Skip to main content

Securing Kubernetes Secrets with Sealed Secrets and Runme

Runme provides a platform for documenting processes and instructions. It integrates swiftly with cloud infrastructures, including Kubernetes and its resources.

This guide will explore one such resource, Kubernetes secrets, with a specific focus on Sealed Secrets.

Sealed Secrets is an open-source project that helps encrypt Kubernetes secrets, which can then be securely stored in your version control. Runme makes securing these secrets easier.

In this guide, we will demonstrate the steps required to encrypt Kubernetes secrets with Sealed Secrets in Runme successfully.


To get started, ensure you have the following:

This guide will focus on using the Mac specifications. If you use a Linux OS, follow the instructions in the Linux Markdown files.

Install all Dependencies

To follow up on securing your secrets using Sealed Secrets, ensure you install the necessary dependencies in the notebook's prerequisite section. In your Runme cell, run the commands below to install all dependencies required for this guide.

Encrypt a Secret in Runme

To encrypt a secret, you must create a Kubernetes secret using kubeseal. Navigate to your cloned repo's ‘Encrypt a Secret’ section and choose your preferred encryption method from the options provided. Once that is done, run the command below in your Runme cell.

Runme will automatically create a Sealed Secret resource containing the encrypted data, the mysealedsecret.yaml

Adding New Value to A Secret

You can add a new value to your secret by navigating to this section and executing the commands. You only need to update your manifest file with the new values, re-encrypt the secrets, and then reapply them to the cluster. All of these can be executed in your Runme cell. The image below shows a visual representation of this process.

From the output gotten, you can see that your new value has successfully been added.

add value

Decrypt a Secret

To retrieve the original version of runme-secrets.yaml, you can decrypt the encrypted secret, mysealedsecret.yaml. Run the command in the ‘Decrypt a Secret’ section of the repo and run it in your Runme cell.

kubeseal --controller-name=sealed-secrets-controller --controller-namespace=kube-system  < mysealedsecret.yaml > mysecrets.yaml

Delete a Secret

To delete the secret, use the kubectl command to delete the resource and run it in your Runme cell.

kubectl delete -f mysealedsecret.yaml

Deploy the Sealed Secret

To deploy your secret, execute the code below:

kubectl apply -f mysealedsecret.yaml

deploy sealed

The Sealed Secrets controller will decrypt the Sealed Secret and create a Kubernetes Secret with the decrypted data.

Make sure to replace placeholders like mysecret.yaml and mysealedsecret.yaml with your secret and Sealed Secret filenames. Adjust controller-specific details such as the namespace and name according to your environment.

How Runme Improves Your Documentation Experience

In this guide, we explored how to encrypt, decrypt, delete, deploy a Kubernetes secrtes using sealed secrets and Runme. Runme made the process of carrying all these operations out swiftly by utilizing its features.

Some key features of Runme that make it stand out include:

  • Its ability to simplify the copying and pasting of commands and codes,
  • Run tasks in the background, interact with your terminal,
  • Render images and tables inside your markdown files,
  • Run code in your preferred language.

These are just a few of the things you can achieve in Runme. To explore Runme more, visit the Runme Documentation, where you can embark on a guided journey to a more secure Kubernetes environment.