod like my-release-sealed-secrets-controller-<id> in Running status.

4. Fetch the Controller’s Public Key⚓︎

Download the operator’s certificate to seal Secrets locally. Replace <release-name> and <namespace> as needed:

kubeseal \
  --controller-name=my-release-sealed-secrets-controller \
  --controller-namespace=kube-system \
  --fetch-cert \
  > mycert.pem

5. Create and Seal a Secret⚓︎

1. Generate a Kubernetes Secret manifest (client-side dry run):

   kubectl create secret generic secret-name \
     --from-literal=foo=bar \
     --dry-run=client \
     -o yaml \
     > secret.yaml
   

2. Seal the Secret using the fetched certificate:

   kubeseal \
     --format yaml \
     --cert mycert.pem \
     < secret.yaml \
     > mysealedsecret.yaml
   

3. Apply the SealedSecret to your cluster:

   kubectl apply -f mysealedsecret.yaml
   

6. Confirm Deployment⚓︎

Ensure the Sealed Secrets Operator is still running after sealing:

Once verified, your Sealed Secrets Operator is ready to encrypt and manage Kubernetes Secrets securely!

Links and References⚓︎

• Sealed-Secrets GitHub
• Helm Documentation
• kubectl Reference