Sealed Secrets Web is a web interface for Sealed Secrets by
Bitnami. The web interface let you encode, decode the keys in the data field of a secret, load existing Sealed Secrets
and create Sealed Secrets. Under the hood it uses Sealed Secrets service API to encrypt your secrets. The web interface
should be installed to your Kubernetes cluster, so your developers do not need access to
your cluster via kubectl.
- Encode: Base64 encodes each key in the
stringDatafield in a secret. - Decode: Base64 decodes each key in the
datafield in a secret. - Secrets: Returns a list of all Sealed Secrets in all namespaces. With a click on the Sealed Secret the decrypted Kubernetes secret is loaded.
- Seal: Encrypt a Kubernetes secret and creates the Sealed Secret.
- Validate: Validate a Sealed Secret.
sealed-secrets-web can be installed via our Helm chart:
helm repo add bakito https://charts.bakito.net
helm repo update
helm upgrade --install sealed-secrets-web bakito/sealed-secrets-webTo modify the settings for Sealed Secrets you can modify the arguments for the Docker image with the --set flag. For
example you can set a different controller-name during the installation with the following command:
helm upgrade --install sealed-secrets-web bakito/sealed-secrets-web \
--set sealedSecrets.namespace=sealed-secrets \
--set sealedSecrets.serviceName=sealed-secrets
or if you want to disable ability to load existing secrets, and use the tool purelly to seal new ones you can use:
helm upgrade --install sealed-secrets-web bakito/sealed-secrets-web \
--set disableLoadSecrets=trueTo render templates locally:
cd chart
helm template . -f values.yamlYou can check helm values available at https://github.com/bakito/sealed-secrets-web/blob/main/chart/values.yaml Also, check available application options at https://github.com/bakito/sealed-secrets-web/blob/main/pkg/config/types.go#L14-L22
curl --request GET 'https://<SEALED_SECRETS_WEB_BASE_URL>/api/certificate'curl --request POST 'https://<SEALED_SECRETS_WEB_BASE_URL>/api/kubeseal' \
--header 'Accept: application/yaml' \
--data-binary '@stringData.yaml'curl --request POST 'https://<SEALED_SECRETS_WEB_BASE_URL>/api/kubeseal' \
--header 'Accept: application/json' \
--data-binary '@stringData.yaml'curl -request POST 'https://<SEALED_SECRETS_WEB_BASE_URL>/api/raw' \
--header 'Content-Type: application/json' \
--data '{ "name": "mysecretname", "namespace": "mysecretnamespace", "value": "value to seal" }'NOTE: Validate is only available when using cluster internal api (e.g. certURL not set) see bitnami-labs/sealed-secrets
curl --request POST 'https://<SEALED_SECRETS_WEB_BASE_URL>/api/validate' \
--header 'Accept: application/yaml' \
--data-binary '@stringData.yaml'For development, we are using a local Kubernetes cluster using kind. When the cluster is created we install Sealed Secrets using Helm:
./run_local.shAccess the interface via http://localhost/ssw
This section is about using sealed-secrets-web with Traefik ingress controller.
Traefik does not by default strip the path when forwarding to application. If you path is localhost/seal, then your route will be parsed by Traefik and your application will be accessed at /seal, not /.
To configure Traefik correctly, apply the following resource:
$ cat << EOF > traefik-strip-prefix-middleware.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: strip-prefix
namespace: kube-system # can be anything, but needs ingress.metadata.annotations spec: traefik.ingress.kubernetes.io/router.middlewares: namespace-strip-prefix@kubernetescrd
spec:
stripPrefixRegex:
regex:
- ^/[^/]+
EOF
$ kubectl apply -f traefik-strip-prefix-middleware.yamlNext, in your values.yaml, adapt the following to your host:
ingress:
enabled: true
className: traefik
hosts:
- host: your.host
paths:
- path: /seal
pathType: Prefix
annotations:
traefik.ingress.kubernetes.io/router.middlewares: kube-system-strip-prefix@kubernetescrd
sealedSecrets:
certURL: https://your.host/v1/cert.pem
webLogs: true
webContext: /seal