Skip to content

Sealed Secrets

The sealed-secrets controller will automatically generate a public+private keypair for each cluster that will be used to encrypt and decrypt secrets.

After any new cluster is provisioned, the generated keypair should be backed up externally (i.e. to a shared VaultWarden/BitWarden collection). With the keypair backed up, secrets can be decrypted locally or restored to a new cluster in the future.

Back up generated keys

From the sealed-secrets README.md:

kubectl get secret \
    -n sealed-secrets \
    -l sealedsecrets.bitnami.com/sealed-secrets-key \
    -o yaml \
> cluster-sealed-secrets-master.key

Sensitive data!

Be sure to keep this file secure and delete from your working directory after uploading it to a secure credentials vault for backup.

Do not commit this file to source control

Expose the public certificate

The controller serves its public certificate at /v1/cert.pem, which local kubeseal clients can fetch instead of pulling it from the cluster each time. Expose it through the Gateway API — see Exposing services for the full pattern and the ownership split.

Provide a Gateway and an HTTPRoute (leave the chart’s own ingress disabled):

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: sealed-secrets
  namespace: sealed-secrets
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  gatewayClassName: eg
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: sealed-secrets.live.k8s.phl.io
      tls:
        mode: Terminate
        certificateRefs:
          - name: sealed-secrets-gw-tls
      allowedRoutes:
        namespaces:
          from: Same
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: sealed-secrets
  namespace: sealed-secrets
spec:
  parentRefs:
    - name: sealed-secrets
  rules:
    # Only the public cert is served — not the whole controller surface.
    - matches:
        - path: { type: Exact, value: /v1/cert.pem }
      backendRefs:
        - name: sealed-secrets
          port: 8080

Once deployed, local kubeseal clients can be configured to use it by setting the SEALED_SECRETS_CERT environment variable:

export SEALED_SECRETS_CERT=https://sealed-secrets.live.k8s.phl.io/v1/cert.pem