into DevOps and Cloud Native

Secrets management in Kubernetes using Sealed Secrets:

Kubernetes has gained its popularity due to its core nature of running an immutable infrastructure, where the pods, containers can be destroyed, and replaced automatically. This helps to ease out the deployment friction as you declaratively describe the resources in a manifest file. 

Kubernetes manifest files can be stored in a source code repository like GitHub and the Kubernetes operations can be managed easily using the GitOps methodology. However, one of the biggest challenges in Kubernetes is the secure storage and rotation of credentials / secrets such us passwords, keys, and certificates. While Kubernetes offers basic secrets management capabilities, it doesn’t help secure secrets needed both inside and outside of Kubernetes.

Here we discuss one of the ways to address this issue using “sealed secret”:

Sealed Secrets:

When looking at optimising the infrastructure costs, enterprises consider various cost-management best practices, but Kubernetes require a specialised a

Sealed Secrets is a Kubernetes object, which helps to store the encrypted Kubernetes secrets in a version control.It consists 2 main components.

  1. Sealed Secret Controller (At Server Side)
  2. Kubeseal Utility (At Client Side)
  • First step is to use sealed secrets is, install the sealed secret controller in the target cluster using the sealed-secret-controller helm chart.

helm repo add sealed-secrets

helm repo update

helm install sealed-secrets-controller –namespace kube-system –version 2.13 sealed-secrets/sealed-secrets

  • Install the kubeseal client in our machine

wget -O /usr/local/bin/kubeseal

brew install kubeseal or yum install kubeseal

  • Create and encrypt the secrets using the kubeseal

kubectl create secret generic db-password -n test –from-file=dbpassword.txt –dry-run=client -o yaml | kubeseal -o yaml > db-password.yaml

The output of the above command is


kind: SealedSecret


  creationTimestamp: null

  name: secret-sql-password

  namespace: test



    DB_PASSWORD: GBbjeKXfPSjqlTpXSxJWwFWd1Ag/6T6RS1b6lylLPDfFy4Xvk0YS+Ou6rED1FxE1ShhziLE8a7am0fbiA2YuJMSCMLAqc2VYcU3p3LS0QKXdWKelao7h5kLwue7rEnCnuKLSZXHuU6DV/yCBYIcCCz88dBmzE8ga1TARLsFRrZmq2EWgU/ON57tIexCEAyztWreJi1Qnf0uJZE56Zg3x1Fj7MJ4Z06pcSSAwY2v0yZ8UNo1qzdmTfkOg0sMXdaFwF9Nga83MPeXfyKdfiH6kAW+LjUbpWi4JHEK7elZswRCBtU6caKt2sxfmue38UbQw8AXL5TmECqwttuKADWictIfWWhCYnyaO7DQm7+a2kfKUaUHZlw8X3vJtoiXAO/cEFJv2+X29gmwvX24gixgD6yrnxpA+GBbjeKXfPSjqlTpXSxJWwFWd1+H1Fb4FWVs6m1PxehsrHDbVTk8kGVXDzV1KK9EjF+CIxQPhGEQTUVq4qMmLAnPKw8HQYmh73v1K/a2kfKUaUHZlw8X3vJtoiXAO/cEFJv2+X29gm


    data: null


      creationTimestamp: null

      name: db-password

      namespace: test

In the above manifest file, we can see that our database password is encrypted. Only the sealed-secret-controller within the cluster can decrypt the value. Hence these can be safely stored in a version control.

TL Consulting

TLConsulting brings its consulting and engineering personnel to application modernisation adoption and implementation by providing range of services – as If you need assistance with your Containers/Kubernetes adoption, please contact us at our kubernetes consulting services  page.