Sealed Secrets

The sealed-secrets controller will automatically generate a public+private keypair for each cluster that will be used to encrypt and decrypt secrets.

After any new cluster is provisioned, the generated keypair should be backed up externally (e.g. to a shared VaultWarden/BitWarden collection). With the keypair backed up, secrets can be decrypted locally, and the key can be restored to a new cluster in the future so that existing SealedSecrets keep working.

Back up generated keys

From the sealed-secrets

# Export every sealing key the controller has generated, not just the active one,
# since older keys are still needed to decrypt secrets sealed before a rotation.
kubectl get secret \
    -n sealed-secrets \
    -l sealedsecrets.bitnami.com/sealed-secrets-key \
    -o yaml \
> cluster-sealed-secrets-master.key

Sensitive data!

This file contains the cluster's private sealing key. Keep it secure and delete it from your working directory after uploading it to a secure credentials vault for backup.

Do not commit this file to source control.

Enable ingress

The sealed-secrets helm chart includes an ingress that can be configured to expose the cluster's public certificate at a public URL. Local kubeseal clients can fetch the certificate from that URL to seal secrets without access to the cluster API.

To enable the ingress, configure and deploy sealed-secrets/release-values.yaml:

ingress:
  enabled: true
  annotations: nginx letsencrypt-prod
  tls:
    - secretName: sealed-secrets-tls

Once deployed, local kubeseal clients can be configured to use it by setting the SEALED_SECRETS_CERT environment variable:
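The following is an added example, not from the original page or the sealed-secrets project, that ties the backup step and the local client step together: it validates a key backup of the kind the kubectl command above produces (active sealing key present, both halves of the TLS pair present, file readable only by its owner) and decodes just the public certificate from it into a PEM file that a workstation can point `SEALED_SECRETS_CERT` at, so the private half never has to be copied out of the vault. The backup content is a constructed stand-in written by `make_sample_backup`; the function names, the file names and the placeholder certificate body are assumptions of this example. It relies on GNU `base64 -d`.

```shell
#!/bin/sh
# Added example (not the page's or the sealed-secrets project's own code).
# Validates a sealed-secrets key backup and derives the public certificate
# for a local kubeseal client from it.

# Write a constructed stand-in for a real backup (assumption: same layout as
# `kubectl get secret ... -o yaml`). The PEM bodies are placeholders.
make_sample_backup() {
    out="$1"
    crt_b64=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' \
        '-----END CERTIFICATE-----' | base64 | tr -d '\n')
    key_b64=$(printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder' \
        '-----END RSA PRIVATE KEY-----' | base64 | tr -d '\n')
    umask 077    # the file is owner-readable only from the moment it exists
    cat > "$out" <<EOF
apiVersion: v1
items:
- apiVersion: v1
  kind: Secret
  type: kubernetes.io/tls
  metadata:
    name: sealed-secrets-keyxxxxx
    namespace: sealed-secrets
    labels:
      sealedsecrets.bitnami.com/sealed-secrets-key: active
  data:
    tls.crt: $crt_b64
    tls.key: $key_b64
kind: List
EOF
}

# Sanity-check a backup before uploading it to the vault: it must contain the
# active sealing key, both tls.crt and tls.key, and be mode 600.
check_backup() {
    f="$1"
    [ -f "$f" ] || { echo "missing backup file: $f" >&2; return 1; }
    grep -q 'sealedsecrets.bitnami.com/sealed-secrets-key: active' "$f" \
        || { echo "no active sealing key in $f" >&2; return 1; }
    grep -q '^ *tls.key: ' "$f" || { echo "no private key in $f" >&2; return 1; }
    grep -q '^ *tls.crt: ' "$f" || { echo "no certificate in $f" >&2; return 1; }
    mode=$(ls -l "$f" | cut -c1-10)    # portable permission check
    [ "$mode" = "-rw-------" ] || { echo "backup is not mode 600 ($mode)" >&2; return 1; }
    return 0
}

# Decode only the public certificate (first tls.crt entry) into a PEM file.
# This file is all a kubeseal workstation needs; the private key stays put.
extract_public_cert() {
    f="$1"; out="$2"
    b64=$(grep '^ *tls.crt: ' "$f" | head -n1 | sed 's/^ *tls.crt: *//')
    [ -n "$b64" ] || return 1
    printf '%s' "$b64" | base64 -d > "$out" || return 1
    head -n1 "$out" | grep -q 'BEGIN CERTIFICATE' || return 1
}

# Stand-alone demo: build the sample backup, check it, derive the certificate
# and print the environment setting a local kubeseal client would use.
work=$(mktemp -d)
make_sample_backup "$work/cluster-sealed-secrets-master.key"
check_backup "$work/cluster-sealed-secrets-master.key" && echo "backup OK"
extract_public_cert "$work/cluster-sealed-secrets-master.key" "$work/sealed-secrets.pem" \
    && echo "export SEALED_SECRETS_CERT=$work/sealed-secrets.pem"
```

Run `check_backup` against the real export before it leaves the workstation; a failing permission check is the usual sign that the file was created with a permissive umask and is readable by other local users.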