Back to home

Sealed Secrets

Sealed Secrets encrypts Kubernetes Secrets so you can store them in git without any worries.


Usually the content of Kubernetes Secret definitions is unencrypted which means it is not recommended to store them alongside other Kubernetes definitions in version control or anywhere that is not a secured environment. This adds manual and error-prone steps to your application deployment. As a solution to this, we are running a controller that will take care of decrypting your Sealed Secrets and turning them into normal Secret objects.


Sealed Secrets are available as standard with nine Managed GKE.


The easiest way to create a Sealed Secret is to use our generator on runway.

  1. Generate a new Sealed Secret by filling out the form in the Secrets Generator Tab.

  2. Download the Sealed Secret.

  3. Apply it via kubectl.

    $ kubectl apply -f ~/Downloads/cloudsql-prod.yaml created
  4. Read back the Secret resource that the controller created for us.

    $ kubectl get secret cloudsql-prod --template={{.data.password}} | base64 -d

To delete the Secret again, you can just delete the Sealed Secret and the controller will also remove the Secret object.

$ kubectl delete sealedsecret cloudsql-prod "cloudsql-prod" deleted

Note that in a production scenario we do not recommend you to apply the Sealed Secret locally with kubectl, but instead store it in your configuration repository and let Argo CD take care of creating it.

Didn't find what you were looking for?

Contact our support:

+41 44 637 40 40 Support Portal