# Sealed Secrets (noble)

Encrypts `Secret` manifests so they can live in git; the controller decrypts **SealedSecret** resources into **Secret**s in-cluster.

- **Chart:** `sealed-secrets/sealed-secrets` **2.18.4** (app **0.36.1**)
- **Namespace:** `sealed-secrets`

## Install

```bash
helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm repo update
kubectl apply -f clusters/noble/apps/sealed-secrets/namespace.yaml
helm upgrade --install sealed-secrets sealed-secrets/sealed-secrets -n sealed-secrets \
  --version 2.18.4 -f clusters/noble/apps/sealed-secrets/values.yaml --wait
```

## Workstation: `kubeseal`

Install a **kubeseal** build compatible with the controller (match the **app** minor version, e.g. **0.36.x** for **0.36.1**). Examples:

- **Homebrew:** `brew install kubeseal` (check `kubeseal --version` against the chart’s `image.tag` in `helm show values`).
- **GitHub releases:** [bitnami-labs/sealed-secrets](https://github.com/bitnami-labs/sealed-secrets/releases)

Fetch the cluster’s public seal cert (once per kube context):

```bash
kubeseal --fetch-cert > /tmp/noble-sealed-secrets.pem
```

Create a sealed secret from a normal secret manifest:

```bash
kubectl create secret generic example --from-literal=foo=bar --dry-run=client -o yaml \
  | kubeseal --cert /tmp/noble-sealed-secrets.pem -o yaml > example-sealedsecret.yaml
```

Commit `example-sealedsecret.yaml`; apply it with `kubectl apply -f`. The controller creates the **Secret** in the same namespace as the **SealedSecret**.

**Noble example:** `examples/kubeseal-newt-pangolin-auth.sh` (Newt / Pangolin tunnel credentials).

## Backup the sealing key

If the controller’s private key is lost, existing sealed files cannot be decrypted on a new cluster. Back up the key secret after install:

```bash
kubectl get secret -n sealed-secrets -l sealedsecrets.bitnami.com/sealed-secrets-key=active -o yaml > sealed-secrets-key-backup.yaml
```

Store `sealed-secrets-key-backup.yaml` in a safe offline location (not in public git).
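The script below is an added example for this README, not code from the sealed-secrets project or from this repo's `examples/` directory. It covers two points from the sections above: the kubeseal-vs-controller version match the `kubeseal` section asks for, and a sanity check that the exported backup file really contains an active key pair before it is moved offline. It assumes that `kubeseal --version` prints the version as the last whitespace-separated field, that the chart installs the controller as `sealed-secrets` in the `sealed-secrets` namespace (no `fullnameOverride` in `values.yaml`), and the `/tmp/noble-sealed-secrets.pem` path from above; the backup YAML embedded in it is a constructed sample with placeholder base64, not a real key.

```shell
#!/usr/bin/env bash
# Added example (not from the sealed-secrets project): guard the kubeseal
# workflow with a version check and verify a sealing-key backup file.
# Assumptions: `kubeseal --version` ends with the version string, and the
# controller runs as "sealed-secrets" in namespace "sealed-secrets".

# "v0.36.2" or "0.36.2" -> "0.36"
major_minor() {
  local v="${1#v}"
  printf '%s.%s\n' "$(printf '%s' "$v" | cut -d. -f1)" "$(printf '%s' "$v" | cut -d. -f2)"
}

# Exit 0 when both versions share major.minor (the README's compatibility
# rule: kubeseal 0.36.x for controller app 0.36.1), 1 otherwise.
kubeseal_compatible() {
  [ "$(major_minor "$1")" = "$(major_minor "$2")" ]
}

# Seal the plain Secret manifest given on stdin, refusing to run with a
# mismatched kubeseal. Fetches the cert if it is not cached yet.
# Usage: kubectl create secret generic x --from-literal=k=v --dry-run=client -o yaml \
#          | seal_checked 0.36.1 > x-sealedsecret.yaml
seal_checked() {
  local controller_app="$1"
  local cert="${2:-/tmp/noble-sealed-secrets.pem}"
  local local_ver
  local_ver="$(kubeseal --version 2>/dev/null | awk '{print $NF}')"  # assumption: version is last field
  if ! kubeseal_compatible "$local_ver" "$controller_app"; then
    echo "kubeseal $local_ver does not match controller app $controller_app" >&2
    return 1
  fi
  [ -s "$cert" ] || kubeseal --fetch-cert \
      --controller-namespace sealed-secrets --controller-name sealed-secrets > "$cert"
  kubeseal --cert "$cert" -o yaml
}

# Exit 0 if the backup file holds a Secret labelled active with both tls.crt
# and tls.key; 1 if the export is empty or missing either half of the pair.
backup_has_active_key() {
  local f="$1"
  [ -s "$f" ] || return 1
  grep -q 'sealedsecrets.bitnami.com/sealed-secrets-key: active' "$f" || return 1
  grep -q '^ *tls\.crt:' "$f" || return 1
  grep -q '^ *tls\.key:' "$f"
}

# Constructed sample in the shape `kubectl get secret ... -o yaml` produces.
# The data values are placeholder base64, not a real key pair.
CONSTRUCTED_BACKUP='apiVersion: v1
items:
- apiVersion: v1
  data:
    tls.crt: Q09OU1RSVUNURUQtQ0VSVA==
    tls.key: Q09OU1RSVUNURUQtS0VZ
  kind: Secret
  metadata:
    labels:
      sealedsecrets.bitnami.com/sealed-secrets-key: active
    name: sealed-secrets-keyxxxxx
    namespace: sealed-secrets
  type: kubernetes.io/tls
kind: List'

# Run the backup check against the constructed sample and return its status.
demo_backup_check() {
  local tmp rc
  tmp="$(mktemp)"
  printf '%s\n' "$CONSTRUCTED_BACKUP" > "$tmp"
  backup_has_active_key "$tmp"; rc=$?
  rm -f "$tmp"
  return $rc
}
```

Run `backup_has_active_key sealed-secrets-key-backup.yaml` right after the `kubectl get secret` export; a label selector that matches nothing still writes a valid but empty `List`, and this check catches that before the file is archived. `seal_checked` is the README's `kubeseal --cert ... -o yaml` step with the version gate in front of it.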