https://marktaguiad.dev/tags/secrets/ Recent content in Secrets on marktaguiad.dev Hugo en-us marktaguiad@marktaguiad.dev (Mark Taguiad) marktaguiad@marktaguiad.dev (Mark Taguiad) marktaguiad.dev Sun, 19 Apr 2026 00:00:00 +0000 https://marktaguiad.dev/post/k8s-sealed-secrets/ Sun, 19 Apr 2026 00:00:00 +0000marktaguiad@marktaguiad.dev (Mark Taguiad) https://marktaguiad.dev/post/k8s-sealed-secrets/ <p><img class="theme-image" src="https://marktaguiad.dev/images/devops/k8s-notes/k8s-sealed-secrets.png" data-light="/images/devops/k8s-notes/k8s-sealed-secrets.png" data-dark="/images/devops/k8s-notes/k8s-sealed-secrets-dark.png" alt="Secret" > k8s-sealed-secrets.png Managing secrets in Kubernetes is a bit tricky. Native <code>Secret</code> objects are only <code>base64-encoded</code>—not encrypted—making them unsafe for Git-based workflows. If you&rsquo;re doing GitOps (e.g., with Argo CD), committing raw secrets is not an option.</p> <p>This is where <a href="https://github.com/bitnami-labs/sealed-secrets">Sealed Secrets</a> comes in.</p> <h1 id="table-of-contents">Table of Contents</h1> <nav id="TableOfContents"> <ol> <li><a href="#why-sealed-secret">Why Sealed Secret?</a></li> <li><a href="#install">Install</a> <ol> <li><a href="#cluster">Cluster</a></li> <li><a href="#client">Client</a></li> <li><a href="#certificate">Certificate</a></li> </ol> </li> <li><a href="#key">Key</a></li> <li><a href="#example">Example</a> <ol> <li><a href="#default-k8s-secrets">Default K8S Secrets</a></li> <li><a href="#sealed-secret">Sealed Secret</a></li> <li><a href="#git">Git</a></li> </ol> </li> </ol> </nav> <h3 id="why-sealed-secret">Why Sealed Secret?</h3> <p>Sealed Secrets uses asymmetric encryption to solve one problem:</p>