Chris Farhood
0199c8c330
Updated all documentation to reflect current state: Version Updates: - Updated root README.md from v0.2.0 to v0.2.4 in installation instructions - Updated "Latest release" badge to v0.2.4 - Updated CHANGELOG.md with v0.2.1, 0.2.2, 0.2.3, and 0.2.4 entries - Added version comparison links for all releases URL Migrations: - Fixed all GitHub badge URLs from cpfarhood to privilegedescalation org - Updated plugin README.md repository URL placeholder - Ensured all references use privilegedescalation/headlamp-sealed-secrets-plugin Changelog Additions: - v0.2.4: Icon loading fix (Material-UI → Iconify) - v0.2.3: Superseded by v0.2.4 (checksum mismatch note) - v0.2.2: SDK downgrade to fix React context errors - v0.2.1: Removed invalid main field from package.json All version numbers, checksums, and URLs are now consistent across: - package.json: 0.2.4 - artifacthub-pkg.yml: 0.2.4 - README.md: 0.2.4 - CHANGELOG.md: 0.2.4 - GitHub releases: v0.2.4 Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering>
7.3 KiB
7.3 KiB
Headlamp Sealed Secrets Plugin
A comprehensive Headlamp plugin for managing Bitnami Sealed Secrets in Kubernetes clusters.
Features
🔐 Client-Side Encryption
- Encrypt secrets entirely in your browser using the controller's public key
- Never send plaintext values over the network
- Support for all three scoping modes: strict, namespace-wide, and cluster-wide
📋 Resource Management
- List View: Browse all SealedSecrets across namespaces with filtering
- Detail View: Inspect encrypted data, templates, and resulting Secrets
- Create: Easy-to-use dialog for creating new SealedSecrets
- Decrypt: View decrypted values (requires RBAC permissions to read Secrets)
- Re-encrypt: Rotate SealedSecrets with the current active key
🔑 Key Management
- View all sealing key pairs (active and compromised)
- Download the public certificate for use with
kubesealCLI - Monitor certificate validity periods
🔗 Integration
- Seamlessly integrates with Headlamp's Secret detail view
- Shows parent SealedSecret info on Secret pages
- Follows Headlamp's design patterns and UI components
Installation
Prerequisites
- Headlamp installed and running (v0.13.0 or later)
- Sealed Secrets controller installed on your Kubernetes cluster:
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
Install the Plugin
Option 1: From NPM (when published)
npm install -g headlamp-sealed-secrets
Option 2: Build from Source
git clone https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin
cd headlamp-sealed-secrets
npm install
npm run build
Then copy the dist folder to Headlamp's plugins directory:
- Linux:
~/.config/Headlamp/plugins/headlamp-sealed-secrets/ - macOS:
~/Library/Application Support/Headlamp/plugins/headlamp-sealed-secrets/ - Windows:
%APPDATA%\Headlamp\plugins\headlamp-sealed-secrets\
Option 3: Development Mode
npm start
This starts a development server with hot reload. Point Headlamp to the plugin directory.
Usage
Creating a SealedSecret
- Navigate to Sealed Secrets > All Sealed Secrets in the sidebar
- Click Create Sealed Secret
- Fill in:
- Secret name
- Namespace
- Scope (strict/namespace-wide/cluster-wide)
- Key-value pairs (values are masked by default)
- Click Create
The plugin will:
- Fetch the controller's public certificate
- Encrypt all values client-side in your browser
- Apply the SealedSecret to the cluster
- The controller will create the corresponding Kubernetes Secret
Viewing SealedSecrets
The list view shows:
- Name and namespace
- Number of encrypted keys
- Encryption scope
- Sync status (whether the Secret was successfully created)
- Age
Click on any SealedSecret to view details including:
- Encrypted data
- Template metadata
- Resulting Secret (with link to Secret detail view)
- Status conditions
Decrypting Values
On the detail view, click Decrypt next to any encrypted key to view its plaintext value.
Requirements:
- The SealedSecret must be synced (controller has created the Secret)
- You must have RBAC permissions to read Secrets in that namespace
Security: The decrypted value auto-hides after 30 seconds.
Managing Sealing Keys
Navigate to Sealed Secrets > Sealing Keys to:
- View all sealing key pairs
- See which key is active
- Check certificate validity periods
- Download the public certificate
Settings
Navigate to Sealed Secrets > Settings to configure:
- Controller name (default:
sealed-secrets-controller) - Controller namespace (default:
kube-system) - Controller port (default:
8080)
Settings are stored in your browser's local storage.
Architecture
Client-Side Encryption
The plugin implements the same encryption algorithm as kubeseal:
- Fetch the controller's public certificate via Kubernetes API proxy
- Parse the RSA public key from the PEM certificate
- For each secret value:
- Generate a random AES-256-GCM session key
- Encrypt the value with the session key
- Encrypt the session key with RSA-OAEP (SHA-256)
- Construct the sealed-secrets payload format
- Base64-encode the result
Security note: All encryption happens in the browser. Plaintext values never leave your machine.
Components
src/
├── index.tsx # Plugin registration
├── types.ts # TypeScript interfaces
├── components/
│ ├── SealedSecretList.tsx # List view
│ ├── SealedSecretDetail.tsx # Detail view
│ ├── EncryptDialog.tsx # Create dialog
│ ├── DecryptDialog.tsx # Decrypt modal
│ ├── SealingKeysView.tsx # Key management
│ ├── SettingsPage.tsx # Configuration
│ └── SecretDetailsSection.tsx # Secret integration
└── lib/
├── SealedSecretCRD.ts # CRD class
├── crypto.ts # Encryption logic
└── controller.ts # Controller API
Dependencies
- node-forge: RSA and AES cryptography
- @kinvolk/headlamp-plugin: Headlamp plugin SDK
- React, Material-UI: Provided by Headlamp at runtime
Development
# Install dependencies
npm install
# Type check
npm run tsc
# Lint
npm run lint
# Format code
npm run format
# Start development server
npm start
# Build for production
npm run build
# Run tests
npm test
Troubleshooting
"SealedSecrets CRD not found"
The Sealed Secrets controller is not installed on your cluster. Install it:
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
"Failed to fetch certificate"
Check:
- Controller is running:
kubectl get pods -n kube-system -l name=sealed-secrets-controller - Settings match your controller deployment (name, namespace, port)
- You have network connectivity to the cluster
"Secret not found" when decrypting
The SealedSecret hasn't been processed yet, or you don't have RBAC permissions to read Secrets. Check:
- SealedSecret status shows "Synced"
- Controller logs:
kubectl logs -n kube-system -l name=sealed-secrets-controller - Your RBAC permissions:
kubectl auth can-i get secrets -n <namespace>
Re-encrypt fails
The controller's /v1/rotate endpoint may not be exposed. This is typically only needed when rotating keys.
Contributing
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Make your changes with tests
- Run
npm run lintandnpm run tsc - Submit a pull request
License
Apache License 2.0 - See LICENSE file for details.
Related Projects
- Headlamp - The Kubernetes UI
- Sealed Secrets - The Sealed Secrets controller
- kubeseal - The CLI tool for Sealed Secrets
Credits
Built with ❤️ for the Kubernetes community.
- Uses the Headlamp Plugin SDK
- Follows patterns from official Headlamp plugins (Flux, cert-manager)
- Encryption algorithm compatible with kubeseal