Kubernetes controller and kubeseal tool for one-way encrypted Secrets
Apache-2.0
- Go
- Jsonnet
- SCSS

About Sealed Secrets
Sealed Secrets is a Kubernetes controller and client tool for encrypting Secrets into SealedSecret resources. It solves the problem of storing Kubernetes configuration in git while keeping Secrets protected. The encrypted SealedSecret can be stored in a public repository, and only the controller in the target cluster can decrypt it.
It uses asymmetric crypto, with a cluster-side controller (operator) and the client-side kubeseal utility. It supports templates for secrets, scopes, patching existing secrets, validating a SealedSecret, raw mode, and re-encryption. The controller can also renew sealing keys and handle key rotation.
Sealed Secrets ships as a Helm chart and a controller, with kubeseal available through Homebrew, MacPorts, Nixpkgs, Linux packages, and source installation. The controller's sealing keys can be backed up so that SealedSecrets can be decrypted offline with a backup key, and the controller can be installed in restricted environments without RBAC when the CRDs already exist.
Key features
- Cluster-side controller decrypts only in the target cluster
- kubeseal encrypts Secrets into SealedSecret resources
- Supports scopes, patching, validation, raw mode, and re-encryption
- Key renewal and key rotation support
- Helm chart installation and kubeseal client distribution
Details
- First released
- 2017
- Platforms
- CLI · Web
- Deployment
- self-hostable · docker
- Storage
- SealedSecret resource in git
- Encryption
- Asymmetric crypto
- Governance
- Maintained by bitnami-labs
