This is a must-know skill for DevOps, GitOps, ArgoCD, Flux, and secure CI/CD workflows.
You will learn to:
- Install the Sealed Secrets controller
- Create a Kubernetes Secret
- Encrypt it into a SealedSecret (safe to commit to Git)
- Apply the encrypted object
- Verify the controller decrypts it back into a real Secret
Sealed Secrets = Git-safe encrypted secrets.
Requirements
This scenario requires:
- Any Kubernetes cluster (GKE, EKS, AKS, Minikube)
- Access to install CRDs (cluster-admin recommended)
Step 1: Install the Sealed Secrets Controller (on the cluster)
Install using Helm (recommended):
helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm install sealed-secrets-controller sealed-secrets/sealed-secrets \
--namespace kube-system
Verify:
kubectl -n kube-system get pods | grep sealed-secrets
You should see:
sealed-secrets-controller-xxxxx Running
Step 2: Install the kubeseal CLI (local machine / Cloud Shell)
For Cloud Shell or Linux:
curl -L -O https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.32.2/kubeseal-0.32.2-linux-amd64.tar.gz
tar -xzvf kubeseal-0.32.2-linux-amd64.tar.gz kubeseal
sudo install -m 755 kubeseal /usr/local/bin/kubeseal
Verify:
kubeseal --version
Step 3: Create a Secret (DO NOT APPLY)
Create a file:
# mysecret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: default
type: Opaque
data:
  username: YWRtaW4=
  password: U2VjdXJlMTIzIQ==
This YAML contains sensitive values that are only base64-encoded, not encrypted. NEVER commit this.
Now we will encrypt it.
Step 4: Encrypt the Secret into a SealedSecret
Run:
kubeseal --controller-namespace kube-system --format yaml \
< mysecret.yaml > mysealedsecret.yaml
Check output:
cat mysealedsecret.yaml
You will see something like:
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-credentials
  namespace: default
spec:
  encryptedData:
    password: AgDY72jkLJ8z...
    username: AgJ80QKlhxn...
- Safe to store in Git
- Only decryptable by the controller running in your cluster
Step 5: Apply the SealedSecret
kubectl apply -f mysealedsecret.yaml
The controller will automatically:
- Decrypt the sealed data
- Create the real Kubernetes Secret
Verify:
kubectl get secret db-credentials
You will see:
db-credentials Opaque 2 5s
Step 6: Check the Decrypted Secret Values
Run:
kubectl get secret db-credentials -o jsonpath='{.data.username}' | base64 -d
Output:
admin
Check password:
kubectl get secret db-credentials -o jsonpath='{.data.password}' | base64 -d
Output:
Secure123!
- Decrypted successfully
- Exactly what you defined
- But the secret in Git is encrypted
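A pre-commit style guard that enforces the rule from Step 3 (never commit the plain Secret) while allowing the Step 4 output through. This is an added example, not part of the original post: the function names are my own, it needs only POSIX sh and awk, and the two sample manifests it writes are constructed to mirror mysecret.yaml and mysealedsecret.yaml above.

```shell
#!/bin/sh
# Added example (not from the original post): refuse plain Secret manifests,
# let SealedSecret objects through. Needs only POSIX sh and awk.

# check_manifest FILE: exit 0 if safe to commit, 1 if any YAML document in the
# file is "kind: Secret" and carries a "data:" or "stringData:" block.
check_manifest() {
  awk '
    /^---/ { kind = ""; payload = 0; next }          # start of next YAML document
    /^kind:[ \t]*Secret[ \t]*$/ { kind = "Secret" }  # exact kind, not SealedSecret
    /^(data|stringData):/ { payload = 1 }
    kind == "Secret" && payload { plain = 1 }
    END { if (plain) exit 1; exit 0 }
  ' "$1"
}

# scan_manifests FILE...: report each file; return 1 if any would leak a Secret.
scan_manifests() {
  rc=0
  for f in "$@"; do
    if check_manifest "$f"; then
      echo "ok      $f"
    else
      echo "REFUSED $f: plain Secret, run it through kubeseal first" >&2
      rc=1
    fi
  done
  return $rc
}

# Constructed samples mirroring Step 3 (never commit) and Step 4 (Git-safe).
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/mysecret.yaml" <<'EOF'
apiVersion: v1
kind: Secret
data:
  username: YWRtaW4=
  password: U2VjdXJlMTIzIQ==
EOF
cat > "$WORKDIR/mysealedsecret.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
spec:
  encryptedData:
    username: AgJ80QKlhxn...
EOF

scan_manifests "$WORKDIR"/*.yaml || echo "commit blocked" >&2
```

Wire `scan_manifests` into a pre-commit hook over the staged YAML files to stop a plain Secret from ever reaching the repository.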
Latchu | Senior DevOps & Cloud Engineer