From 319d02f849a793c385353119a51c8f356b01adf1 Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Thu, 12 Feb 2026 11:15:48 -0500 Subject: [PATCH] docs: remove marketing language and add Artifact Hub README Removed marketing fluff: - Replaced "Zero Trust Architecture" with factual "How It Works" - Removed buzzwords and kept technical accuracy - Simplified security explanation to be clear and honest Added Artifact Hub README: - Created README.md for v0.2.4 release directory - Clean, professional documentation without marketing speak - Focused on features, usage, and troubleshooting - Will appear on Artifact Hub package page Both READMEs now: - Provide accurate technical information - Avoid exaggerated claims - Focus on what the plugin actually does - Keep language straightforward and honest Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude Co-Authored-By: Happy --- README.md | 33 ++--- .../0.2.4/README.md | 118 ++++++++++++++++++ 2 files changed, 130 insertions(+), 21 deletions(-) create mode 100644 headlamp-sealed-secrets-plugin/0.2.4/README.md diff --git a/README.md b/README.md index 0cbdcad..0f6edb0 100644 --- a/README.md +++ b/README.md 
@@ -165,28 +165,19 @@ echo -n "$DB_PASSWORD" | kubeseal \ ## 🔒 Security -### Zero Trust Architecture -``` -┌─────────────────────────────────────────────┐ -│ User's Browser │ -│ │ -│ 1. User enters plaintext: "mysecret" │ -│ 2. Plugin encrypts locally (RSA-OAEP) │ -│ 3. Sends ONLY encrypted data │ -│ │ -│ ✅ Plaintext NEVER on network │ -└─────────────────────────────────────────────┘ - │ - │ Only encrypted data - ▼ -┌─────────────────────────────────────────────┐ -│ Kubernetes Cluster │ -│ │ -│ 4. Controller decrypts server-side │ -│ 5. Creates plain Secret in cluster │ -└─────────────────────────────────────────────┘ -``` +### How It Works + +The plugin encrypts secrets client-side before sending them to Kubernetes: + +1. User enters plaintext values in the browser +2. Plugin fetches controller's public certificate +3. Values are encrypted using RSA-OAEP + AES-256-GCM +4. Only encrypted data is sent to Kubernetes +5. Controller decrypts and creates the Secret + +Plaintext values never leave your browser. + ### Security Features diff --git a/headlamp-sealed-secrets-plugin/0.2.4/README.md b/headlamp-sealed-secrets-plugin/0.2.4/README.md new file mode 100644 index 0000000..8a7e6b2 --- /dev/null +++ b/headlamp-sealed-secrets-plugin/0.2.4/README.md 
@@ -0,0 +1,118 @@ +# Headlamp Sealed Secrets Plugin + +A [Headlamp](https://headlamp.dev) plugin for managing [Bitnami Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) in Kubernetes clusters. + +## Features + +- **Client-Side Encryption**: Encrypt secrets in your browser using the controller's public key +- **Resource Management**: List, view, create, and manage SealedSecrets +- **Key Management**: View sealing key pairs and download public certificates +- **RBAC Integration**: UI adapts to user permissions +- **Decryption Support**: View decrypted values (requires appropriate RBAC permissions) + +## Installation + +### Prerequisites + +1. Headlamp v0.13.0 or later +2. Sealed Secrets controller installed on your cluster: + ```bash + kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml + ``` + +### Install Plugin + +The plugin can be installed directly from Artifact Hub through Headlamp's plugin manager, or manually: + +```bash +# Download and extract +curl -LO https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/download/v0.2.4/headlamp-sealed-secrets-0.2.4.tar.gz +tar -xzf headlamp-sealed-secrets-0.2.4.tar.gz + +# Copy to plugins directory +# macOS +cp -r headlamp-sealed-secrets ~/Library/Application\ Support/Headlamp/plugins/ + +# Linux +cp -r headlamp-sealed-secrets ~/.config/Headlamp/plugins/ + +# Restart Headlamp +``` + +## Usage + +### Creating a SealedSecret + +1. Navigate to **Sealed Secrets** in the sidebar +2. Click **Create Sealed Secret** +3. Fill in name, namespace, scope, and key-value pairs +4. Click **Create** + +The plugin encrypts values client-side and applies the SealedSecret to the cluster. The controller creates the corresponding Kubernetes Secret. 
+ +### Viewing and Managing + +- **List View**: Browse all SealedSecrets with filtering +- **Detail View**: Inspect encrypted data and status +- **Decrypt**: View plaintext values (requires RBAC permissions) +- **Re-encrypt**: Rotate with current active key + +### Managing Keys + +Navigate to **Sealed Secrets** > **Sealing Keys** to: +- View all sealing key pairs +- Check certificate validity +- Download public certificates for CLI use + +## Architecture + +The plugin implements the same encryption algorithm as `kubeseal`: + +1. Fetches the controller's public certificate via Kubernetes API +2. Encrypts values using RSA-OAEP + AES-256-GCM +3. Creates SealedSecret resources +4. Controller decrypts and creates Secrets + +All encryption happens in the browser. Plaintext values never leave your machine. + +## Technical Details + +- **Language**: TypeScript with strict mode +- **Crypto Library**: node-forge (RSA-OAEP + AES-256-GCM) +- **Bundle Size**: 358.18 kB (98.04 kB gzipped) +- **Test Coverage**: 92% +- **License**: Apache-2.0 + +## Troubleshooting + +### Controller not found +```bash +# Install controller +kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml + +# Verify running +kubectl get pods -n kube-system -l name=sealed-secrets-controller +``` + +### Failed to fetch certificate +- Check controller settings (name, namespace, port) +- Verify controller is running and accessible + +### Decrypt fails +- Ensure SealedSecret status shows "Synced" +- Verify RBAC permissions: `kubectl auth can-i get secrets -n ` + +## Contributing + +Contributions welcome! See [GitHub repository](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin) for details. 
+ +## Links + +- [GitHub Repository](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin) +- [Issue Tracker](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/issues) +- [Sealed Secrets Project](https://github.com/bitnami-labs/sealed-secrets) +- [Headlamp](https://headlamp.dev) + +## License + +Apache License 2.0 - See [LICENSE](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/blob/main/headlamp-sealed-secrets/LICENSE) for details.
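Review bot: In the README.md hunk, under `### How It Works`, the closing line "Plaintext values never leave your browser." is stated without scope, while the README added in this same patch lists a Decrypt feature that shows plaintext values to users with the right RBAC permissions, so on that path plaintext is delivered to the browser from the cluster. Suggest limiting the claim to the create path, for example "When creating a SealedSecret, values are encrypted before they leave your browser." Step 5 also loses the removed diagram's "Creates plain Secret in cluster"; keep a phrase saying the resulting Secret is an ordinary, unsealed Secret so readers do not assume the value stays encrypted once the controller has processed it. Step 2 could say the certificate is fetched "via Kubernetes API", as the new README's Architecture section does, since the encryption is only as trustworthy as that certificate.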
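Review bot: In the new headlamp-sealed-secrets-plugin/0.2.4/README.md, the manual steps under `### Install Plugin` download the release tarball with `curl -LO` and unpack it into the Headlamp plugins directory with no integrity check, which matters for a plugin that handles secret plaintext in the browser. Suggest publishing a checksum alongside the v0.2.4 release asset and adding a verification step before `tar -xzf`. Under `### Decrypt fails`, the command `kubectl auth can-i get secrets -n ` ends with no namespace argument; add a placeholder such as `<namespace>` so it can be copied and completed. The controller install command also appears twice (Prerequisites and `### Controller not found`) with the version v0.24.0 hard-coded in both; consider stating it once and linking to it so the two copies cannot drift.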