
Sealed Secrets

Encrypt your Secret into a SealedSecret, which is safe to store - even inside a public repository.


Bitnami Sealed Secrets is a controller that lets you encrypt your Kubernetes secrets and store them securely, even in public repositories. The controller works by encrypting your secret into a SealedSecret, which can only be decrypted by the Sealed Secrets controller in your cluster.

Bring your own certificates


You can use your own certificates for disaster recovery purposes. Make sure to download the encryption keys.

While the controller generates its own certificates upon deployment, you also have the option to bring your own certificates. This allows the controller to consume certificates from a secret labeled with The Secret should reside in the sealed-secrets namespace, which must be the same as the controller's namespace. You can have multiple secrets with this label.

To configure the certificates, add the following to the values.yaml when installing Otomi:

enabled: true
apiVersion: v1
- apiVersion: v1
tls.crt: <tls-crt>
tls.key: <tls-key>
kind: Secret
generateName: sealed-secrets-key
labels: active
name: <sealed-secrets-name>
namespace: sealed-secrets
kind: List

Make sure to replace <tls-crt>, <tls-key>, and <sealed-secrets-name> with your actual certificate data and sealed secrets name.
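
One way to produce and check the certificate data before pasting it into the placeholders above. This is an added example, not part of the Otomi or Sealed Secrets documentation; the RSA-4096 key, subject string, file names, validity periods and the base64 encoding of the two values are assumptions.

```shell
#!/usr/bin/env bash
# Added example: produce and sanity-check the values for <tls-crt> and <tls-key>.
# Assumptions: RSA-4096, the subject string, file names and validity period.
set -eu

# Create a self-signed certificate and an unencrypted private key.
generate_keypair() {  # $1 = key path, $2 = cert path, $3 = validity in days
  ( umask 077   # keep the private key readable by its owner only
    openssl req -x509 -nodes -newkey rsa:4096 -days "$3" \
      -subj "/CN=sealed-secret/O=sealed-secret" \
      -keyout "$1" -out "$2" 2>/dev/null )
}

# Succeed only if the certificate carries the public half of the private key.
cert_matches_key() {  # $1 = key path, $2 = cert path
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
  key_pub=$(openssl pkey -in "$1" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the certificate is still valid $2 days from now.
cert_valid_for_days() {  # $1 = cert path, $2 = days
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Print a PEM file as single-line base64 (assumed form of the two values).
encode_pem() {  # $1 = PEM file
  base64 < "$1" | tr -d '\n'
}

# Run with an output directory to generate, check and encode both files.
if [ "$#" -ge 1 ]; then
  mkdir -p "$1"
  generate_keypair "$1/tls.key" "$1/tls.crt" 365
  cert_matches_key "$1/tls.key" "$1/tls.crt" || { echo "key/cert mismatch" >&2; exit 1; }
  cert_valid_for_days "$1/tls.crt" 30 || { echo "cert expires within 30 days" >&2; exit 1; }
  ( umask 077
    encode_pem "$1/tls.crt" > "$1/tls.crt.b64"
    encode_pem "$1/tls.key" > "$1/tls.key.b64" )
fi
```

The private key is what decrypts every SealedSecret sealed against this certificate, so keep tls.key and its encoded copy out of version control unless they are themselves encrypted.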