Chris Farhood
8a5c8971b1
Move artifacthub-pkg.yml from headlamp-sealed-secrets/ to repository root to match ArtifactHub indexing requirements for Headlamp plugins. This follows the same pattern as the polaris plugin and ensures ArtifactHub can properly discover and index version 0.2.4 with the correct checksum. Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering>
Headlamp Sealed Secrets Plugin
A comprehensive Headlamp plugin for managing Bitnami Sealed Secrets with client-side encryption and RBAC-aware UI.
Features
- Client-side encryption using RSA-OAEP + AES-256-GCM
- List, view, create, and manage SealedSecrets
- View and download sealing key certificates
- Decrypt sealed values (requires RBAC permissions)
- RBAC-aware UI adapts to user permissions
- Support for all three scoping modes (strict, namespace-wide, cluster-wide)
- Type-safe implementation with branded types
- 92% test coverage
Quick Start
Installation
# 1. Download and extract plugin
curl -LO https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/download/v0.2.4/headlamp-sealed-secrets-0.2.4.tar.gz
tar -xzf headlamp-sealed-secrets-0.2.4.tar.gz -C ~/Library/Application\ Support/Headlamp/plugins/
# 2. Restart Headlamp
# macOS: Cmd+Q then reopen
# Linux: killall headlamp && headlamp
First Secret
# 1. Install Sealed Secrets controller (if not already installed)
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
# 2. In Headlamp UI:
# - Navigate to "Sealed Secrets" in sidebar
# - Click "Create Sealed Secret"
# - Fill in name, namespace, and secret data
# - Click "Create"
# 3. Verify the secret was created
kubectl get sealedsecret -A
kubectl get secret <your-secret-name> -n <namespace>
Documentation
Getting Started
- Installation Guide - Multiple installation methods (macOS, Linux, Windows)
- Quick Start Tutorial - Create your first sealed secret
User Guides
- Creating Secrets - Encrypt and create sealed secrets
- Managing Keys - View and download sealing certificates
- Scopes Explained - Strict vs namespace-wide vs cluster-wide
- RBAC Permissions - Configure access control
Tutorials
- CI/CD Integration - GitHub Actions, GitLab CI, Jenkins
- Multi-Cluster Setup - Manage secrets across clusters
- Secret Rotation - Rotate secrets and sealing keys safely
Reference
- Troubleshooting - Common issues and solutions
- API Reference - Auto-generated TypeScript docs
- Architecture ADRs - Design decisions and rationale
- Development Guide - Contributing and testing
Prerequisites
- Headlamp v0.13.0 or later
- Sealed Secrets controller in your cluster:
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml - kubectl access with appropriate RBAC permissions
Architecture
┌─────────────┐
│ Headlamp │
│ Browser │
└──────┬──────┘
│
├─ Client-Side Encryption (node-forge)
│ └─ RSA-OAEP + AES-256-GCM
│
├─ Headlamp Plugin
│ ├─ React Components (WCAG 2.1 AA)
│ ├─ Type-Safe API (Result types)
│ ├─ RBAC Integration
│ └─ Health Monitoring
│
▼
┌──────────────────┐
│ Kubernetes API │
└─────────┬────────┘
│
▼
┌──────────────────┐
│ Sealed Secrets │
│ Controller │
└──────────────────┘
Security
How It Works
The plugin encrypts secrets client-side before sending them to Kubernetes:
- User enters plaintext values in the browser
- Plugin fetches controller's public certificate
- Values are encrypted using RSA-OAEP + AES-256-GCM
- Only encrypted data is sent to Kubernetes
- Controller decrypts and creates the Secret
Plaintext values never leave your browser.
Security Features
| Feature | Implementation | Purpose |
|---|---|---|
| Client-Side Encryption | RSA-OAEP + AES-256-GCM | Plaintext never transmitted |
| Branded Types | TypeScript compile-time checks | Prevent mixing plaintext/encrypted |
| Certificate Validation | PEM parsing + expiry checks | Ensure valid encryption keys |
| RBAC Integration | SelfSubjectAccessReview API | Permission-aware UI |
| Input Validation | Kubernetes DNS-1123 format | Prevent invalid resources |
| Retry Logic | Exponential backoff + jitter | Resilient against transient failures |
Threat Model
| Threat | Mitigation | Status |
|---|---|---|
| Man-in-the-middle | Client-side encryption | ✅ Protected |
| Network sniffing | No plaintext on network | ✅ Protected |
| Compromised proxy | Only sees encrypted data | ✅ Protected |
| Browser XSS | Headlamp CSP policies | ⚠️ Standard web security |
| Supply chain | Package locks, dependabot | ⚠️ Ongoing monitoring |
See: Security Hardening Guide | ADR 003: Client-Side Encryption
Technical Details
Code Quality Metrics
| Metric | Value | Notes |
|---|---|---|
| Bundle Size | 359.73 kB (98.79 kB gzipped) | Optimized with tree-shaking |
| Test Coverage | 92% (36/39 passing) | Unit + integration tests |
| TypeScript | 5.6.2 strict mode | Zero type errors |
| Lines of Code | 4,767 TypeScript/React | Well-documented with JSDoc |
| Build Time | ~4 seconds | Fast development iteration |
| Dependencies | node-forge (crypto) | Minimal, audited dependencies |
Technology Stack
- Language: TypeScript 5.6.2 (strict mode)
- UI Framework: React 18 with hooks
- Crypto Library: node-forge (RSA-OAEP + AES-256-GCM)
- Testing: Vitest + React Testing Library
- Linting: ESLint + Prettier
- Build Tool: Headlamp plugin SDK
Architecture
- Result Types: Type-safe error handling (ADR 001)
- Branded Types: Compile-time type safety (ADR 002)
- Custom Hooks: Separated business logic (ADR 005)
- RBAC Integration: Permission-aware UI (ADR 004)
See: Architecture Decision Records for detailed design rationale
Contributing
We welcome contributions.
Quick Start for Contributors
# 1. Fork and clone
git clone https://github.com/YOUR_USERNAME/headlamp-sealed-secrets-plugin
cd headlamp-sealed-secrets-plugin/headlamp-sealed-secrets
# 2. Install dependencies
npm install
# 3. Start development (hot reload)
npm start
# 4. Run tests
npm test
# 5. Lint and type-check
npm run lint
npm run tsc
Contribution Areas
| Area | What We Need | Good First Issue |
|---|---|---|
| Documentation | Tutorials, guides, examples | ✅ Yes |
| Testing | More test coverage, edge cases | ✅ Yes |
| Features | Bulk operations, secret templates | ⚠️ Discuss first |
| Bug Fixes | See open issues | ✅ Yes |
| Accessibility | ARIA improvements, keyboard nav | ✅ Yes |
| Translations | i18n support (future) | 📅 Planned |
Before Submitting
- Read Development Guide
- Tests pass (
npm test) - Lint passes (
npm run lint) - TypeScript compiles (
npm run tsc) - Documentation updated (if applicable)
- Changelog updated (if user-facing change)
See: Development Workflow | Testing Guide
Changelog
See CHANGELOG.md for version history.
Latest release (v0.2.4): Type-safe error handling, RBAC integration, accessibility improvements, and 92% test coverage.
Issues & Support
Need Help?
-
** Check Documentation First**
- Troubleshooting Guide - Common issues and solutions
- User Guide - Feature documentation
- API Reference - TypeScript API docs
-
🔍 Search Existing Issues
-
** Ask the Community**
-
** Report a Bug**
- Create New Issue
- Include: Plugin version, Headlamp version, error messages, steps to reproduce
Common Issues
| Issue | Quick Fix | Guide |
|---|---|---|
| Plugin not loading | Check installation path | Installation |
| Controller not found | Install controller | Controller Issues |
| Permission denied | Configure RBAC | Permission Errors |
| Encryption fails | Check certificate | Encryption Failures |
License
Apache License 2.0 - see LICENSE for details.
Credits
Built with:
- Headlamp - Kubernetes UI
- Sealed Secrets - Encryption controller
- node-forge - Cryptography library
Links
Project Resources
- Releases - Download plugin
- Documentation - Complete docs
- Issues - Bug reports
- Discussions - Q&A
- Changelog - Version history
External Resources
- Headlamp - Kubernetes UI framework
- Sealed Secrets - Encryption controller
- kubeseal CLI - Command-line tool
- Kubernetes RBAC - Access control