Secret manifest. Sealed Secrets allow you to store encrypted secrets in Git repositories without exposing sensitive data.
Prerequisites
- A running Kubernetes cluster
- kubectl configured to communicate with your cluster
- Sealed Secrets controller deployed (e.g., via Helm or kubectl apply)
- kubeseal CLI installed locally
Ensure the kubeseal client version matches your controller version. Mismatched versions can lead to encryption or decryption errors.
Step 1: Prepare Your Secret Manifest
Create a file named secret.yaml containing your sensitive data in Kubernetes Secret format:
Step 2: Encrypt the Secret
Run the following command to generate a SealedSecret resource from your secret.yaml. The encrypted output is written to sealed-secret.yaml:
Flag Reference
| Flag | Description | Example |
|---|---|---|
| --controller-name | Name of the Sealed Secrets controller release | my-release-sealed-secrets |
| --controller-namespace | Namespace where the controller is running | kube-system |
| --format | Output format (yaml or json) | yaml |
| < secret.yaml | Shell redirection: reads your original Kubernetes Secret manifest from stdin | — |
| > sealed-secret.yaml | Shell redirection: writes the encrypted SealedSecret to a new file | — |
Step 3: Review the SealedSecret
Open sealed-secret.yaml to verify its contents. It should look similar to this:
The encryptedData field contains the fully encrypted payload. Since this data is encrypted with the controller's public key and can only be decrypted by the controller's private key inside the cluster, it is safe to commit to version control.
Do not include the original secret.yaml in your Git repository. Only commit the generated sealed-secret.yaml.
Next Steps
- Apply the SealedSecret to your cluster:
- Verify that the controller has created the unsealed Secret:
- Reference the Secret in your Deployment or Pod specs as usual.
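The whole procedure above as shell functions, plus a pre-commit check that a file really is a SealedSecret before it goes into Git. This is an added example, not code from the page or the Sealed Secrets project; the controller release/namespace are the flag examples from the table, and the Secret name db-credentials, namespace default and the key/value are constructed samples.

```shell
#!/bin/sh
# Added example: Sealed Secrets workflow with a safety check before committing.
# Assumed controller release and namespace (taken from the flag table above).
CONTROLLER_NAME="my-release-sealed-secrets"
CONTROLLER_NAMESPACE="kube-system"

# Step 1: write a Kubernetes Secret manifest; values must be base64-encoded.
# Usage: make_secret_manifest NAME NAMESPACE KEY VALUE OUTFILE
make_secret_manifest() {
  enc=$(printf '%s' "$4" | base64 | tr -d '\n')
  cat >"$5" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: Opaque
data:
  $3: $enc
EOF
}

# Step 2: seal with the flags from the table (needs kubeseal and the controller).
seal_secret() {   # seal_secret secret.yaml sealed-secret.yaml
  kubeseal --controller-name "$CONTROLLER_NAME" \
           --controller-namespace "$CONTROLLER_NAMESPACE" \
           --format yaml <"$1" >"$2"
}

# Step 3: only a SealedSecret with encryptedData and no plaintext data/stringData
# keys is safe to commit. Returns 0 when the file passes.
check_sealed() {  # check_sealed sealed-secret.yaml
  grep -q '^kind: SealedSecret' "$1" || return 1
  grep -q '^ *encryptedData:' "$1" || return 1
  if grep -Eq '^ *(data|stringData):' "$1"; then return 1; fi
  return 0
}

# Next steps: apply, then confirm the controller created the unsealed Secret.
apply_and_verify() {   # apply_and_verify sealed-secret.yaml NAME NAMESPACE
  kubectl apply -f "$1"
  kubectl get secret "$2" -n "$3" -o jsonpath='{.metadata.name}'
}

# The cluster-dependent part runs only when explicitly requested (RUN_SEAL=1).
if [ "${RUN_SEAL:-0}" = "1" ]; then
  make_secret_manifest db-credentials default password 's3cr3t' secret.yaml
  seal_secret secret.yaml sealed-secret.yaml
  check_sealed sealed-secret.yaml && apply_and_verify sealed-secret.yaml db-credentials default
  rm -f secret.yaml   # the plaintext manifest must never reach the repository
fi
```

Run with `RUN_SEAL=1 sh seal.sh` against a cluster; without the variable the script only defines the functions, so check_sealed can be reused as a Git pre-commit hook.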