Terraform Provider for Kubeseal (bitnami-labs/sealed-secrets)

Warning

This project is currently a work in progress and should not be considered stable

This provider is built on the Terraform Plugin Framework.

A Terraform provider for encrypting Kubernetes secrets into SealedSecrets using the sealed-secrets controller certificate. This allows you to safely store encrypted secret manifests in version control and apply them to your cluster.

This provider exposes:

A resource (kubeseal_sealed_secret) that encrypts secret key-value pairs and outputs a ready-to-apply SealedSecret manifest in JSON and YAML.
A data source (kubeseal_certificate) that fetches the public sealing certificate from the sealed-secrets controller.

Requirements

Terraform >= 1.0
Go >= 1.24
A running sealed-secrets controller in your Kubernetes cluster

Building The Provider

Clone the repository
Enter the repository directory
Build the provider using the Go install command:

go install

Using the Provider

Provider Configuration

terraform {
  required_providers {
    kubeseal = {
      source  = "registry.terraform.io/phaezer/kubeseal"
      version = "~> 0.1"
    }
  }
}

# Uses default kubeconfig at ~/.kube/config
provider "kubeseal" {
  controller_name      = "sealed-secrets-controller"
  controller_namespace = "kube-system"
}

The provider also supports explicit Kubernetes API server credentials:

provider "kubeseal" {
  kubernetes {
    host                   = "https://my-cluster.example.com"
    token                  = "my-bearer-token"
    cluster_ca_certificate = file("ca.crt")
  }
}

Encrypting a Secret

resource "kubeseal_sealed_secret" "example" {
  name      = "my-secret"
  namespace = "default"
  type      = "Opaque"
  scope     = "strict"

  secret_data = {
    username = "admin"
    password = "supersecret"
  }

  labels = {
    app = "my-app"
  }
}

output "sealed_secret_yaml" {
  value = kubeseal_sealed_secret.example.sealed_secret_yaml
}

output "sealed_secret_json" {
  value = kubeseal_sealed_secret.example.sealed_secret_json
}

The sealed_secret_yaml and sealed_secret_json outputs contain the full SealedSecret manifest, ready to be committed to version control or applied directly to your cluster with kubectl apply.

Fetching the Sealing Certificate

data "kubeseal_certificate" "main" {}

output "certificate" {
  value = data.kubeseal_certificate.main.certificate
}

Name		Name	Last commit message	Last commit date
Latest commit History 18 Commits
.github		.github
docs		docs
examples		examples
internal		internal
tools		tools
.gitignore		.gitignore
.golangci.yml		.golangci.yml
.goreleaser.yml		.goreleaser.yml
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
go.mod		go.mod
go.sum		go.sum
main.go		main.go
terraform-registry-manifest.json		terraform-registry-manifest.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Terraform Provider for Kubeseal (bitnami-labs/sealed-secrets)

Requirements

Building The Provider

Using the Provider

Provider Configuration

Encrypting a Secret

Fetching the Sealing Certificate

About

Uh oh!

Releases

Packages

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

Terraform Provider for Kubeseal (bitnami-labs/sealed-secrets)

Requirements

Building The Provider

Using the Provider

Provider Configuration

Encrypting a Secret

Fetching the Sealing Certificate

About

Topics

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Contributors

Uh oh!

Languages

Packages