Deploy the Sealed Secrets Operator

Safely encrypt your Kubernetes Secrets using the Sealed Secrets Operator. This guide walks you through installing the operator via Helm, fetching its public key, and sealing a Secret.

1. Add the Sealed-Secrets Helm Repository

Register the Bitnami Sealed Secrets chart and update your local repo cache:

helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm repo update

2. Install the Sealed-Secrets Chart

Choose between installing into the default namespace or a custom namespace.

3. Verify the Operator Pod

Confirm that the Sealed Secrets controller is running:

You should see a pod like my-release-sealed-secrets-controller-<id> in Running status.

4. Fetch the Controller’s Public Key

Download the operator’s certificate to seal Secrets locally. Replace <release-name> and <namespace> as needed:

kubeseal \
  --controller-name=my-release-sealed-secrets-controller \
  --controller-namespace=kube-system \
  --fetch-cert \
  > mycert.pem

5. Create and Seal a Secret

1. Generate a Kubernetes Secret manifest (client-side dry run):

   kubectl create secret generic secret-name \
     --from-literal=foo=bar \
     --dry-run=client \
     -o yaml \
     > secret.yaml
   

2. Seal the Secret using the fetched certificate:

   kubeseal \
     --format yaml \
     --cert mycert.pem \
     < secret.yaml \
     > mysealedsecret.yaml
   

3. Apply the SealedSecret to your cluster:

   kubectl apply -f mysealedsecret.yaml
   

6. Confirm Deployment

Ensure the Sealed Secrets Operator is still running after sealing:

Once verified, your Sealed Secrets Operator is ready to encrypt and manage Kubernetes Secrets securely!

Links and References

• Sealed-Secrets GitHub
• Helm Documentation
• kubectl Reference