"Sealed Secrets" for Kubernetes
Sealed Secrets provides declarative Kubernetes Secret management in a secure way. Because Sealed Secrets are encrypted, they can be safely stored in a code repository. This enables an easy-to-implement GitOps flow that is very popular in the OSS community.
On your command line
Sealed Secrets offers a powerful CLI tool (kubeseal) to one-way encrypt your Kubernetes Secrets easily.
On your K8S cluster
The Sealed Secrets controller decrypts any SealedSecret into its equivalent Kubernetes Secret.
On your code repository
Sealed Secrets are safe to store in your code repository, alongside the rest of your configuration.
SealedSecrets are a "write only" device. The idea is that the SealedSecret can be decrypted only by the controller running in the target cluster and nobody else (not even the original author) is able to obtain the original Secret from the SealedSecret.
Sealing key renewal
Sealing keys are automatically renewed every 30 days: a new sealing key is created and appended to the set of active sealing keys that the controller can use to unseal SealedSecret resources.
Sealed Secrets Metrics
The Sealed Secrets controller running in Kubernetes exposes Prometheus metrics. These metrics let operators observe how it is performing, for example how many SealedSecret unseals have been attempted and how many errors have occurred due to RBAC permissions, a wrong key, corrupted data, etc.
Sealed Secrets is released as open-source software and provides community support through its GitHub project page. If you encounter an issue or have a question, feel free to reach out on the GitHub issues page for Sealed Secrets.
The Sealed Secrets project team welcomes contributions from the community; please have a look at the contributing documentation.