Headlamp Sealed Secrets Plugin

A comprehensive Headlamp plugin for managing Bitnami Sealed Secrets with client-side encryption and RBAC-aware UI.

Features

• Client-side encryption using RSA-OAEP + AES-256-GCM
• List, view, create, and manage SealedSecrets
• View and download sealing key certificates
• Decrypt sealed values (requires RBAC permissions)
• RBAC-aware UI adapts to user permissions
• Support for all three scoping modes (strict, namespace-wide, cluster-wide)
• Type-safe implementation with branded types
• 92% test coverage

Quick Start

Installation

Option 1: Headlamp Plugin Manager (Recommended)

Browse the Headlamp Plugin Manager (Settings → Plugins → Catalog) and install sealed-secrets directly.

Option 2: Manual Tarball Install

Download the latest tarball from the Releases page, then extract it into your Headlamp plugins directory:

# macOS
tar -xzf sealed-secrets-*.tar.gz -C ~/Library/Application\ Support/Headlamp/plugins/

# Linux
tar -xzf sealed-secrets-*.tar.gz -C ~/.config/Headlamp/plugins/

# Restart Headlamp after installing

Option 3: Build from Source

git clone https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin.git
cd headlamp-sealed-secrets-plugin
npm install
npm run build
npx @kinvolk/headlamp-plugin extract . /headlamp/plugins

First Secret

# 1. Install Sealed Secrets controller (if not already installed)
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml

# 2. In Headlamp UI:
#    - Navigate to "Sealed Secrets" in sidebar
#    - Click "Create Sealed Secret"
#    - Fill in name, namespace, and secret data
#    - Click "Create"

# 3. Verify the secret was created
kubectl get sealedsecret -A
kubectl get secret <your-secret-name> -n <namespace>

Documentation

Getting Started

• Installation Guide - Multiple installation methods (macOS, Linux, Windows)
• Quick Start Tutorial - Create your first sealed secret

User Guides

• Scopes Explained - Strict vs namespace-wide vs cluster-wide
• RBAC Permissions - Configure access control

Tutorials

• CI/CD Integration - GitHub Actions, GitLab CI, Jenkins

Reference

• Troubleshooting - Common issues and solutions
• API Reference - Auto-generated TypeScript docs
• Architecture ADRs - Design decisions and rationale
• Development Guide - Contributing and testing

Prerequisites

• Headlamp v0.13.0 or later
• Sealed Secrets controller in your cluster:

  kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
  

• kubectl access with appropriate RBAC permissions

Architecture

src/
├── index.tsx              # Plugin entry point
├── types.ts               # Branded types, Result type, interfaces
├── hooks/                 # Custom React hooks (controller health, RBAC, encryption)
├── lib/                   # Utility library (CRD, crypto, controller, RBAC, retry, validators)
└── components/            # React components (list, detail, dialogs, settings)

The plugin uses custom hooks and a utility library instead of a single data context provider. Client-side encryption is handled entirely in the browser via node-forge (RSA-OAEP + AES-256-GCM).

System Diagram

┌─────────────┐
│   Headlamp  │
│   Browser   │
└──────┬──────┘
       │
       ├─ Client-Side Encryption (node-forge)
       │  └─ RSA-OAEP + AES-256-GCM
       │
       ├─ Headlamp Plugin
       │  ├─ React Components (WCAG 2.1 AA)
       │  ├─ Type-Safe API (Result types)
       │  ├─ RBAC Integration
       │  └─ Health Monitoring
       │
       ▼
┌──────────────────┐
│  Kubernetes API  │
└─────────┬────────┘
          │
          ▼
┌──────────────────┐
│ Sealed Secrets   │
│   Controller     │
└──────────────────┘

Security

How It Works

The plugin encrypts secrets client-side before sending them to Kubernetes:

1. User enters plaintext values in the browser
2. Plugin fetches controller's public certificate
3. Values are encrypted using RSA-OAEP + AES-256-GCM
4. Only encrypted data is sent to Kubernetes
5. Controller decrypts and creates the Secret

Plaintext values never leave your browser.

Security Features

Feature	Implementation	Purpose
Client-Side Encryption	RSA-OAEP + AES-256-GCM	Plaintext never transmitted
Branded Types	TypeScript compile-time checks	Prevent mixing plaintext/encrypted
Certificate Validation	PEM parsing + expiry checks	Ensure valid encryption keys
RBAC Integration	SelfSubjectAccessReview API	Permission-aware UI
Input Validation	Kubernetes DNS-1123 format	Prevent invalid resources
Retry Logic	Exponential backoff + jitter	Resilient against transient failures

Threat Model

Threat	Mitigation	Status
Man-in-the-middle	Client-side encryption	✅ Protected
Network sniffing	No plaintext on network	✅ Protected
Compromised proxy	Only sees encrypted data	✅ Protected
Browser XSS	Headlamp CSP policies	⚠️ Standard web security
Supply chain	Package locks, dependabot	⚠️ Ongoing monitoring

See: ADR 003: Client-Side Encryption

Technical Details

Code Quality Metrics

Metric	Value	Notes
Test Coverage	92%	Unit + integration tests
TypeScript	5.6.2 strict mode	Zero type errors
Dependencies	node-forge (crypto)	Minimal, audited dependencies

Technology Stack

• Language: TypeScript 5.6.2 (strict mode)
• UI Framework: React 18 with hooks
• Crypto Library: node-forge (RSA-OAEP + AES-256-GCM)
• Testing: Vitest + React Testing Library
• Linting: ESLint + Prettier
• Build Tool: Headlamp plugin SDK

Architecture

• Result Types: Type-safe error handling (ADR 001)
• Branded Types: Compile-time type safety (ADR 002)
• Custom Hooks: Separated business logic (ADR 005)
• RBAC Integration: Permission-aware UI (ADR 004)

See: Architecture Decision Records for detailed design rationale

Contributing

We welcome contributions.

Quick Start for Contributors

# 1. Fork and clone
git clone https://github.com/YOUR_USERNAME/headlamp-sealed-secrets-plugin
cd headlamp-sealed-secrets-plugin

# 2. Install dependencies
npm install

# 3. Start development (hot reload)
npm start

# 4. Run tests
npm test

# 5. Lint and type-check
npm run lint
npm run tsc

Contribution Areas

Area	What We Need	Good First Issue
Documentation	Tutorials, guides, examples	✅ Yes
Testing	More test coverage, edge cases	✅ Yes
Features	Bulk operations, secret templates	⚠️ Discuss first
Bug Fixes	See open issues	✅ Yes
Accessibility	ARIA improvements, keyboard nav	✅ Yes
Translations	i18n support (future)	📅 Planned

Before Submitting

• Read Development Guide
• Tests pass (npm test)
• Lint passes (npm run lint)
• TypeScript compiles (npm run tsc)
• Documentation updated (if applicable)
• Changelog updated (if user-facing change)

See: Development Workflow | Testing Guide

Changelog

See CHANGELOG.md for version history.

See CHANGELOG.md for details on each release.

Issues & Support

Need Help?

1. ** Check Documentation First**

   • Troubleshooting Guide - Common issues and solutions
   • User Guide - Feature documentation
   • API Reference - TypeScript API docs

2. 🔍 Search Existing Issues

   • Open Issues
   • Closed Issues

3. ** Ask the Community**

   • GitHub Discussions

4. ** Report a Bug**

   • Create New Issue
   • Include: Plugin version, Headlamp version, error messages, steps to reproduce

Common Issues

Issue	Quick Fix	Guide
Plugin not loading	Check installation path	Installation
Controller not found	Install controller	Troubleshooting
Permission denied	Configure RBAC	RBAC Permissions
Encryption fails	Check certificate	Troubleshooting

License

Apache License 2.0 - see LICENSE for details.

Credits

Built with:

• Headlamp - Kubernetes UI
• Sealed Secrets - Encryption controller
• node-forge - Cryptography library

Links

Project Resources

• Releases - Download plugin
• Documentation - Complete docs
• Issues - Bug reports
• Discussions - Q&A
• Changelog - Version history

External Resources

• Headlamp - Kubernetes UI framework
• Sealed Secrets - Encryption controller
• kubeseal CLI - Command-line tool
• Kubernetes RBAC - Access control

Test runner