Sealed Secrets
Bitnami Sealed Secrets lets you store encrypted secrets safely in Git. This chart supports Sealed Secrets as a first-class feature — no extra configuration is needed beyond installing the controller in the cluster.
Environment variables
Use sealedSecrets to declare encrypted values that are auto-mounted as environment variables in every container (same as secrets):
```yaml
sealedSecrets:
  DATABASE_PASSWORD: AgBy3i4OJSWK... # kubeseal --raw output
  API_KEY: AgCAt8kDe2nJ...
```
Seal a value with:
```shell
echo -n 'mysecret' | kubeseal --raw --from-file=/dev/stdin --namespace mynamespace --name myapp
```
Mounted files
Use mountedSealedSecretFiles to mount encrypted files into containers (same as mountedSecretFiles, defaults to /secrets/):
```yaml
mountedSealedSecretFiles:
  serviceaccount.json: AgBy3i4OJSWK... # mounted at /secrets/serviceaccount.json
  /etc/app/config.json: AgCAt8kDe2nJ... # mounted at absolute path
```
Scope
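Both resources are created with the annotation sealedsecrets.bitnami.com/cluster-wide: "true". With cluster-wide scope, a sealed value is not bound to a particular namespace or resource name. For namespace-scoped sealing, seal with --scope namespace-wide and set the matching annotation in your values using extraManifests.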
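
Because values under sealedSecrets and mountedSealedSecretFiles are committed to Git, a pre-commit check that every entry is shaped like kubeseal --raw output catches plaintext pasted there by mistake. The following is an added example, not part of this chart: the function names and sample values are hypothetical, and it assumes the Sealed Secrets hybrid ciphertext layout (2-byte big-endian length, RSA-encrypted session key, AES-GCM payload) and a controller key of at least RSA-2048.

```python
import base64
import binascii
import struct

SEALED_KEYS = ("sealedSecrets", "mountedSealedSecretFiles")
GCM_TAG_LEN = 16   # AES-GCM tag appended to the encrypted payload
MIN_RSA_LEN = 256  # assumption: controller key is at least RSA-2048


def looks_sealed(value):
    """Structural check only: it cannot prove the value will decrypt."""
    if not isinstance(value, str):
        return False
    try:
        blob = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(blob) < 2:
        return False
    (rsa_len,) = struct.unpack(">H", blob[:2])
    return rsa_len >= MIN_RSA_LEN and len(blob) >= 2 + rsa_len + GCM_TAG_LEN


def find_unsealed(values):
    """Return 'section.key' for each entry not shaped like ciphertext."""
    bad = []
    for section in SEALED_KEYS:
        for key, value in (values.get(section) or {}).items():
            if not looks_sealed(value):
                bad.append(f"{section}.{key}")
    return bad


def constructed_blob(rsa_len=512, payload_len=8):
    """Constructed sample with the right shape; not real kubeseal output."""
    raw = struct.pack(">H", rsa_len) + bytes(rsa_len + payload_len + GCM_TAG_LEN)
    return base64.b64encode(raw).decode()


SAMPLE_VALUES = {  # constructed, as parsed from a values.yaml
    "sealedSecrets": {
        "DATABASE_PASSWORD": constructed_blob(),
        "API_KEY": "mysecret",  # plaintext pasted by mistake
    },
    "mountedSealedSecretFiles": {
        "serviceaccount.json": '{"type": "service_account"}',
    },
}

if __name__ == "__main__":
    for path in find_unsealed(SAMPLE_VALUES):
        print("not sealed:", path)
```

The check is structural, so it does not confirm that a value was sealed for the right cluster or scope; only the controller can do that.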