Skip to content
Branch: master
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Sealed Secrets

This chart contains the resources to use sealed-secrets.


  • Kubernetes >= 1.9

Installing the Chart

To install the chart with the release name my-release:

$ helm install --namespace kube-system --name my-release stable/sealed-secrets

The command deploys a controller and CRD for sealed secrets on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.

Uninstalling the Chart

To uninstall/delete the my-release deployment:

$ helm delete [--purge] my-release

The command removes all the Kubernetes components associated with the chart and deletes the release.

Using kubeseal

Install the kubeseal CLI by downloading the binary from sealed-secrets/releases.

Fetch the public key by passing the release name and namespace:

kubeseal --fetch-cert \
--controller-name=my-release \
--controller-namespace=my-release-namespace \
> pub-cert.pem

Read about kubeseal usage on sealed-secrets docs.


Parameter Description Default
controller.create true if Sealed Secrets controller resources should be created true
rbac.create true if rbac resources should be created true
rbac.pspEnabled true if psp resources should be created false
serviceAccount.create Whether to create a service account or not true The name of the service account to create or use "sealed-secrets-controller"
secretName The name of the TLS secret containing the key used to encrypt secrets "sealed-secrets-key"
image.tag The Sealed Secrets image tag v0.9.6
image.pullPolicy The image pull policy for the deployment IfNotPresent
image.repository The repository to get the controller image from
resources CPU/Memory resource requests/limits {}
crd.create true if crd resources should be created true
crd.keep true if the sealed secret CRD should be kept when the chart is deleted true
networkPolicy Whether to create a network policy that allows access to the service false
securityContext.runAsUser Defines under which user the operator Pod and its containers/processes run 1001
commandArgs Set optional command line arguments passed to the controller process []
ingress.enabled Enables Ingress false
ingress.annotations Ingress annotations {}
ingress.path Ingress path /v1/cert.pem
ingress.hosts Ingress accepted hostnames ["chart-example.local"]
ingress.tls Ingress TLS configuration []
  • In the case that serviceAccount.create is false and rbac.create is true it is expected for a service account with the name to exist in the same namespace as this chart before installation.
  • If serviceAccount.create is true there cannot be an existing service account with the name
  • If a secret with name secretName does not exist in the same namespace as this chart, then on install one will be created. If a secret already exists with this name the keys inside will be used.
You can’t perform that action at this time.