Introduction to Sealed Secrets in Kubernetes

Sealed Secrets Fundamentals

Encrypting a Secret

In this guide, you'll learn how to use the Bitnami Sealed Secrets controller to safely encrypt a Kubernetes Secret manifest. Sealed Secrets allow you to store encrypted secrets in Git repositories without exposing sensitive data.

Prerequisites

  • A running Kubernetes cluster
  • kubectl configured to communicate with your cluster
  • Sealed Secrets controller deployed (e.g., via Helm or kubectl apply)
  • kubeseal CLI installed locally

Note

Ensure the kubeseal client version matches your controller version. Mismatched versions can lead to encryption or decryption errors.

Step 1: Prepare Your Secret Manifest

Create a file named secret.yaml containing your sensitive data in Kubernetes Secret format:

apiVersion: v1
kind: Secret
metadata:
  name: database
  namespace: default
type: Opaque
data:
  DB_PASSWORD: cGFzc3dvcmQ=  # base64-encoded string

Step 2: Encrypt the Secret

Run the following command to generate a SealedSecret resource from your secret.yaml. The encrypted output is written to sealed-secret.yaml:

kubeseal \
  --controller-name my-release-sealed-secrets \
  --controller-namespace kube-system \
  --format yaml \
  < secret.yaml \
  > sealed-secret.yaml

Flag Reference

  Flag                    Description                                       Example
  --controller-name       Name of the Sealed Secrets controller release     my-release-sealed-secrets
  --controller-namespace  Namespace where the controller is running         kube-system
  --format                Output format (yaml or json)                      yaml
  < secret.yaml           Reads your original Kubernetes Secret manifest
  > sealed-secret.yaml    Writes the encrypted SealedSecret to a new file

Step 3: Review the SealedSecret

Open sealed-secret.yaml to verify its contents. It should look similar to this:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: database
  namespace: default
spec:
  encryptedData:
    DB_PASSWORD: AgAKG7A3zkILGotJJq+...Tb

The encryptedData field contains the encrypted payload. Because it was encrypted with the controller's public key, only the controller, which holds the matching private key, can decrypt it, so the file is safe to commit to version control.

Warning

Do not include the original secret.yaml in your Git repository. Only commit the generated sealed-secret.yaml.
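A pre-commit check for the workflow above, added here as an example (not part of Sealed Secrets or kubeseal): it confirms that sealed-secret.yaml is a SealedSecret with the same name and namespace as the source Secret (the default strict scope requires both to match when the controller unseals it), that every data key has an encryptedData entry, and that none of the base64 plaintext values survive in the sealed file. The manifests and the ciphertext placeholder are constructed for the example.

```shell
#!/bin/sh
# Pre-commit check for the kubeseal workflow above (added example, not part of
# the Sealed Secrets project); sample manifests and ciphertext are constructed.
set -eu
# "key: value" entries under a map such as data: or encryptedData:, comments stripped.
extract_map() {        # $1 = file, $2 = map key
  awk -v key="$2" '
    $0 ~ ("^ *" key ":")                 { inmap = 1; next }
    inmap && /^[^ ]/                     { inmap = 0 }
    inmap && /^ +[A-Za-z0-9_.-]+: *[^ ]/ { sub(/^ +/, ""); sub(/ +#.*$/, ""); print }' "$1"
}
# First "field: value" in the file; name and namespace first appear under metadata.
field() { awk -v f="$2" '$1 == (f ":") { print $2; exit }' "$1"; }
# Succeeds only if $2 is a SealedSecret with the same name/namespace as Secret $1
# (default strict scope binds the ciphertext to both), every data key has an
# encryptedData entry, and no plaintext (base64) value survives in the sealed file.
verify_sealed() {      # $1 = secret.yaml, $2 = sealed-secret.yaml
  rc=0
  grep -q '^kind: SealedSecret$' "$2" || { echo "FAIL: $2 is not a SealedSecret"; return 1; }
  for f in name namespace; do
    [ "$(field "$1" "$f")" = "$(field "$2" "$f")" ] || { echo "FAIL: metadata.$f differs"; rc=1; }
  done
  while IFS=': ' read -r key value; do
    [ -n "$key" ] || continue
    extract_map "$2" encryptedData | grep -q "^$key:" || { echo "FAIL: encryptedData.$key missing"; rc=1; }
    if grep -qF -- "$value" "$2"; then echo "FAIL: plaintext of $key is present in $2"; rc=1; fi
  done <<EOF
$(extract_map "$1" data)
EOF
  if [ "$rc" = 0 ]; then echo "OK: $2 is safe to commit"; fi
  return "$rc"
}
# Constructed samples: the Step 1 Secret, a sealed version with placeholder
# ciphertext, and a broken one that kept the plaintext and changed namespace.
dir=$(mktemp -d)
printf '%s\n' 'apiVersion: v1' 'kind: Secret' 'metadata:' '  name: database' \
  '  namespace: default' 'type: Opaque' 'data:' \
  '  DB_PASSWORD: cGFzc3dvcmQ=  # base64-encoded string' > "$dir/secret.yaml"
printf '%s\n' 'apiVersion: bitnami.com/v1alpha1' 'kind: SealedSecret' 'metadata:' \
  '  name: database' '  namespace: default' 'spec:' '  encryptedData:' \
  '    DB_PASSWORD: AgAKG7A3zkILGotJJq+PLACEHOLDER' > "$dir/sealed-secret.yaml"
printf '%s\n' 'apiVersion: bitnami.com/v1alpha1' 'kind: SealedSecret' 'metadata:' \
  '  name: database' '  namespace: staging' 'spec:' '  encryptedData:' \
  '    DB_PASSWORD: cGFzc3dvcmQ=' > "$dir/leaky.yaml"
verify_sealed "$dir/secret.yaml" "$dir/sealed-secret.yaml"
verify_sealed "$dir/secret.yaml" "$dir/leaky.yaml" || true  # expected to report two failures
```

Run it against your own pair of files with verify_sealed secret.yaml sealed-secret.yaml before staging the sealed file.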

Next Steps

  1. Apply the SealedSecret to your cluster:
     kubectl apply -f sealed-secret.yaml
  2. Verify that the controller has created the unsealed Secret:
     kubectl get secret database -n default -o yaml
  3. Reference the Secret in your Deployment or Pod specs as usual.
