Bitnami: Sealed Secrets

Sealed secrets allow us to put secrets directly into our github repository and manage deployments with flux.

The kubeseal binary is already installed as part of the bastion cloud-init file. It looks like the easiest way to use this is to run sealing steps on the bastion node where kubeseal has access the cluster kube-config.

Controller Installation

This installs the cluster side application that unseals secrets.

  1. mkidr aegaeon-cluster/sealed-secrets
  2. wget
  3. setup a kustomization.yaml
  4. check deployment with : kubectl get po -n kube-system


  1. Create your secret as a yaml.
  2. Update it with correct / raw information.
  3. Run kubeseal --scope cluster-wide -o yaml < secret.yaml > sealed-secret.yaml

These are the possible scopes:

  • strict (default): the secret must be sealed with exactly the same name and namespace. These attributes become part of the encrypted data and thus changing name and/or namespace would lead to “decryption error”.
  • namespace-wide: you can freely rename the sealed secret within a given namespace.
  • cluster-wide: the secret can be unsealed in any namespace and can be given any name.

You can check the SEALED SECRET into the repo directly.