Skip to content

Sealed Secrets

The sealed-secrets controller will automatically generate a public+private keypair for each cluster that will be used to encrypt and decrypt secrets.

After any new cluster is provisioned, the generated keypair should be backed up externally (i.e. to a shared VaultWarden/BitWarden collection). With the keypair backed up, secrets can be decrypted locally or restored to a new cluster in the future.

Back up generated keys

From the sealed-secrets README.md:

kubectl get secret \
    -n sealed-secrets \
    -l sealedsecrets.bitnami.com/sealed-secrets-key \
    -o yaml \
> cluster-sealed-secrets-master.key

Sensitive data!

Be sure to keep this file secure and delete from your working directory after uploading it to a secure credentials vault for backup.

Do not commit this file to source control

Enable ingress

The sealed-secrets helm chart includes an ingress that can be configured to provide a public URL to the cluster’s public certificate that can be used for local kubeseal client operations.

To enable the ingress, configure and deploy sealed-secrets/release-values.yaml:

ingress:
enabled: true
annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
    - sealed-secrets.sandbox.k8s.brigade.cloud
tls:
    - secretName: sealed-secrets-tls
    hosts:
        - sealed-secrets.sandbox.k8s.brigade.cloud

Once deployed, local kubeseal clients can be configured to use it by setting the SEALED_SECRETS_CERT environment variable:

export SEALED_SECRETS_CERT=https://sealed-secrets.sandbox.k8s.brigade.cloud/v1/cert.pem