The Easiest Way To Work With K8S Secrets
Another way to work with Kubernetes secrets, the GitOps way!
3 min read
January 24, 2025
In my previous post I wrote about how to safely commit Kubernetes secrets to a Git repository service. Just a little recap: Kubernetes secrets are merely encoded (base64), which is different from encrypted. This means that you really don't want to commit Kubernetes secrets (as-is) to a Git repository service.
Fortunately, there are ways to do this safely, since we ideally want to have all of our code in one place. One of those ways is using SOPS and age, which I shared in my previous post.
In this post I want to share another way to do this, and that is using SealedSecrets.
For this we need to install the Bitnami Sealed Secrets controller on the Kubernetes cluster. We can install the controller using Helm:
helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm repo update
helm install sealed-secrets-controller sealed-secrets/sealed-secrets
The controller's job is to decrypt the sealed secrets into regular Kubernetes Secrets, so that they can be used by your applications. And since the committed secrets are encrypted, you can safely commit them to a Git repository service.
Now all we need to do is encrypt the secret. Encryption obviously has to happen before the controller can decrypt anything, and for that we use kubeseal, the client-side tool that encrypts Kubernetes secrets. You can download it and follow the installation steps from here, or see below if you're using Brew:
So if you're using brew, then you can simply run the following command:
brew install kubeseal
This will install the kubeseal client. The SealedSecret CRD and server-side controller can also be installed in the kube-system namespace (instead of the Helm install above) by running this command:
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.28.0/controller.yaml
And that is essentially all you need to do.
Now, if you want to encrypt an existing Kubernetes secret, output it to YAML and run the following command:
kubeseal < secret-encoded.yaml > secret-encrypted.yaml
Alternatively, you can also create a new secret (dry-run to YAML), encrypt it using kubeseal, and then apply it using kubectl apply. However, since we want to follow the GitOps way, we instead commit the encrypted secret.yaml to a Git repository service, where it will be picked up by the GitOps agent (e.g. ArgoCD), applied to the cluster, and then decrypted by the Sealed Secrets controller.
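Since the whole point of sealing is that a plain Secret is only encoded, here is a small pre-commit style check, added as an example and not code from this post or from the Sealed Secrets project: it base64-decodes a Secret's data (to show it is recoverable by anyone who can read the repository) and refuses any manifest of kind Secret while letting a kubeseal-produced SealedSecret through. The sample manifests, the regex-based parsing (which assumes the flat layout kubectl and kubeseal emit) and the function names are my own assumptions.

```python
import base64
import re

# Constructed sample manifests (not from the post); shapes match kubectl/kubeseal output, values are made up.
PLAIN_SECRET = """\
apiVersion: v1
kind: Secret
type: Opaque
data:
  username: YWRtaW4=
  password: cGFzc3cwcmQ=
"""
SEALED_SECRET = """\
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
spec:
  encryptedData:
    username: AgBconstructedCiphertextNotReal==
    password: AgBconstructedCiphertextNotReal==
"""

KIND_RE = re.compile(r"^kind:\s*(\S+)\s*$", re.M)
ENTRY_RE = re.compile(r"^[ \t]+(\S+):\s*(\S+)\s*$", re.M)  # indented "key: value" line

def manifest_kind(doc: str) -> str:
    m = KIND_RE.search(doc)
    return m.group(1) if m else ""

def decode_secret_data(doc: str) -> dict:
    """Base64-decode every entry under a top-level 'data:' block: encoded, not encrypted."""
    block = re.search(r"^data:\n((?:[ \t]+\S+:.*\n?)+)", doc, re.M)
    if not block:
        return {}
    return {k: base64.b64decode(v).decode() for k, v in ENTRY_RE.findall(block.group(1))}

def check_for_commit(text: str) -> list:
    """One (kind, ok, reason) tuple per YAML document; plain Secrets with data are rejected."""
    results = []
    for doc in re.split(r"^---[ \t]*$", text, flags=re.M):
        if not doc.strip():
            continue
        kind = manifest_kind(doc)
        if kind == "Secret" and re.search(r"^(data|stringData):", doc, re.M):
            keys = sorted(decode_secret_data(doc))  # prove the values are recoverable
            results.append((kind, False, f"plain Secret, recoverable keys: {keys}"))
        elif kind == "SealedSecret":
            results.append((kind, True, "sealed by kubeseal, safe to commit"))
        else:
            results.append((kind, True, "no secret material detected"))
    return results
```

Wire check_for_commit into a Git pre-commit hook over the staged YAML files so a plain Secret never reaches the repository.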
And there you have it. Another way to work with Kubernetes secrets, the GitOps way!