This is a must-know skill for DevOps, GitOps, ArgoCD, Flux, and secure CI/CD workflows.

You will learn to:

- Install the Sealed Secrets controller
- Create a Kubernetes Secret
- Encrypt it into a SealedSecret (safe to commit to Git)
- Apply the encrypted object
- Verify the controller decrypts it back into a real Secret

Sealed Secrets = Git-safe encrypted secrets.
## Requirements

This scenario requires:

- Any Kubernetes cluster (GKE, EKS, AKS, Minikube)
- Access to install CRDs (cluster-admin recommended)
## Step 1: Install the Sealed Secrets Controller (on the cluster)

Install using Helm (recommended):

```bash
helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm install sealed-secrets-controller sealed-secrets/sealed-secrets \
  --namespace kube-system
```

Verify:

```bash
kubectl -n kube-system get pods | grep sealed-secrets
```

You should see:

```
sealed-secrets-controller-xxxxx   Running
```

## Step 2: Install the kubeseal CLI (local machine / Cloud Shell)
For Cloud Shell or Linux:

```bash
curl -L -O https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.32.2/kubeseal-0.32.2-linux-amd64.tar.gz
tar -xzvf kubeseal-0.32.2-linux-amd64.tar.gz kubeseal
sudo install -m 755 kubeseal /usr/local/bin/kubeseal
```

Verify:

```bash
kubeseal --version
```

## Step 3: Create a Secret (DO NOT APPLY)
Create a file:

```yaml
# mysecret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: default
type: Opaque
data:
  username: YWRtaW4=
  password: U2VjdXJlMTIzIQ==
```

This YAML contains sensitive values that are only base64-encoded, not encrypted (anyone with read access to the file can decode them). NEVER commit this.

Now we will encrypt it.
## Step 4: Encrypt the Secret into a SealedSecret

Run:

```bash
kubeseal --controller-namespace kube-system --format yaml \
  < mysecret.yaml > mysealedsecret.yaml
```

Check the output:

```bash
cat mysealedsecret.yaml
```

You will see something like:

```yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-credentials
  namespace: default
spec:
  encryptedData:
    password: AgDY72jkLJ8z...
    username: AgJ80QKlhxn...
```

- Safe to store in Git
- Only decryptable by the controller running in your cluster: kubeseal fetches the controller's public certificate and encrypts with it; the private key never leaves the cluster
- With the default (strict) scope the ciphertext is bound to this name and namespace, so a renamed or moved SealedSecret will not decrypt

![Image 3](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/mznguimzz4132dcpc76l.png)
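The difference between the two manifests above is exactly what a repository guard should enforce: a plain `Secret` with `data`/`stringData` must never reach Git, while a `SealedSecret` is fine. The following pre-commit check is an added example (not part of the original post or of the sealed-secrets project). It uses only the Python standard library and scans top-level keys line by line rather than parsing YAML fully; the embedded sample manifests are constructed from the tutorial's own snippets (the `encryptedData` values are the truncated placeholders shown above), and the script name `check_secrets.py` is an assumption.

```python
"""check_secrets.py: refuse to commit plain Kubernetes Secrets; allow SealedSecrets.

Added example for this tutorial, not project code. Standard library only.
"""
import re
import sys
from dataclasses import dataclass, field

DOC_SEP = re.compile(r"^---\s*$")
# An unindented key at column 0 (kind:, data:, stringData:, spec:, ...).
TOP_KEY = re.compile(r"^([A-Za-z][\w.-]*):\s*(.*)$")
# An indented "key: value" line, i.e. an entry under the current top-level key.
NESTED_KEY = re.compile(r"^\s+([\w.-]+):")


@dataclass
class Finding:
    doc_index: int
    kind: str
    exposed_keys: list = field(default_factory=list)


def split_documents(text):
    """Split a multi-document YAML string on '---' and drop empty/comment-only docs."""
    docs, current = [], []
    for line in text.splitlines():
        if DOC_SEP.match(line):
            docs.append(current)
            current = []
        else:
            current.append(line)
    docs.append(current)
    return [d for d in docs
            if any(ln.strip() and not ln.lstrip().startswith("#") for ln in d)]


def scan_document(lines):
    """Return (kind, exposed_keys): keys found under top-level data:/stringData:."""
    kind, section, exposed = "", None, []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        top = TOP_KEY.match(line)
        if top:
            key, value = top.group(1), top.group(2).strip()
            section = key if key in ("data", "stringData") else None
            if key == "kind":
                kind = value
            elif section and value and value not in ("{}", "null", "~"):
                exposed.append(f"<inline {key}>")  # e.g. data: {user: ...}, fail closed
            continue
        nested = NESTED_KEY.match(line)
        if section and nested:
            exposed.append(nested.group(1))
    return kind, exposed


def check_manifest(text):
    """Return a Finding for every document that would leak secret material if committed."""
    findings = []
    for i, doc in enumerate(split_documents(text)):
        kind, exposed = scan_document(doc)
        if kind == "Secret" and exposed:
            findings.append(Finding(i, kind, exposed))
    return findings


def main(paths):
    """CLI entry: print each finding to stderr and return a non-zero status if any."""
    bad = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for f in check_manifest(fh.read()):
                bad += 1
                print(f"{path}: document {f.doc_index} is a plain {f.kind} exposing "
                      f"{f.exposed_keys}; seal it with kubeseal before committing",
                      file=sys.stderr)
    return 1 if bad else 0


# Constructed samples, taken from the tutorial's snippets (ciphertexts are truncated placeholders).
PLAIN_SECRET = """apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: default
type: Opaque
data:
  username: YWRtaW4=
  password: U2VjdXJlMTIzIQ==
"""

SEALED_SECRET = """apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-credentials
  namespace: default
spec:
  encryptedData:
    password: AgDY72jkLJ8z...
    username: AgJ80QKlhxn...
"""

# A ConfigMap with data: is fine; a Secret with stringData: is not.
MIXED_FILE = """apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: info
---
apiVersion: v1
kind: Secret
metadata:
  name: api-token
stringData:
  token: constructed-placeholder-token
"""

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wired into a Git pre-commit hook as `python3 check_secrets.py $(git diff --cached --name-only -- '*.yaml' '*.yml')`, the commit is blocked whenever a staged manifest is a plain `Secret` carrying data, which is the failure mode Step 3 warns about; `mysealedsecret.yaml` from Step 4 passes because its only payload lives under `spec.encryptedData`.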
## Step 5: Apply the SealedSecret

```bash
kubectl apply -f mysealedsecret.yaml
```

The controller will automatically:

- Decrypt the sealed data
- Create the real Kubernetes Secret

Verify:

```bash
kubectl get secret db-credentials
```

You will see:

```
NAME             TYPE     DATA   AGE
db-credentials   Opaque   2      5s
```

## Step 6: Check the Decrypted Secret Values

Run:

```bash
kubectl get secret db-credentials -o jsonpath='{.data.username}' | base64 -d
```

Output:

```
admin
```

Check the password:

```bash
kubectl get secret db-credentials -o jsonpath='{.data.password}' | base64 -d
```

Output:

```
Secure123!
```

- Decrypted successfully
- Exactly what you defined
- But the secret in Git is encrypted
Thanks for reading! If this post added value, a like, follow, or share would encourage me to keep creating more content.

Latchu | Senior DevOps & Cloud Engineer
AWS | GCP | Kubernetes | Security | Automation
Sharing hands-on guides, best practices & real-world cloud solutions