Introduction to Sealed Secrets in Kubernetes: Sealed Secrets Fundamentals
Encrypting a Secret
In this guide, you'll learn how to use the Bitnami Sealed Secrets controller to encrypt a Kubernetes Secret manifest. Sealed Secrets let you store encrypted secrets in Git repositories without exposing sensitive data: each value is encrypted with the controller's public key, and only the controller, which holds the matching private key inside the cluster, can decrypt it.
Prerequisites
- A running Kubernetes cluster
- kubectl configured to communicate with your cluster
- Sealed Secrets controller deployed (e.g., via Helm or kubectl apply)
- kubeseal CLI installed locally
Note
Ensure the kubeseal client version matches your controller version. Mismatched versions can lead to encryption or decryption errors.
Step 1: Prepare Your Secret Manifest
Create a file named secret.yaml containing your sensitive data in Kubernetes Secret format:
apiVersion: v1
kind: Secret
metadata:
  name: database
  namespace: default
type: Opaque
data:
  DB_PASSWORD: cGFzc3dvcmQ=   # base64 of "password"; base64 is an encoding, not encryption
Step 2: Encrypt the Secret
Run the following command to generate a SealedSecret resource from your secret.yaml. The encrypted output is written to sealed-secret.yaml:
kubeseal \
--controller-name my-release-sealed-secrets \
--controller-namespace kube-system \
--format yaml \
< secret.yaml \
> sealed-secret.yaml
Flag Reference
Flag | Description | Example |
---|---|---|
--controller-name | Name of the Sealed Secrets controller release (kubeseal looks up the controller's public certificate through it) | my-release-sealed-secrets |
--controller-namespace | Namespace where the controller is running | kube-system |
--format | Output format (yaml or json) | yaml |
< secret.yaml | Shell redirection, not a kubeseal flag: feeds your original Kubernetes Secret manifest to kubeseal on stdin | — |
> sealed-secret.yaml | Shell redirection: writes the encrypted SealedSecret to a new file | — |
Step 3: Review the SealedSecret
Open sealed-secret.yaml to verify its contents. It should look similar to this:
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: database
  namespace: default
spec:
  encryptedData:
    DB_PASSWORD: AgAKG7A3zkILGotJJq+...Tb
The encryptedData field holds each value in encrypted form (not merely base64-encoded, as in the original Secret). Because the data was encrypted with the controller's public key and only the controller holds the corresponding private key, the file is safe to commit to version control. Note that the metadata name and namespace are part of what the ciphertext is bound to: by default, a SealedSecret can only be unsealed into a Secret with the same name in the same namespace.
Warning
Do not include the original secret.yaml in your Git repository. Only commit the generated sealed-secret.yaml. Delete secret.yaml once it has been sealed, or list it in .gitignore so it cannot be committed by accident.
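To make the encryption step concrete, the following Go program is an added example, not code from this page or from the Sealed Secrets project. It reimplements the hybrid scheme that, to my understanding of the upstream pkg/crypto package, kubeseal applies to each value: a fresh AES-256-GCM session key is wrapped with RSA-OAEP (SHA-256) using the label "namespace/name", and the output is the base64 of a 2-byte big-endian RSA block length, the RSA block, and the GCM ciphertext. The key pair, the namespace/name and the value "password" are constructed for the demo; treat the byte layout as illustrative rather than an interoperability guarantee. What it shows that the page does not is why a SealedSecret renamed or moved to another namespace fails to unseal, and why the sample value above begins with "AgA": with the controller's default 4096-bit key the RSA block is 512 bytes, and 0x0200 base64-encodes to "Ag".

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// NewTestKey stands in for the controller's sealing key pair. ASSUMPTION: a
// real controller defaults to 4096 bits; 2048 only keeps this demo fast.
func NewTestKey(bits int) *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return priv
}

// ScopeLabel is the OAEP label of the default "strict" scope: the value only
// unseals into a Secret with exactly this namespace and name.
func ScopeLabel(namespace, name string) []byte {
	return []byte(namespace + "/" + name)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealValue builds one encryptedData value: a fresh AES-256 session key is
// wrapped with RSA-OAEP(SHA-256) under the scope label, and the result is
// base64( 2-byte big-endian RSA length | RSA block | AES-GCM ciphertext ).
// The GCM nonce is all zeros because the session key is used exactly once.
func SealValue(pub *rsa.PublicKey, namespace, name string, plaintext []byte) (string, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return "", err
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return "", err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, ScopeLabel(namespace, name))
	if err != nil {
		return "", err
	}
	out := make([]byte, 2)
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	out = aead.Seal(out, make([]byte, aead.NonceSize()), plaintext, nil)
	return base64.StdEncoding.EncodeToString(out), nil
}

// UnsealValue mirrors the controller: the same namespace/name label must be
// supplied, so a renamed or moved SealedSecret fails at the OAEP step, and
// any altered ciphertext byte fails the GCM tag check.
func UnsealValue(priv *rsa.PrivateKey, namespace, name, encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2 || len(raw) < 2+int(binary.BigEndian.Uint16(raw)) {
		return nil, fmt.Errorf("malformed sealed value")
	}
	rsaLen := int(binary.BigEndian.Uint16(raw))
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, raw[2:2+rsaLen], ScopeLabel(namespace, name))
	if err != nil {
		return nil, fmt.Errorf("unwrap session key (wrong key or wrong namespace/name?): %w", err)
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, make([]byte, aead.NonceSize()), raw[2+rsaLen:], nil)
}

func main() {
	priv := NewTestKey(2048) // constructed demo key, not a real controller key
	sealed, err := SealValue(&priv.PublicKey, "default", "database", []byte("password"))
	if err != nil {
		panic(err)
	}
	fmt.Println("encryptedData DB_PASSWORD:", sealed[:12]+"...")
	plain, err := UnsealValue(priv, "default", "database", sealed)
	fmt.Printf("unseal as default/database: %q err=%v\n", plain, err)
	_, err = UnsealValue(priv, "prod", "database", sealed)
	fmt.Println("unseal as prod/database:", err)
}
```

Run it with go run and the second UnsealValue call fails with an OAEP decryption error, which is the behaviour you will see from the controller if you edit metadata.namespace in sealed-secret.yaml by hand; re-run kubeseal against the modified Secret instead. With the 2048-bit demo key the value starts with "AQ" (0x0100 = 256 bytes) rather than the "Ag" of a 4096-bit controller key.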
Next Steps
- Apply the SealedSecret to your cluster:
  kubectl apply -f sealed-secret.yaml
- Verify that the controller has created the unsealed Secret:
  kubectl get secret database -n default -o yaml
- Reference the Secret in your Deployment or Pod specs as usual.