A simple web-gui for Bitnami's sealed-secrets, based on the awesome nicegui Python UI framework.

• Encrypt multiple secrets all at once.
• Supports encrypting for multiple clusters with different encryption keys. See example config.
• Choose sealing-scope: strict, namespace-wide, cluster-wide
  • cluster-wide scope is potentially dangerous and can be disabled in config.yaml
• Fetches encryption key via http/s from the sealed-secrets controller URL
• Generates the encrypted string + the complete sealed-secrets manifest
• Copy buttons for easy copy & paste of encrypted strings.
• Configurable settings and cluster URLs in config.yaml
• Supports multi-line secrets (eg. PEM files)
• Secret types that can be created:
  • generic
  • dockerconfigjson
  • tls

The actual secret encryption process is done on the server-side using the kubeseal binary, so be sure to use a secure connection to access this web-app!

As we use kubeseal --cert <URL> ... for secret encryption internally, the host serving this web-app is the only one requiring http/s access to the sealedsecrets controller web-url, to retrieve the public encryption key.

• Update these ENV vars in .env:

  RELEASE_IMAGE=ghcr.io/alpium-it/kubeseal-web
  RELEASE_TAG=v1.1.3
  

• Build the image and push to your registry, eg:

  docker compose build --push
  

• Sealed-Secrets controller installed in your cluster ;-) => Install Sealed-Secrets

• Enable the ingress, thus exposing your sealed-secrets controller public encryption-key via URL! This can easily be done during installation of Bitnami's Sealed-Secrets Helm chart:

  ...
  values:
    ingress:
      enabled: true  # default: false
      hostname: "cert.sealedsecrets.east.example.com"
      # optional: Default path for the ingress record
      # path: /v1/cert.pem
  

• See folder k8s. Uses kustomize. Modify/create overlay if required.
• Deploys to namespace sealed-secrets by default!
• Optionally edit newName & newTag in file kustomization.yaml
• Run kustomize build k8s/env/demo | kubectl apply -f -

# clusters dictionary
#
# CLUSTERNAME:
#    url: <URL OF SEALED-SECRETS ROUTE>
#    namespacePrefix: "dev-"  # will be prepended to the namespace's name
#    enabled: true | false    # set the cluste's checkbox to checked or unchecked initially

defaults:
  enable-cluster-wide-encryption: true
  max-secrets: 5

clusters:
  east:
    url: http://cert.sealedsecrets.east.example.com/v1/cert.pem
    namespacePrefix: east-
    enabled: true

  west:
    url: http://cert.sealedsecrets.west.example.com/v1/cert.pem
    enabled: false
    namespacePrefix: west-

  global:
    url: http://cert.sealedsecrets.global.example.com/v1/cert.pem
    enabled: false