Gandalf Greybeard
f08105e24f
- Target main branch explicitly - Set weekly schedule (weekends) - Limit concurrent PRs to 10 - Group minor/patch updates for npm and github-actions to reduce PR noise Ref: PRI-16 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Headlamp Sealed Secrets Plugin
A comprehensive Headlamp plugin for managing Bitnami Sealed Secrets with client-side encryption and RBAC-aware UI.
Features
- Client-side encryption using RSA-OAEP + AES-256-GCM
- List, view, create, and manage SealedSecrets
- View and download sealing key certificates
- Decrypt sealed values (requires RBAC permissions)
- RBAC-aware UI adapts to user permissions
- Support for all three scoping modes (strict, namespace-wide, cluster-wide)
- Type-safe implementation with branded types
- 92% test coverage
Quick Start
Installation
Option 1: Headlamp Plugin Manager (Recommended)
Browse the Headlamp Plugin Manager (Settings → Plugins → Catalog) and install sealed-secrets directly.
Option 2: Manual Tarball Install
Download the latest tarball from the Releases page, then extract it into your Headlamp plugins directory:
# macOS
tar -xzf sealed-secrets-*.tar.gz -C ~/Library/Application\ Support/Headlamp/plugins/
# Linux
tar -xzf sealed-secrets-*.tar.gz -C ~/.config/Headlamp/plugins/
# Restart Headlamp after installing
Option 3: Build from Source
git clone https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin.git
cd headlamp-sealed-secrets-plugin
npm install
npm run build
npx @kinvolk/headlamp-plugin extract . /headlamp/plugins
First Secret
# 1. Install Sealed Secrets controller (if not already installed)
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
# 2. In Headlamp UI:
# - Navigate to "Sealed Secrets" in sidebar
# - Click "Create Sealed Secret"
# - Fill in name, namespace, and secret data
# - Click "Create"
# 3. Verify the secret was created
kubectl get sealedsecret -A
kubectl get secret <your-secret-name> -n <namespace>
Documentation
Getting Started
- Installation Guide - Multiple installation methods (macOS, Linux, Windows)
- Quick Start Tutorial - Create your first sealed secret
User Guides
- Scopes Explained - Strict vs namespace-wide vs cluster-wide
- RBAC Permissions - Configure access control
Tutorials
- CI/CD Integration - GitHub Actions, GitLab CI, Jenkins
Reference
- Troubleshooting - Common issues and solutions
- API Reference - Auto-generated TypeScript docs
- Architecture ADRs - Design decisions and rationale
- Development Guide - Contributing and testing
Prerequisites
- Headlamp v0.13.0 or later
- Sealed Secrets controller in your cluster:
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml - kubectl access with appropriate RBAC permissions
Architecture
src/
├── index.tsx # Plugin entry point
├── types.ts # Branded types, Result type, interfaces
├── hooks/ # Custom React hooks (controller health, RBAC, encryption)
├── lib/ # Utility library (CRD, crypto, controller, RBAC, retry, validators)
└── components/ # React components (list, detail, dialogs, settings)
The plugin uses custom hooks and a utility library instead of a single data context provider. Client-side encryption is handled entirely in the browser via node-forge (RSA-OAEP + AES-256-GCM).
System Diagram
┌─────────────┐
│ Headlamp │
│ Browser │
└──────┬──────┘
│
├─ Client-Side Encryption (node-forge)
│ └─ RSA-OAEP + AES-256-GCM
│
├─ Headlamp Plugin
│ ├─ React Components (WCAG 2.1 AA)
│ ├─ Type-Safe API (Result types)
│ ├─ RBAC Integration
│ └─ Health Monitoring
│
▼
┌──────────────────┐
│ Kubernetes API │
└─────────┬────────┘
│
▼
┌──────────────────┐
│ Sealed Secrets │
│ Controller │
└──────────────────┘
Security
How It Works
The plugin encrypts secrets client-side before sending them to Kubernetes:
- User enters plaintext values in the browser
- Plugin fetches controller's public certificate
- Values are encrypted using RSA-OAEP + AES-256-GCM
- Only encrypted data is sent to Kubernetes
- Controller decrypts and creates the Secret
Plaintext values never leave your browser.
Security Features
| Feature | Implementation | Purpose |
|---|---|---|
| Client-Side Encryption | RSA-OAEP + AES-256-GCM | Plaintext never transmitted |
| Branded Types | TypeScript compile-time checks | Prevent mixing plaintext/encrypted |
| Certificate Validation | PEM parsing + expiry checks | Ensure valid encryption keys |
| RBAC Integration | SelfSubjectAccessReview API | Permission-aware UI |
| Input Validation | Kubernetes DNS-1123 format | Prevent invalid resources |
| Retry Logic | Exponential backoff + jitter | Resilient against transient failures |
Threat Model
| Threat | Mitigation | Status |
|---|---|---|
| Man-in-the-middle | Client-side encryption | ✅ Protected |
| Network sniffing | No plaintext on network | ✅ Protected |
| Compromised proxy | Only sees encrypted data | ✅ Protected |
| Browser XSS | Headlamp CSP policies | ⚠️ Standard web security |
| Supply chain | Package locks, dependabot | ⚠️ Ongoing monitoring |
See: ADR 003: Client-Side Encryption
Technical Details
Code Quality Metrics
| Metric | Value | Notes |
|---|---|---|
| Test Coverage | 92% | Unit + integration tests |
| TypeScript | 5.6.2 strict mode | Zero type errors |
| Dependencies | node-forge (crypto) | Minimal, audited dependencies |
Technology Stack
- Language: TypeScript 5.6.2 (strict mode)
- UI Framework: React 18 with hooks
- Crypto Library: node-forge (RSA-OAEP + AES-256-GCM)
- Testing: Vitest + React Testing Library
- Linting: ESLint + Prettier
- Build Tool: Headlamp plugin SDK
Architecture
- Result Types: Type-safe error handling (ADR 001)
- Branded Types: Compile-time type safety (ADR 002)
- Custom Hooks: Separated business logic (ADR 005)
- RBAC Integration: Permission-aware UI (ADR 004)
See: Architecture Decision Records for detailed design rationale
Contributing
We welcome contributions.
Quick Start for Contributors
# 1. Fork and clone
git clone https://github.com/YOUR_USERNAME/headlamp-sealed-secrets-plugin
cd headlamp-sealed-secrets-plugin
# 2. Install dependencies
npm install
# 3. Start development (hot reload)
npm start
# 4. Run tests
npm test
# 5. Lint and type-check
npm run lint
npm run tsc
Contribution Areas
| Area | What We Need | Good First Issue |
|---|---|---|
| Documentation | Tutorials, guides, examples | ✅ Yes |
| Testing | More test coverage, edge cases | ✅ Yes |
| Features | Bulk operations, secret templates | ⚠️ Discuss first |
| Bug Fixes | See open issues | ✅ Yes |
| Accessibility | ARIA improvements, keyboard nav | ✅ Yes |
| Translations | i18n support (future) | 📅 Planned |
Before Submitting
- Read Development Guide
- Tests pass (
npm test) - Lint passes (
npm run lint) - TypeScript compiles (
npm run tsc) - Documentation updated (if applicable)
- Changelog updated (if user-facing change)
See: Development Workflow | Testing Guide
Changelog
See CHANGELOG.md for version history.
See CHANGELOG.md for details on each release.
Issues & Support
Need Help?
-
** Check Documentation First**
- Troubleshooting Guide - Common issues and solutions
- User Guide - Feature documentation
- API Reference - TypeScript API docs
-
🔍 Search Existing Issues
-
** Ask the Community**
-
** Report a Bug**
- Create New Issue
- Include: Plugin version, Headlamp version, error messages, steps to reproduce
Common Issues
| Issue | Quick Fix | Guide |
|---|---|---|
| Plugin not loading | Check installation path | Installation |
| Controller not found | Install controller | Troubleshooting |
| Permission denied | Configure RBAC | RBAC Permissions |
| Encryption fails | Check certificate | Troubleshooting |
License
Apache License 2.0 - see LICENSE for details.
Credits
Built with:
- Headlamp - Kubernetes UI
- Sealed Secrets - Encryption controller
- node-forge - Cryptography library
Links
Project Resources
- Releases - Download plugin
- Documentation - Complete docs
- Issues - Bug reports
- Discussions - Q&A
- Changelog - Version history
External Resources
- Headlamp - Kubernetes UI framework
- Sealed Secrets - Encryption controller
- kubeseal CLI - Command-line tool
- Kubernetes RBAC - Access control