319d02f849
Removed marketing fluff:
- Replaced "Zero Trust Architecture" with factual "How It Works"
- Removed buzzwords and kept technical accuracy
- Simplified security explanation to be clear and honest

Added Artifact Hub README:
- Created README.md for v0.2.4 release directory
- Clean, professional documentation without marketing speak
- Focused on features, usage, and troubleshooting
- Will appear on Artifact Hub package page

Both READMEs now:
- Provide accurate technical information
- Avoid exaggerated claims
- Focus on what the plugin actually does
- Keep language straightforward and honest

Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Headlamp Sealed Secrets Plugin
A Headlamp plugin for managing Bitnami Sealed Secrets in Kubernetes clusters.
Features
- Client-Side Encryption: Encrypt secrets in your browser using the controller's public key
- Resource Management: List, view, create, and manage SealedSecrets
- Key Management: View sealing key pairs and download public certificates
- RBAC Integration: UI adapts to user permissions
- Decryption Support: View decrypted values (requires appropriate RBAC permissions)
Installation
Prerequisites
- Headlamp v0.13.0 or later
- Sealed Secrets controller installed on your cluster:
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
Install Plugin
The plugin can be installed directly from Artifact Hub through Headlamp's plugin manager, or manually:
# Download and extract
curl -LO https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/download/v0.2.4/headlamp-sealed-secrets-0.2.4.tar.gz
tar -xzf headlamp-sealed-secrets-0.2.4.tar.gz
# Copy to plugins directory
# macOS
cp -r headlamp-sealed-secrets ~/Library/Application\ Support/Headlamp/plugins/
# Linux
cp -r headlamp-sealed-secrets ~/.config/Headlamp/plugins/
# Restart Headlamp
Usage
Creating a SealedSecret
- Navigate to Sealed Secrets in the sidebar
- Click Create Sealed Secret
- Fill in name, namespace, scope, and key-value pairs
- Click Create
The plugin encrypts values client-side and applies the SealedSecret to the cluster. The controller creates the corresponding Kubernetes Secret.
Viewing and Managing
- List View: Browse all SealedSecrets with filtering
- Detail View: Inspect encrypted data and status
- Decrypt: View plaintext values (requires RBAC permissions)
- Re-encrypt: Rotate with current active key
Managing Keys
Navigate to Sealed Secrets > Sealing Keys to:
- View all sealing key pairs
- Check certificate validity
- Download public certificates for CLI use
Architecture
The plugin implements the same encryption algorithm as kubeseal:
- Fetches the controller's public certificate via Kubernetes API
- Encrypts values using RSA-OAEP + AES-256-GCM
- Creates SealedSecret resources
- Controller decrypts and creates Secrets
All encryption happens in the browser. Plaintext values never leave your machine.
Technical Details
- Language: TypeScript with strict mode
- Crypto Library: node-forge (RSA-OAEP + AES-256-GCM)
- Bundle Size: 358.18 kB (98.04 kB gzipped)
- Test Coverage: 92%
- License: Apache-2.0
Troubleshooting
Controller not found
# Install controller
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
# Verify running
kubectl get pods -n kube-system -l name=sealed-secrets-controller
Failed to fetch certificate
- Check controller settings (name, namespace, port)
- Verify controller is running and accessible
Decrypt fails
- Ensure SealedSecret status shows "Synced"
- Verify RBAC permissions:
kubectl auth can-i get secrets -n <namespace>
Contributing
Contributions welcome! See GitHub repository for details.
License
Apache License 2.0 - See LICENSE for details.