home-server/clusters/noble/bootstrap/sealed-secrets/README.md

Sealed Secrets (noble)

Encrypts Secret manifests so they can live in git; the controller decrypts SealedSecret resources into Secrets in-cluster.

  • Chart: sealed-secrets/sealed-secrets 2.18.4 (app 0.36.1)
  • Namespace: sealed-secrets

Install

helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm repo update
kubectl apply -f clusters/noble/bootstrap/sealed-secrets/namespace.yaml
helm upgrade --install sealed-secrets sealed-secrets/sealed-secrets -n sealed-secrets \
  --version 2.18.4 -f clusters/noble/bootstrap/sealed-secrets/values.yaml --wait

Workstation: kubeseal

Install a kubeseal build compatible with the controller (match app minor, e.g. 0.36.x for 0.36.1). Examples:

  • Homebrew: brew install kubeseal (check kubeseal --version against the chart's image.tag in helm show values).
  • GitHub releases: bitnami-labs/sealed-secrets

Fetch the cluster's public seal cert (once per kube context):

kubeseal --fetch-cert > /tmp/noble-sealed-secrets.pem

Create a sealed secret from a normal secret manifest:

kubectl create secret generic example --from-literal=foo=bar --dry-run=client -o yaml \
  | kubeseal --cert /tmp/noble-sealed-secrets.pem -o yaml > example-sealedsecret.yaml

Commit example-sealedsecret.yaml; apply it with kubectl apply -f. The controller creates the Secret in the same namespace as the SealedSecret.

Noble example: examples/kubeseal-newt-pangolin-auth.sh (Newt / Pangolin tunnel credentials).

Backup the sealing key

If the controller's private key is lost, existing sealed files cannot be decrypted on a new cluster. Back up the key secret after install:

kubectl get secret -n sealed-secrets -l sealedsecrets.bitnami.com/sealed-secrets-key=active -o yaml > sealed-secrets-key-backup.yaml

Store sealed-secrets-key-backup.yaml in a safe offline location (not in public git).
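Added example, not part of this repo: a small pre-commit check covering both the "commit the sealed file" step above and the key-backup warning. It assumes manifests are fed in as JSON (kubectl and kubeseal both accept -o json), reuses the sealedsecrets.bitnami.com/sealed-secrets-key=active label from the backup command, and assumes the default strict sealing scope, which binds the ciphertext to the SealedSecret's name and namespace.

```python
"""Guard for manifests headed for git: only SealedSecret objects may carry secret
material.  A plain Secret (base64 is encoding, not encryption) or the controller's
active sealing key must never be committed.  Input is JSON (`... -o json`)."""
import json

KEY_LABEL = "sealedsecrets.bitnami.com/sealed-secrets-key"


def _objects(manifest):
    """Yield each object, unwrapping a v1 List (what `kubectl get ... -o json` returns)."""
    if manifest.get("kind") == "List":
        yield from manifest.get("items", [])
    else:
        yield manifest


def check_manifest(text):
    """Return findings for one JSON manifest; an empty list means safe to commit."""
    findings = []
    for obj in _objects(json.loads(text)):
        meta = obj.get("metadata", {})
        ref = f"{meta.get('namespace', '<none>')}/{meta.get('name', '<unnamed>')}"
        if obj.get("kind") == "Secret":
            if meta.get("labels", {}).get(KEY_LABEL) == "active":
                findings.append(f"{ref}: active sealing key; keep the backup offline, never in git")
            elif obj.get("data") or obj.get("stringData"):
                findings.append(f"{ref}: plain Secret with payload; run it through kubeseal first")
        elif obj.get("kind") == "SealedSecret":
            enc = obj.get("spec", {}).get("encryptedData", {})
            if not enc or any(not v for v in enc.values()):
                findings.append(f"{ref}: SealedSecret carries no encrypted values")
            if not meta.get("namespace"):  # assumption: default strict scope binds name+namespace
                findings.append(f"{ref}: SealedSecret has no namespace; strict-scope decryption will fail")
    return findings


# Constructed samples; the ciphertext is shortened and not real kubeseal output.
SEALED = json.dumps({"apiVersion": "bitnami.com/v1alpha1", "kind": "SealedSecret",
    "metadata": {"name": "example", "namespace": "default"},
    "spec": {"encryptedData": {"foo": "AgBy3i4OJSWK+PfE..."},
             "template": {"metadata": {"name": "example", "namespace": "default"}}}})
PLAIN = json.dumps({"apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "example", "namespace": "default"}, "data": {"foo": "YmFy"}})
KEY_BACKUP = json.dumps({"apiVersion": "v1", "kind": "List", "items": [{
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "sealed-secrets-key-PLACEHOLDER", "namespace": "sealed-secrets",
                 "labels": {KEY_LABEL: "active"}},
    "data": {"tls.crt": "LS0t...", "tls.key": "LS0t..."}}]})
```

Wire it into a pre-commit hook that runs `check_manifest` over each staged manifest converted with `-o json` and refuses the commit on any finding.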