bakito / sealed-secrets-web

A web interface for Sealed Secrets by Bitnami.


Sealed Secrets Web is a web interface for Sealed Secrets by Bitnami. The web interface lets you encode and decode the keys in the data field of a secret, load existing Sealed Secrets, and create Sealed Secrets. Under the hood it uses the Sealed Secrets service API to encrypt your secrets. The web interface should be installed in your Kubernetes cluster, so your developers do not need access to your cluster via kubectl.

  • Encode: Base64 encodes each key in the stringData field in a secret.
  • Decode: Base64 decodes each key in the data field in a secret.
  • Secrets: Returns a list of all Sealed Secrets in all namespaces. With a click on the Sealed Secret the decrypted Kubernetes secret is loaded.
  • Seal: Encrypts a Kubernetes secret and creates the Sealed Secret.
  • Validate: Validates a Sealed Secret.

Installation

sealed-secrets-web can be installed via our Helm chart:

helm repo add bakito https://charts.bakito.net
helm repo update

helm upgrade --install sealed-secrets-web bakito/sealed-secrets-web

To change the settings for Sealed Secrets, you can modify the arguments for the Docker image with the --set flag. For example, you can set a different controller namespace and service name during installation with the following command:

helm upgrade --install sealed-secrets-web bakito/sealed-secrets-web \
  --set sealedSecrets.namespace=sealed-secrets \
  --set sealedSecrets.serviceName=sealed-secrets

Or, if you want to disable the ability to load existing secrets (the Secrets function above, which loads the decrypted Kubernetes secret) and use the tool purely to seal new ones, you can use:

helm upgrade --install sealed-secrets-web bakito/sealed-secrets-web \
  --set disableLoadSecrets=true

To render templates locally:

cd chart
helm template . -f values.yaml

The available Helm values are listed at https://github.com/bakito/sealed-secrets-web/blob/main/chart/values.yaml and the available application options at https://github.com/bakito/sealed-secrets-web/blob/main/pkg/config/types.go#L14-L22

API Usage

Get current certificate

curl --request GET 'https://<SEALED_SECRETS_WEB_BASE_URL>/api/certificate'

Seal a secret using the server's certificate

With the sealed secret as YAML output

curl --request POST 'https://<SEALED_SECRETS_WEB_BASE_URL>/api/kubeseal' \
  --header 'Accept: application/x-yaml' \
  --data-binary '@stringData.yaml'

With the sealed secret as JSON output

curl --request POST 'https://<SEALED_SECRETS_WEB_BASE_URL>/api/kubeseal' \
  --header 'Accept: application/json' \
  --data-binary '@stringData.yaml'

Sealing one value with the default scope

curl --request POST 'https://<SEALED_SECRETS_WEB_BASE_URL>/api/raw' \
     --header 'Content-Type: application/json' \
     --data '{ "name": "mysecretname", "namespace": "mysecretnamespace", "value": "value to seal" }'
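
The curl call above puts the value to seal on the command line, where it can end up in shell history and be visible in the process list, and its hand-written JSON breaks on values containing quotes or newlines. The following Python client is an added example, not code from the sealed-secrets-web project: it reads the value from stdin, builds the /api/raw body with proper escaping, and refuses non-HTTPS base URLs. The function names and the script name are assumptions for illustration.

```python
import json
import sys
import urllib.request
from urllib.parse import urlsplit


def build_raw_seal_request(base_url, name, namespace, value):
    """Build (but do not send) the POST to /api/raw for one value."""
    parts = urlsplit(base_url)
    # The body carries the plaintext secret, so refuse anything but HTTPS.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("base URL must be https://host[/path]")
    # json.dumps escapes quotes, backslashes and newlines in the value,
    # which hand-written JSON inside a shell string does not.
    body = json.dumps(
        {"name": name, "namespace": namespace, "value": value}
    ).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/raw",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json"},
    )


def seal_raw(base_url, name, namespace, value, timeout=10):
    """Send the request; urlopen verifies the server certificate by default."""
    req = build_raw_seal_request(base_url, name, namespace, value)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        # The response format is not specified on this page; return it as text.
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Usage (hypothetical script name):
    #   python seal_raw.py BASE_URL NAME NAMESPACE < value.txt
    # The value comes from stdin so it never appears in argv or shell history.
    base, secret_name, secret_ns = sys.argv[1:4]
    print(seal_raw(base, secret_name, secret_ns, sys.stdin.read()))
```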

Validate sealed secret

NOTE: Validate is only available when using the cluster-internal API (e.g. certURL not set); see bitnami-labs/sealed-secrets.

curl --request POST 'https://<SEALED_SECRETS_WEB_BASE_URL>/api/validate' \
  --header 'Accept: application/x-yaml' \
  --data-binary '@stringData.yaml'

Development

For development, we are using a local Kubernetes cluster using kind. When the cluster is created we install Sealed Secrets using Helm:

./run_local.sh

Access the interface via http://localhost/ssw


License: MIT License

