
Sealed Secrets

Description

Sealed Secrets is an open-source Kubernetes tool that encrypts Secret manifests so they can be stored safely in Git. It uses public-key cryptography so that a sealed secret can only be decrypted by the controller running inside the target Kubernetes cluster, which holds the private key; this makes it suitable for CI/CD and GitOps pipelines. Teams keep sensitive values encrypted at rest in the repository while deployment automation and day-to-day operations stay unchanged. Sealed Secrets reduces the risk of accidental secret disclosure and supports controlled, scoped use across namespaces and clusters.

Uses and Functionalities

  • Encrypts Kubernetes Secrets using asymmetric cryptography, ensuring secrets are stored in an encrypted form.

  • Allows storing encrypted secrets safely in version control systems like Git, preventing exposure of sensitive information.

  • Uses a public key to seal (encrypt) secrets outside the cluster and a private key within the cluster to decrypt them.

  • Implements a Kubernetes Custom Resource Definition (CRD) called SealedSecret to hold the encrypted secrets.

  • The Sealed Secrets controller runs inside the Kubernetes cluster and automatically decrypts SealedSecrets into standard Kubernetes Secrets.

  • Supports different scopes for decryption: strict (name and namespace-bound), namespace-wide (allows renaming in the same namespace), and cluster-wide (decrypted anywhere in the cluster).

  • Enables GitOps workflows by allowing encrypted secrets to live alongside other deployment manifests securely.

  • Ensures that even if the encrypted secrets are exposed in public or shared repositories, only the designated Kubernetes cluster can decrypt them.

  • Provides a CLI tool, kubeseal, for encrypting secrets offline using the cluster's public key.

  • Removes the weakness of plain Kubernetes Secret manifests, whose values are only base64-encoded and can be decoded by anyone who can read the manifest.
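Scope is the property worth checking before a SealedSecret is merged into a GitOps repository. The example below is added here and is not code from the Sealed Secrets project or from this page's configuration: a standard-library Python lint that derives a manifest's scope from the kubeseal annotations and checks whether it could be unsealed under a different namespace or name. The annotation names are the upstream ones; the label format the ciphertext is bound to (`ns/name`, `ns`, empty) is my assumption about how the controller ties a sealed secret to its target.

```python
# Added example, not project code: a scope lint for SealedSecret manifests
# in a GitOps repo (stdlib only). kubeseal records a non-strict scope as an
# annotation; the label the ciphertext is bound to ("ns/name", "ns" or "")
# mirrors the upstream convention as I understand it (assumption).
CLUSTER_WIDE = "sealedsecrets.bitnami.com/cluster-wide"
NAMESPACE_WIDE = "sealedsecrets.bitnami.com/namespace-wide"

def sealed_secret_scope(manifest: dict) -> str:
    """Return 'cluster-wide', 'namespace-wide' or 'strict' (the default)."""
    ann = manifest.get("metadata", {}).get("annotations") or {}
    if ann.get(CLUSTER_WIDE) == "true":
        return "cluster-wide"
    if ann.get(NAMESPACE_WIDE) == "true":
        return "namespace-wide"
    return "strict"

def encryption_label(namespace: str, name: str, scope: str) -> str:
    """Identity the ciphertext is bound to; empty for cluster-wide."""
    if scope == "strict":
        return f"{namespace}/{name}"
    return namespace if scope == "namespace-wide" else ""

def can_unseal_at(manifest: dict, namespace: str, name: str) -> bool:
    """Would the controller accept this manifest applied as namespace/name?"""
    meta, scope = manifest["metadata"], sealed_secret_scope(manifest)
    return (encryption_label(meta["namespace"], meta["name"], scope)
            == encryption_label(namespace, name, scope))

def lint_scopes(manifests: list, allow_cluster_wide: bool = False) -> list:
    """Flag SealedSecrets whose scope is broader than strict."""
    findings = []
    for m in manifests:
        if m.get("kind") != "SealedSecret":
            continue
        scope = sealed_secret_scope(m)
        ref = f'{m["metadata"]["namespace"]}/{m["metadata"]["name"]}'
        if scope == "cluster-wide" and not allow_cluster_wide:
            findings.append(f"{ref}: cluster-wide, unsealable in any namespace")
        elif scope == "namespace-wide":
            findings.append(f"{ref}: namespace-wide, renamable within namespace")
    return findings

# Constructed sample manifests; encryptedData values are placeholders.
STRICT = {"kind": "SealedSecret", "spec": {"encryptedData": {"password": "AgB..."}},
          "metadata": {"name": "db-creds", "namespace": "payments"}}
CLUSTER = {"kind": "SealedSecret", "spec": {"encryptedData": {"token": "AgB..."}},
           "metadata": {"name": "pull-secret", "namespace": "ci",
                        "annotations": {CLUSTER_WIDE: "true"}}}
if __name__ == "__main__":
    print("\n".join(lint_scopes([STRICT, CLUSTER])) or "no findings")
```

Run it against the manifests in a repository as a pre-merge check; a cluster-wide finding means any namespace in the cluster could obtain the plaintext once the manifest is applied there.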

CI/CD integration method

To enable Sealed Secrets, set the following Terraform variable in your main configuration file (the values shown are the defaults).

variable "sealed_secrets_config" {
  description = "Sealed Secrets"
  type = object({
    enabled      = bool   # deploy the Sealed Secrets controller
    namespace    = string # namespace the controller is installed into
    version      = string # version of the controller to install
    release_name = string # Helm release name
  })
  default = {
    enabled      = true
    version      = "2.17.1"
    namespace    = "sealed-secrets"
    release_name = "sealed-secrets"
  }
}

API / Swagger

Releases

Date | Version no. | Chart no. | Description

Official documentation
