Introduction to Sealed Secrets in Kubernetes
Sealed Secrets Fundamentals
Sealed Secrets and its Components
Sealed Secrets provides a secure, GitOps-friendly method for managing Kubernetes Secrets by encrypting them for safe storage in public repositories. With Sealed Secrets, you can commit encrypted manifests to GitHub without exposing sensitive data. Only your Kubernetes cluster, where the Sealed Secrets Operator is running, can decrypt these manifests back into native Secret objects.
Key Components
| Component | Role | Typical Usage |
|---|---|---|
| Sealed Secrets Operator | Cluster-side controller | Watches for SealedSecret CRs and converts them into standard Secrets |
| kubeseal CLI | Local or CI command-line utility | Encrypts plain Secret manifests into SealedSecret manifests |
| SealedSecret Custom Resource | CRD defining the encrypted secret schema | Lets the Operator recognize and decrypt your encrypted payloads automatically |
Prerequisites
- A running Kubernetes cluster (v1.13+).
- The Sealed Secrets Operator installed:
  ```
  kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.23.0/controller.yaml
  ```
- The controller's public key fetched so that `kubeseal` can encrypt locally:
  ```
  kubeseal --fetch-cert > public-cert.pem
  ```
Secure Your Keys
Always back up the private key used by the Sealed Secrets controller. If it is lost, existing SealedSecret resources can no longer be decrypted.
GitOps Workflow for Encrypted Secrets
1. Define a Kubernetes Secret
   Create a plain `Secret` manifest (e.g., `db-credentials.yaml`).
2. Encrypt with kubeseal
   ```
   kubeseal \
     --format=yaml \
     --cert=public-cert.pem \
     < db-credentials.yaml \
     > sealed-db-credentials.yaml
   ```
3. Commit to Git
   Push the `SealedSecret` manifest (`sealed-db-credentials.yaml`) to your repository.
4. Automatic Decryption
   The Sealed Secrets Operator detects the new `SealedSecret`, decrypts it, and generates a standard `Secret` for your pods to consume.
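The four steps above, scripted end to end as an added example (not part of the original lesson or the Sealed Secrets project): a helper that writes the plain `Secret` manifest, the lesson's `kubeseal` invocation wrapped so it skips cleanly when the binary is absent, and a pre-commit guard that refuses to commit a plaintext `Secret` while letting `SealedSecret` manifests through. The file and cert names follow the lesson; the credential values are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the lesson. Assumes POSIX sh, base64 and grep;
# kubeseal is only needed for seal_secret.

# write_plain_secret NAME NAMESPACE OUTFILE KEY=VALUE...
# Emits a native Secret manifest; values are base64-encoded as the API expects.
write_plain_secret() {
  name=$1; ns=$2; out=$3; shift 3
  {
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' "$name" "$ns"
    for kv in "$@"; do
      printf '  %s: %s\n' "${kv%%=*}" "$(printf '%s' "${kv#*=}" | base64 | tr -d '\n')"
    done
  } > "$out"
}

# seal_secret PLAIN SEALED: the lesson's kubeseal command. Returns 2 when
# kubeseal is not installed so a caller never mistakes the plain file for a sealed one.
seal_secret() {
  command -v kubeseal >/dev/null 2>&1 || return 2
  kubeseal --format=yaml --cert=public-cert.pem < "$1" > "$2"
}

# is_plain_secret FILE: succeeds only for a native Secret (kind: Secret).
# "kind: SealedSecret" does not match, so sealed manifests pass the guard.
is_plain_secret() {
  grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$1"
}

# guard_staged: drop into .git/hooks/pre-commit; fails the commit if any staged
# YAML file is an unsealed Secret, which is exactly what must never reach the repo.
guard_staged() {
  for f in $(git diff --cached --name-only --diff-filter=AM -- '*.yaml' '*.yml'); do
    if is_plain_secret "$f"; then
      echo "refusing to commit plaintext Secret: $f (run kubeseal first)" >&2
      return 1
    fi
  done
}
```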