Skip to main content

Documentation Index

Fetch the complete documentation index at: https://notes.kodekloud.com/llms.txt

Use this file to discover all available pages before exploring further.

In this guide, you’ll deploy the Bitnami Sealed Secrets controller using Flux CD and learn how to seal Kubernetes Secrets for safe Git storage. Follow the steps below to get started.

Prerequisites

  • A running Kubernetes cluster and configured kubectl context
  • Flux v2 installed (Flux CLI Install)
  • A Git repository (e.g., bb-app-source-git) with an infrastructure branch

1. Switch to the infrastructure branch

Always ensure your working directory is clean before switching branches.
cd bb-app-source-git
git checkout infrastructure
Expected output: 
Switched to branch 'infrastructure'
Your branch is up to date with 'origin/infrastructure'.

2. Define the Helm repository

Create a HelmRepository manifest under the bitnami-sealed-secrets directory to let Flux pull the Sealed Secrets charts. 
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: sealed-secrets
  namespace: flux-system
spec:
  interval: 24h
  url: https://bitnami-labs.github.io/sealed-secrets
Commit and push: 
git add bitnami-sealed-secrets/helmrepository.yaml
git commit -m "Add Bitnami Sealed Secrets HelmRepository"
git push

3. Create a Flux Kustomization

In your Flux cluster repo (for example, block-buster/flux-clusters/dev-cluster), scaffold a Kustomization that points to the Sealed Secrets path. 
cd ~/block-buster/flux-clusters/dev-cluster
flux create kustomization sealed-secrets \
  --source GitRepository/infra-source-git \
  --path "./bitnami-sealed-secrets" \
  --prune=true \
  --interval=1h \
  --export > sealed-secrets-kustomization.yaml
Commit and reconcile: 
git add sealed-secrets-kustomization.yaml
git commit -m "Add Sealed Secrets Kustomization"
git push

flux reconcile source git infra-source-git
flux reconcile kustomization sealed-secrets

4. Verify the Sealed Secrets controller

The controller is deployed in the kube-system namespace. Run: 
kubectl -n kube-system get all
You should see:
ResourceREADYSTATUSAGE
pod/sealed-secrets-controller-xxxxx1/1Running30s
service/sealed-secrets-controller30s
deployment.apps/sealed-secrets-controller1/1Running30s
replicaset.apps/sealed-secrets-controller1130s
A TLS Secret (kubernetes.io/tls) containing the controller’s key pair is also created in kube-system.

5. Install the kubeseal CLI

Download and install the latest kubeseal binary: 
VERSION="v0.19.5"
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/${VERSION}/kubeseal-${VERSION}-linux-amd64.tar.gz
tar -xzf kubeseal-${VERSION}-linux-amd64.tar.gz
sudo mv kubeseal /usr/local/bin/
Validate installation: 
kubeseal --version
Expected: 
kubeseal version: 0.19.5

6. Fetch the Sealed Secrets public certificate

You need the controller’s public key to seal secrets locally: 
kubeseal \
  --fetch-cert \
  --controller-name sealed-secrets-controller \
  --controller-namespace kube-system \
  > sealed-secrets.pub
This outputs sealed-secrets.pub, which you will use to encrypt your Kubernetes Secrets.

7. Seal and commit Kubernetes Secrets

  1. Create a plain Secret manifest (secret.yaml).
  2. Run: 
    kubeseal \
  --cert sealed-secrets.pub \
  < secret.yaml \
  > sealed-secret.yaml
  3. Review, commit, and push sealed-secret.yaml to your Git repo. Flux will apply it automatically.

Watch Video