privilegedescalation/headlamp-sealed-secrets-plugin
12
0
Fork 0
Code Issues 2 Pull Requests 2 Actions Packages Projects Releases 27 Wiki Activity

docs: redirect Headlamp install namespace from kube-system to headlamp

Browse Source 
Updates install docs, READMEs, troubleshooting guides, and CI/CD tutorial
to reference Headlamp's own install namespace (headlamp) instead of
kube-system for where the Headlamp plugin/UI is installed.

Out-of-scope (left unchanged):
- Source code references to kube-system (controller workload location)
- Test files with kube-system in mock configs

Files changed:
- docs/getting-started/installation.md
- docs/getting-started/quick-start.md
- docs/troubleshooting/README.md
- docs/troubleshooting/common-errors.md
- docs/troubleshooting/controller-issues.md
- docs/troubleshooting/encryption-failures.md
- docs/troubleshooting/permission-errors.md
- docs/tutorials/ci-cd-integration.md
- docs/development/workflow.md

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Chris Farhood
2026-05-04 07:44:22 +00:00
committed by Gandalf the Greybeard [agent]
parent ecdee4a95a
commit 143b2c36e0
9 changed files with 118 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/development/workflow.md
+2 -2
View File
@@ -214,8 +214,8 @@ npm run package
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
# Verify installation
kubectl get deployment -n kube-system sealed-secrets-controller
kubectl get svc -n kube-system sealed-secrets-controller
kubectl get deployment -n headlamp sealed-secrets-controller
kubectl get svc -n headlamp sealed-secrets-controller
```
**Test Scenarios:**
docs/getting-started/installation.md
+3 -3
View File
@@ -208,13 +208,13 @@ headlamp --version # Should be >= v0.13.0
**Verify controller is running**:
```bash
kubectl get pods -n kube-system -l name=sealed-secrets-controller
kubectl get pods -n headlamp -l name=sealed-secrets-controller
# Should show: Running pod
```
**Check controller service**:
```bash
kubectl get svc -n kube-system sealed-secrets-controller
kubectl get svc -n headlamp sealed-secrets-controller
# Should exist with ClusterIP
```
@@ -231,7 +231,7 @@ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/downloa
kubectl get sealedsecrets --all-namespaces
# Can you get the service?
kubectl get svc -n kube-system sealed-secrets-controller
kubectl get svc -n headlamp sealed-secrets-controller
```
**Verify CRD exists**:
docs/getting-started/quick-start.md
+2 -2
View File
@@ -162,7 +162,7 @@ For CI/CD or offline encryption:
**Check controller status**:
```bash
kubectl get pods -n kube-system -l name=sealed-secrets-controller
kubectl get pods -n headlamp -l name=sealed-secrets-controller
```
**If not running**, install it:
@@ -197,7 +197,7 @@ rules:
2. **Verify controller connectivity**:
```bash
kubectl get svc -n kube-system sealed-secrets-controller
kubectl get svc -n headlamp sealed-secrets-controller
```
3. **Check browser console**:
docs/troubleshooting/README.md
+5 -5
View File
@@ -38,10 +38,10 @@ headlamp --version # Should be v0.13.0+
**Quick Checks**:
```bash
# Check controller is running
kubectl get pods -n kube-system -l name=sealed-secrets-controller
kubectl get pods -n headlamp -l name=sealed-secrets-controller
# Check service exists
kubectl get svc -n kube-system sealed-secrets-controller
kubectl get svc -n headlamp sealed-secrets-controller
```
**Solution**: See [Controller Issues](controller-issues.md)
@@ -71,7 +71,7 @@ kubectl auth can-i get secrets
**Quick Checks**:
```bash
# Check certificate is valid
kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -dates
kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -dates
```
**Solution**: See [Encryption Failures](encryption-failures.md)
@@ -89,7 +89,7 @@ If you can't find a solution:
tail -f ~/Library/Logs/Headlamp/main.log
# Controller logs
kubectl logs -n kube-system -l name=sealed-secrets-controller
kubectl logs -n headlamp -l name=sealed-secrets-controller
```
2. **Enable browser console**:
@@ -111,7 +111,7 @@ When reporting an issue, include:
- **Plugin version**: Check Settings page or `package.json`
- **Headlamp version**: `headlamp --version`
- **Kubernetes version**: `kubectl version --short`
- **Controller version**: `kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'`
- **Controller version**: `kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'`
- **Error messages**: Full error text from UI or console
- **Browser console logs**: Copy from Developer Tools
- **Steps to reproduce**: What you did before the error
docs/troubleshooting/common-errors.md
+19 -19
View File
@@ -65,7 +65,7 @@ brew upgrade headlamp
**Full Error**:
```
Failed to fetch certificate: Service 'sealed-secrets-controller' not found in namespace 'kube-system'
Failed to fetch certificate: Service 'sealed-secrets-controller' not found in namespace 'headlamp'
```
**Cause**: Sealed Secrets controller not installed
@@ -76,10 +76,10 @@ Failed to fetch certificate: Service 'sealed-secrets-controller' not found in na
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
# Wait for controller to be ready
kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-controller --timeout=60s
kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-controller --timeout=60s
# Verify
kubectl get pods -n kube-system -l name=sealed-secrets-controller
kubectl get pods -n headlamp -l name=sealed-secrets-controller
```
---
@@ -96,13 +96,13 @@ Health check failed: Connection timeout after 3 attempts
**Diagnosis**:
```bash
# 1. Check controller is running
kubectl get pods -n kube-system -l name=sealed-secrets-controller
kubectl get pods -n headlamp -l name=sealed-secrets-controller
# 2. Check logs
kubectl logs -n kube-system -l name=sealed-secrets-controller --tail=50
kubectl logs -n headlamp -l name=sealed-secrets-controller --tail=50
# 3. Test direct connection
kubectl port-forward -n kube-system service/sealed-secrets-controller 8080:8080
kubectl port-forward -n headlamp service/sealed-secrets-controller 8080:8080
# In another terminal:
curl http://localhost:8080/v1/cert.pem
```
@@ -111,14 +111,14 @@ curl http://localhost:8080/v1/cert.pem
**If pod is not running**:
```bash
kubectl describe pod -n kube-system -l name=sealed-secrets-controller
kubectl describe pod -n headlamp -l name=sealed-secrets-controller
```
Look for image pull errors, resource constraints, or CrashLoopBackOff.
**If pod is running but not responding**:
```bash
# Restart the controller
kubectl rollout restart deployment -n kube-system sealed-secrets-controller
kubectl rollout restart deployment -n headlamp sealed-secrets-controller
```
---
@@ -138,12 +138,12 @@ Warning: Controller version v0.18.0 detected. Plugin tested with v0.24.0+
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
# Verify upgrade
kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
```
**Warning**: Backup sealing keys before upgrading:
```bash
kubectl get secret -n kube-system sealed-secrets-key -o yaml > sealed-secrets-key-backup.yaml
kubectl get secret -n headlamp sealed-secrets-key -o yaml > sealed-secrets-key-backup.yaml
```
---
@@ -162,14 +162,14 @@ Encryption failed: Invalid public key format
**Diagnosis**:
```bash
# Fetch and validate certificate
kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
openssl x509 -in cert.pem -noout -text
```
**Solution**:
If certificate is invalid, the controller may be corrupted. Restart it:
```bash
kubectl rollout restart deployment -n kube-system sealed-secrets-controller
kubectl rollout restart deployment -n headlamp sealed-secrets-controller
```
---
@@ -188,7 +188,7 @@ Encryption failed: Certificate expired on 2025-01-15
**Option 1: Use existing valid certificate** (if you have multiple keys):
```bash
# List all certificates
kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key
kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key
# Plugin will automatically use the newest valid certificate
```
@@ -196,11 +196,11 @@ kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-k
**Option 2: Rotate sealing keys**:
```bash
# Generate new key (requires cluster-admin)
kubectl delete secret -n kube-system sealed-secrets-key
kubectl rollout restart deployment -n kube-system sealed-secrets-controller
kubectl delete secret -n headlamp sealed-secrets-key
kubectl rollout restart deployment -n headlamp sealed-secrets-controller
# Wait for new key generation
kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-controller --timeout=60s
kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-controller --timeout=60s
```
**Warning**: After key rotation, existing SealedSecrets remain valid but cannot be modified. See [Secret Rotation Tutorial](../tutorials/secret-rotation.md).
@@ -493,10 +493,10 @@ Failed to fetch certificate: Connection timeout after 30000ms
kubectl cluster-info
# Test service connectivity
kubectl get svc -n kube-system sealed-secrets-controller
kubectl get svc -n headlamp sealed-secrets-controller
# Port-forward and test manually
kubectl port-forward -n kube-system service/sealed-secrets-controller 8080:8080
kubectl port-forward -n headlamp service/sealed-secrets-controller 8080:8080
curl http://localhost:8080/v1/cert.pem
```
@@ -534,7 +534,7 @@ If your error isn't listed:
2. **Check Controller Logs**:
```bash
kubectl logs -n kube-system -l name=sealed-secrets-controller --tail=100
kubectl logs -n headlamp -l name=sealed-secrets-controller --tail=100
```
3. **Enable Debug Logging** (browser console):
docs/troubleshooting/controller-issues.md
+56 -56
View File
@@ -23,13 +23,13 @@ Plugin shows "Controller not found" or health status is unhealthy.
```bash
# Check if controller exists
kubectl get deployment -n kube-system sealed-secrets-controller
kubectl get deployment -n headlamp sealed-secrets-controller
# Check service
kubectl get svc -n kube-system sealed-secrets-controller
kubectl get svc -n headlamp sealed-secrets-controller
# Check pods
kubectl get pods -n kube-system -l name=sealed-secrets-controller
kubectl get pods -n headlamp -l name=sealed-secrets-controller
```
### Solutions
@@ -43,10 +43,10 @@ Install the controller:
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
# Wait for deployment
kubectl wait --for=condition=available deployment/sealed-secrets-controller -n kube-system --timeout=60s
kubectl wait --for=condition=available deployment/sealed-secrets-controller -n headlamp --timeout=60s
# Verify
kubectl get pods -n kube-system -l name=sealed-secrets-controller
kubectl get pods -n headlamp -l name=sealed-secrets-controller
```
#### Wrong Namespace
@@ -85,13 +85,13 @@ Controller pod shows `Pending`, `ContainerCreating`, or `ImagePullBackOff`.
```bash
# Check pod status
kubectl get pods -n kube-system -l name=sealed-secrets-controller
kubectl get pods -n headlamp -l name=sealed-secrets-controller
# Get detailed status
kubectl describe pod -n kube-system -l name=sealed-secrets-controller
kubectl describe pod -n headlamp -l name=sealed-secrets-controller
# Check events
kubectl get events -n kube-system --sort-by='.lastTimestamp' | grep sealed-secrets
kubectl get events -n headlamp --sort-by='.lastTimestamp' | grep sealed-secrets
```
### Common Causes
@@ -102,7 +102,7 @@ kubectl get events -n kube-system --sort-by='.lastTimestamp' | grep sealed-secre
**Check**:
```bash
kubectl describe pod -n kube-system -l name=sealed-secrets-controller | grep -A 5 "Events:"
kubectl describe pod -n headlamp -l name=sealed-secrets-controller | grep -A 5 "Events:"
```
**Solutions**:
@@ -114,17 +114,17 @@ kubectl create secret docker-registry regcred \
--docker-server=<registry> \
--docker-username=<username> \
--docker-password=<password> \
-n kube-system
-n headlamp
# Update deployment
kubectl patch deployment sealed-secrets-controller -n kube-system -p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name":"regcred"}]}}}}'
kubectl patch deployment sealed-secrets-controller -n headlamp -p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name":"regcred"}]}}}}'
```
**Network issues**: Check cluster can reach `quay.io` or your registry.
**Wrong image tag**: Verify image exists:
```bash
kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
```
#### Insufficient Resources
@@ -133,13 +133,13 @@ kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.s
**Check**:
```bash
kubectl describe pod -n kube-system -l name=sealed-secrets-controller | grep -A 5 "FailedScheduling"
kubectl describe pod -n headlamp -l name=sealed-secrets-controller | grep -A 5 "FailedScheduling"
```
**Solution**: Lower resource requests or add nodes:
```bash
# Lower requests (not recommended for production)
kubectl patch deployment sealed-secrets-controller -n kube-system -p '
kubectl patch deployment sealed-secrets-controller -n headlamp -p '
{
"spec": {
"template": {
@@ -165,7 +165,7 @@ kubectl patch deployment sealed-secrets-controller -n kube-system -p '
**Check**:
```bash
kubectl get pvc -n kube-system
kubectl get pvc -n headlamp
```
**Solution**: Ensure StorageClass exists and volumes are available.
@@ -182,13 +182,13 @@ Controller pod shows `CrashLoopBackOff` or restarts frequently.
```bash
# Check restart count
kubectl get pods -n kube-system -l name=sealed-secrets-controller
kubectl get pods -n headlamp -l name=sealed-secrets-controller
# View recent logs
kubectl logs -n kube-system -l name=sealed-secrets-controller --tail=100
kubectl logs -n headlamp -l name=sealed-secrets-controller --tail=100
# View previous crash logs
kubectl logs -n kube-system -l name=sealed-secrets-controller --previous
kubectl logs -n headlamp -l name=sealed-secrets-controller --previous
```
### Common Causes
@@ -203,16 +203,16 @@ Error loading sealed secrets key: invalid PEM data
**Solution**:
```bash
# Backup existing key (if valid)
kubectl get secret -n kube-system sealed-secrets-key -o yaml > backup.yaml
kubectl get secret -n headlamp sealed-secrets-key -o yaml > backup.yaml
# Delete corrupted key
kubectl delete secret -n kube-system sealed-secrets-key
kubectl delete secret -n headlamp sealed-secrets-key
# Restart controller to generate new key
kubectl rollout restart deployment -n kube-system sealed-secrets-controller
kubectl rollout restart deployment -n headlamp sealed-secrets-controller
# Wait for new key
kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-controller --timeout=60s
kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-controller --timeout=60s
```
**Warning**: This generates a new key. Existing SealedSecrets will still work but cannot be modified.
@@ -227,10 +227,10 @@ Multiple certificates found, unable to determine active key
**Solution**:
```bash
# List all sealing keys
kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key
kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key
# Remove old keys (keep backup!)
kubectl delete secret -n kube-system <old-key-name>
kubectl delete secret -n headlamp <old-key-name>
```
#### Memory Issues
@@ -242,12 +242,12 @@ OOMKilled
**Check**:
```bash
kubectl describe pod -n kube-system -l name=sealed-secrets-controller | grep -A 5 "Last State"
kubectl describe pod -n headlamp -l name=sealed-secrets-controller | grep -A 5 "Last State"
```
**Solution**: Increase memory limits:
```bash
kubectl patch deployment sealed-secrets-controller -n kube-system -p '
kubectl patch deployment sealed-secrets-controller -n headlamp -p '
{
"spec": {
"template": {
@@ -298,7 +298,7 @@ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/downloa
**Check**:
```bash
# Get certificate expiry
kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | \
kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | \
base64 -d | \
openssl x509 -noout -enddate
```
@@ -307,12 +307,12 @@ kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.cr
```bash
# Generate new key (keeps old for decryption)
kubectl annotate secret -n kube-system sealed-secrets-key \
kubectl annotate secret -n headlamp sealed-secrets-key \
sealedsecrets.bitnami.com/sealed-secrets-key-rotation=rotate
# Or delete and recreate
kubectl delete secret -n kube-system sealed-secrets-key
kubectl rollout restart deployment -n kube-system sealed-secrets-controller
kubectl delete secret -n headlamp sealed-secrets-key
kubectl rollout restart deployment -n headlamp sealed-secrets-controller
```
### Multiple Certificates
@@ -322,10 +322,10 @@ kubectl rollout restart deployment -n kube-system sealed-secrets-controller
**Check**:
```bash
# List all certificates
kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key
kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key
# View details
kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml
kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml
```
**Solution**: Controller uses newest valid certificate. This is normal after key rotation.
@@ -333,7 +333,7 @@ kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-k
To clean up old keys (after backup):
```bash
# Keep newest 2 keys, delete older ones
kubectl delete secret -n kube-system <old-key-name>
kubectl delete secret -n headlamp <old-key-name>
```
### Certificate Not Found
@@ -342,13 +342,13 @@ kubectl delete secret -n kube-system <old-key-name>
**Check**:
```bash
kubectl get secret -n kube-system sealed-secrets-key
kubectl get secret -n headlamp sealed-secrets-key
```
**Solution**: Restart controller to generate:
```bash
kubectl rollout restart deployment -n kube-system sealed-secrets-controller
kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-controller --timeout=60s
kubectl rollout restart deployment -n headlamp sealed-secrets-controller
kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-controller --timeout=60s
```
---
@@ -362,10 +362,10 @@ kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-con
**Diagnosis**:
```bash
# Check controller CPU/memory usage
kubectl top pod -n kube-system -l name=sealed-secrets-controller
kubectl top pod -n headlamp -l name=sealed-secrets-controller
# Check events
kubectl get events -n kube-system --sort-by='.lastTimestamp' | grep sealed-secrets
kubectl get events -n headlamp --sort-by='.lastTimestamp' | grep sealed-secrets
```
**Solutions**:
@@ -373,7 +373,7 @@ kubectl get events -n kube-system --sort-by='.lastTimestamp' | grep sealed-secre
#### Increase Resources
```bash
kubectl patch deployment sealed-secrets-controller -n kube-system -p '
kubectl patch deployment sealed-secrets-controller -n headlamp -p '
{
"spec": {
"template": {
@@ -401,7 +401,7 @@ kubectl patch deployment sealed-secrets-controller -n kube-system -p '
```bash
# Get node
kubectl get pod -n kube-system -l name=sealed-secrets-controller -o wide
kubectl get pod -n headlamp -l name=sealed-secrets-controller -o wide
# Check node load
kubectl top node <node-name>
@@ -429,22 +429,22 @@ Consider node affinity if node is overloaded.
**Diagnosis**:
```bash
# Check deployment history
kubectl rollout history deployment -n kube-system sealed-secrets-controller
kubectl rollout history deployment -n headlamp sealed-secrets-controller
# Check current image
kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
```
**Solution**: Rollback and retry:
```bash
# Rollback to previous version
kubectl rollout undo deployment -n kube-system sealed-secrets-controller
kubectl rollout undo deployment -n headlamp sealed-secrets-controller
# Wait for rollback
kubectl rollout status deployment -n kube-system sealed-secrets-controller
kubectl rollout status deployment -n headlamp sealed-secrets-controller
# Check logs
kubectl logs -n kube-system -l name=sealed-secrets-controller
kubectl logs -n headlamp -l name=sealed-secrets-controller
```
### Version Compatibility
@@ -460,13 +460,13 @@ kubectl logs -n kube-system -l name=sealed-secrets-controller
**Upgrade controller**:
```bash
# Backup sealing keys first!
kubectl get secret -n kube-system sealed-secrets-key -o yaml > sealed-secrets-backup.yaml
kubectl get secret -n headlamp sealed-secrets-key -o yaml > sealed-secrets-backup.yaml
# Upgrade
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
# Verify
kubectl rollout status deployment -n kube-system sealed-secrets-controller
kubectl rollout status deployment -n headlamp sealed-secrets-controller
```
### Lost Sealing Keys After Upgrade
@@ -483,7 +483,7 @@ If you have backup:
kubectl apply -f sealed-secrets-backup.yaml
# Restart controller
kubectl rollout restart deployment -n kube-system sealed-secrets-controller
kubectl rollout restart deployment -n headlamp sealed-secrets-controller
```
If no backup, keys are **permanently lost**. You must:
@@ -499,7 +499,7 @@ If no backup, keys are **permanently lost**. You must:
```bash
# Add debug flag to controller
kubectl patch deployment sealed-secrets-controller -n kube-system -p '
kubectl patch deployment sealed-secrets-controller -n headlamp -p '
{
"spec": {
"template": {
@@ -514,14 +514,14 @@ kubectl patch deployment sealed-secrets-controller -n kube-system -p '
}'
# View debug logs
kubectl logs -n kube-system -l name=sealed-secrets-controller -f
kubectl logs -n headlamp -l name=sealed-secrets-controller -f
```
### Port-Forward for Testing
```bash
# Forward controller port locally
kubectl port-forward -n kube-system service/sealed-secrets-controller 8080:8080
kubectl port-forward -n headlamp service/sealed-secrets-controller 8080:8080
# Test certificate endpoint
curl http://localhost:8080/v1/cert.pem
@@ -536,7 +536,7 @@ If Prometheus is installed:
```bash
# Enable metrics
kubectl patch deployment sealed-secrets-controller -n kube-system -p '
kubectl patch deployment sealed-secrets-controller -n headlamp -p '
{
"spec": {
"template": {
@@ -551,7 +551,7 @@ kubectl patch deployment sealed-secrets-controller -n kube-system -p '
}'
# Access metrics
kubectl port-forward -n kube-system service/sealed-secrets-controller 8081:8081
kubectl port-forward -n headlamp service/sealed-secrets-controller 8081:8081
curl http://localhost:8081/metrics
```
@@ -564,9 +564,9 @@ If issues persist:
1. **Gather diagnostic info**:
```bash
# Create diagnostic bundle
kubectl get all -n kube-system -l name=sealed-secrets-controller -o yaml > controller-diagnostics.yaml
kubectl logs -n kube-system -l name=sealed-secrets-controller --tail=500 > controller-logs.txt
kubectl describe deployment -n kube-system sealed-secrets-controller > controller-describe.txt
kubectl get all -n headlamp -l name=sealed-secrets-controller -o yaml > controller-diagnostics.yaml
kubectl logs -n headlamp -l name=sealed-secrets-controller --tail=500 > controller-logs.txt
kubectl describe deployment -n headlamp sealed-secrets-controller > controller-describe.txt
```
2. **Check Sealed Secrets project**:
docs/troubleshooting/encryption-failures.md
+24 -24
View File
@@ -19,7 +19,7 @@ Before troubleshooting, understand how encryption works:
```
1. Plugin fetches public certificate from controller
GET /api/v1/namespaces/kube-system/services/sealed-secrets-controller:http/proxy/v1/cert.pem
GET /api/v1/namespaces/headlamp/services/sealed-secrets-controller:http/proxy/v1/cert.pem
2. Plugin validates certificate (PEM format, expiry, fingerprint)
@@ -55,10 +55,10 @@ Failed to fetch certificate: Network error
```bash
# 1. Check controller is running
kubectl get pods -n kube-system -l name=sealed-secrets-controller
kubectl get pods -n headlamp -l name=sealed-secrets-controller
# 2. Test certificate endpoint directly
kubectl port-forward -n kube-system service/sealed-secrets-controller 8080:8080
kubectl port-forward -n headlamp service/sealed-secrets-controller 8080:8080
# In another terminal:
curl http://localhost:8080/v1/cert.pem
```
@@ -70,16 +70,16 @@ curl http://localhost:8080/v1/cert.pem
**Certificate endpoint not responding**:
```bash
# Check controller logs
kubectl logs -n kube-system -l name=sealed-secrets-controller --tail=50
kubectl logs -n headlamp -l name=sealed-secrets-controller --tail=50
# Restart controller
kubectl rollout restart deployment -n kube-system sealed-secrets-controller
kubectl rollout restart deployment -n headlamp sealed-secrets-controller
```
**RBAC permission denied**:
```bash
# Check service access permission
kubectl auth can-i get services/sealed-secrets-controller -n kube-system
kubectl auth can-i get services/sealed-secrets-controller -n headlamp
# If no, apply RBAC (requires cluster-admin):
kubectl apply -f - <<EOF
@@ -121,7 +121,7 @@ Encryption failed: Certificate expired on 2025-01-15T10:30:00Z
```bash
# Check certificate expiry
kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | \
kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | \
base64 -d | \
openssl x509 -noout -dates
@@ -136,19 +136,19 @@ Rotate sealing keys (see [Secret Rotation Tutorial](../tutorials/secret-rotation
```bash
# Option 1: Delete old key (generates new automatically)
kubectl delete secret -n kube-system sealed-secrets-key
kubectl rollout restart deployment -n kube-system sealed-secrets-controller
kubectl delete secret -n headlamp sealed-secrets-key
kubectl rollout restart deployment -n headlamp sealed-secrets-controller
# Option 2: Annotate for rotation (keeps old for decryption)
kubectl annotate secret -n kube-system sealed-secrets-key \
kubectl annotate secret -n headlamp sealed-secrets-key \
sealedsecrets.bitnami.com/sealed-secrets-key-rotation=rotate
kubectl rollout restart deployment -n kube-system sealed-secrets-controller
kubectl rollout restart deployment -n headlamp sealed-secrets-controller
# Wait for new key
kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-controller --timeout=60s
kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-controller --timeout=60s
# Verify new certificate
kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key
kubectl get secret -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key
```
**Warning**: After key rotation:
@@ -168,7 +168,7 @@ Encryption failed: Certificate is not valid PEM format
```bash
# Fetch and validate certificate
kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
# Should start with:
# -----BEGIN CERTIFICATE-----
@@ -183,14 +183,14 @@ cat cert.pem
**Corrupted certificate**:
```bash
# Regenerate certificate
kubectl delete secret -n kube-system sealed-secrets-key
kubectl rollout restart deployment -n kube-system sealed-secrets-controller
kubectl delete secret -n headlamp sealed-secrets-key
kubectl rollout restart deployment -n headlamp sealed-secrets-controller
```
**Wrong secret**: Ensure you're using correct secret:
```bash
# List all sealing keys
kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key
kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key
# Should show sealed-secrets-key
```
@@ -213,7 +213,7 @@ Plan key rotation before expiry:
1. **Schedule maintenance window**
2. **Backup existing keys**:
```bash
kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml > sealing-keys-backup.yaml
kubectl get secret -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml > sealing-keys-backup.yaml
```
3. **Rotate keys**: See [Secret Rotation Tutorial](../tutorials/secret-rotation.md)
4. **Recreate SealedSecrets** if needed
@@ -485,10 +485,10 @@ Failed to fetch certificate: Request timeout after 30000ms
kubectl cluster-info
# Test service endpoint
kubectl get svc -n kube-system sealed-secrets-controller
kubectl get svc -n headlamp sealed-secrets-controller
# Test with curl
kubectl port-forward -n kube-system service/sealed-secrets-controller 8080:8080
kubectl port-forward -n headlamp service/sealed-secrets-controller 8080:8080
curl -m 5 http://localhost:8080/v1/cert.pem
```
@@ -550,7 +550,7 @@ Test encryption manually:
```javascript
// In browser console
const cert = await fetch('/api/v1/namespaces/kube-system/services/sealed-secrets-controller:http/proxy/v1/cert.pem')
const cert = await fetch('/api/v1/namespaces/headlamp/services/sealed-secrets-controller:http/proxy/v1/cert.pem')
.then(r => r.text());
console.log('Certificate:', cert);
@@ -587,7 +587,7 @@ sudo install -m 755 kubeseal /usr/local/bin/kubeseal
# Test encryption
echo -n mysecretvalue | kubeseal \
--controller-namespace=kube-system \
--controller-namespace=headlamp \
--controller-name=sealed-secrets-controller \
--format=yaml \
--name=my-secret \
@@ -621,10 +621,10 @@ If encryption still fails:
1. **Gather diagnostics**:
```bash
# Controller version
kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
# Certificate validity
kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text
kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text
# Plugin version (in Headlamp UI)
Settings → Sealed Secrets → About
docs/troubleshooting/permission-errors.md
+4 -4
View File
@@ -202,11 +202,11 @@ Missing service access permission.
```bash
# Check service access
kubectl auth can-i get services -n kube-system
kubectl auth can-i get services/sealed-secrets-controller -n kube-system
kubectl auth can-i get services -n headlamp
kubectl auth can-i get services/sealed-secrets-controller -n headlamp
# Check proxy access
kubectl auth can-i get services/proxy -n kube-system
kubectl auth can-i get services/proxy -n headlamp
```
#### Solution
@@ -563,7 +563,7 @@ TOKEN=$(kubectl create token sealed-secrets-ci -n ci-cd)
# Use with kubeseal
echo -n mysecret | kubeseal \
--controller-namespace=kube-system \
--controller-namespace=headlamp \
--token="$TOKEN" \
--format=yaml
```
docs/tutorials/ci-cd-integration.md
+3 -3
View File
@@ -33,7 +33,7 @@ The sealing certificate is the public key used to encrypt secrets. You can downl
Alternatively, fetch it directly from the controller:
```bash
kubectl get secret -n kube-system \
kubectl get secret -n headlamp \
-l sealedsecrets.bitnami.com/sealed-secrets-key=active \
-o jsonpath='{.items[0].data.tls\.crt}' | base64 -d > sealed-secrets-cert.pem
```
@@ -41,7 +41,7 @@ kubectl get secret -n kube-system \
Or use the controller's certificate endpoint:
```bash
curl http://sealed-secrets-controller.kube-system:8080/v1/cert.pem > sealed-secrets-cert.pem
curl http://sealed-secrets-controller.headlamp:8080/v1/cert.pem > sealed-secrets-cert.pem
```
## Step 2: Install kubeseal CLI
@@ -107,7 +107,7 @@ jobs:
echo "${{ secrets.SEALED_SECRETS_CERT }}" > sealed-secrets-cert.pem
# Option 2: From cluster (requires kubectl access)
# kubectl get secret -n kube-system \
# kubectl get secret -n headlamp \
# -l sealedsecrets.bitnami.com/sealed-secrets-key=active \
# -o jsonpath='{.items[0].data.tls\.crt}' | base64 -d > sealed-secrets-cert.pem