Tanzu Application Catalog services

Bitnami package for Sealed Secrets

Last Updated March 07, 2025

Sealed Secrets are “one-way” encrypted K8s Secrets that can be created by anyone, but can only be decrypted by the controller running in the target cluster recovering the original object.

Overview of Sealed Secrets

TL;DR

helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/sealed-secrets

Note: You need to substitute the placeholders REGISTRY_NAME and REPOSITORY_NAME with a reference to your Helm chart registry and repository.

Introduction

Bitnami charts for Helm are carefully engineered, actively maintained and are the quickest and easiest way to deploy containers on a Kubernetes cluster that are ready to handle production workloads.

This chart bootstraps a Sealed Secret controller Deployment in Kubernetes using the Helm package manager.

Bitnami charts can be used with Kubeapps for deployment and management of Helm Charts in clusters.

Prerequisites

  • Kubernetes 1.16+
  • Helm 3.8.0+

Installing the Chart

To install the chart with the release name my-release:

helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/sealed-secrets

Note: You need to substitute the placeholders REGISTRY_NAME and REPOSITORY_NAME with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use REGISTRY_NAME=registry-1.docker.io and REPOSITORY_NAME=bitnamicharts.

The command deploys the Sealed Secrets controller on the Kubernetes cluster in the default configuration. The Parameters section lists the parameters that can be configured during installation.

Tip: List all releases using helm list

Configuration and installation details

Resource requests and limits

Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the resources value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.

To make this process easier, the chart contains the resourcesPreset values, which automatically sets the resources section according to different presets. Check these presets in the bitnami/common chart. However, in production workloads using resourcesPreset is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the official Kubernetes documentation.

Prometheus metrics

This chart can be integrated with Prometheus by setting metrics.enabled to true. This will expose the Sealed Secrets native Prometheus port in in the containers. Additionally, it will create a metrics service configurable via metrics.service section. This service will also have the necessary annotations to be automatically scraped by Prometheus.

Prometheus requirements

It is necessary to have a working installation of Prometheus or Prometheus Operator for the integration to work. Install the Bitnami Prometheus helm chart or the Bitnami Kube Prometheus helm chart to easily have a working Prometheus in your cluster.

Integration with Prometheus Operator

The chart can deploy ServiceMonitor objects for integration with Prometheus Operator installations. To do so, set the value metrics.serviceMonitor.enabled=true. Ensure that the Prometheus Operator CustomResourceDefinitions are installed in the cluster or it will fail with the following error:

no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1"

Install the Bitnami Kube Prometheus helm chart for having the necessary CRDs and the Prometheus Operator.

Backup and restore

To back up and restore Helm chart deployments on Kubernetes, you need to back up the persistent volumes from the source deployment and attach them to a new deployment using Velero, a Kubernetes backup/restore tool. Find the instructions for using Velero in this guide.

Using kubeseal

The easiest way to interact with the Sealed Secrets controller is using the kubeseal utility. You can install this CLI by downloading the binary from sealed-secrets/releases page.

Once installed, you can start using it to encrypt your secrets or fetching the controller public certificate as shown in the example below:

$ kubeseal --fetch-cert \
--controller-name=my-release \
--controller-namespace=my-release-namespace \
> pub-cert.pem

Refer to Sealed Secrets documentation for more information about kubeseal usage.

Rolling VS Immutable tags

It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.

Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.

Ingress

This chart provides support for Ingress resources. If you have an ingress controller installed on your cluster, such as nginx-ingress-controller or contour you can utilize the ingress controller to serve your application.To enable Ingress integration, set ingress.enabled to true.

The most common scenario is to have one host name mapped to the deployment. In this case, the ingress.hostname property can be used to set the host name. The ingress.tls parameter can be used to add the TLS configuration for this host.

However, it is also possible to have more than one host. To facilitate this, the ingress.extraHosts parameter (if available) can be set with the host names specified as an array. The ingress.extraTLS parameter (if available) can also be used to add the TLS configuration for extra hosts.

NOTE: For each host specified in the ingress.extraHosts parameter, it is necessary to set a name, path, and any annotations that the Ingress controller should know about. Not all annotations are supported by all Ingress controllers, but this annotation reference document lists the annotations supported by many popular Ingress controllers.

Adding the TLS parameter (where available) will cause the chart to generate HTTPS URLs, and the application will be available on port 443. The actual TLS secrets do not have to be generated by this chart. However, if TLS is enabled, the Ingress record will not work until the TLS secret exists.

Learn more about Ingress controllers.

Securing traffic using TLS

This chart facilitates the creation of TLS secrets for use with the Ingress controller (although this is not mandatory). There are several common use cases:

  • Generate certificate secrets based on chart parameters.
  • Enable externally generated certificates.
  • Manage application certificates via an external service (like cert-manager).
  • Create self-signed certificates within the chart (if supported).

In the first two cases, a certificate and a key are needed. Files are expected in .pem format.

Here is an example of a certificate file:

NOTE: There may be more than one certificate if there is a certificate chain.

-----BEGIN CERTIFICATE-----
MIID6TCCAtGgAwIBAgIJAIaCwivkeB5EMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV
...
jScrvkiBO65F46KioCL9h5tDvomdU1aqpI/CBzhvZn1c0ZTf87tGQR8NK7v7
-----END CERTIFICATE-----

Here is an example of a certificate key:

-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvLYcyu8f3skuRyUgeeNpeDvYBCDcgq+LsWap6zbX5f8oLqp4
...
wrj2wDbCDCFmfqnSJ+dKI3vFLlEz44sAV8jX/kd4Y6ZTQhlLbYc=
-----END RSA PRIVATE KEY-----
  • If using Helm to manage the certificates based on the parameters, copy these values into the certificate and key values for a given *.ingress.secrets entry.
  • If managing TLS secrets separately, it is necessary to create a TLS secret with name INGRESS_HOSTNAME-tls (where INGRESS_HOSTNAME is a placeholder to be replaced with the hostname you set using the *.ingress.hostname parameter).
  • If your cluster has a cert-manager add-on to automate the management and issuance of TLS certificates, add to *.ingress.annotations the corresponding ones for cert-manager.
  • If using self-signed certificates created by Helm, set both *.ingress.tls and *.ingress.selfSigned to true.

Sidecars

If additional containers are needed in the same pod as Sealed Secrets (such as additional metrics or logging exporters), they can be defined using the sidecars parameter.

sidecars:
- name: your-image-name
  image: your-image
  imagePullPolicy: Always
  ports:
  - name: portname
    containerPort: 1234

If these sidecars export extra ports, extra port definitions can be added using the service.extraPorts parameter (where available), as shown in the example below:

service:
  extraPorts:
  - name: extraPort
    port: 11311
    targetPort: 11311

NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the --enable-metrics=true parameter at deployment time. The sidecars parameter should therefore only be used for any extra sidecar containers.

If additional init containers are needed in the same pod, they can be defined using the initContainers parameter. Here is an example:

initContainers:
  - name: your-image-name
    image: your-image
    imagePullPolicy: Always
    ports:
      - name: portname
        containerPort: 1234

Learn more about sidecar containers and init containers.

Pod affinity

This chart allows you to set your custom affinity using the affinity parameter. Find more information about Pod affinity in the kubernetes documentation.

As an alternative, use one of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the bitnami/common chart. To do so, set the podAffinityPreset, podAntiAffinityPreset, or nodeAffinityPreset parameters.

Parameters

Global parameters

NameDescriptionValue
global.imageRegistryGlobal Docker image registry""
global.imagePullSecretsGlobal Docker registry secret names as an array[]
global.security.allowInsecureImagesAllows skipping image verificationfalse
global.compatibility.openshift.adaptSecurityContextAdapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)auto

Common parameters

NameDescriptionValue
kubeVersionOverride Kubernetes version""
nameOverrideString to partially override common.names.fullname""
fullnameOverrideString to fully override common.names.fullname""
namespaceOverrideString to fully override common.names.namespace""
commonLabelsLabels to add to all deployed objects{}
commonAnnotationsAnnotations to add to all deployed objects{}
clusterDomainKubernetes cluster domain namecluster.local
extraDeployArray of extra objects to deploy with the release[]

Sealed Secrets Parameters

NameDescriptionValue
image.registrySealed Secrets image registryREGISTRY_NAME
image.repositorySealed Secrets image repositoryREPOSITORY_NAME/sealed-secrets
image.digestSealed Secrets image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag""
image.pullPolicySealed Secrets image pull policyIfNotPresent
image.pullSecretsSealed Secrets image pull secrets[]
image.debugEnable Sealed Secrets image debug modefalse
commandOverride default container command (useful when using custom images)[]
commandArgsAdditional args (doesn’t override the default ones)[]
argsOverride default container args (useful when using custom images)[]
revisionHistoryLimitNumber of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10)""
createControllerSpecifies whether the Sealed Secrets controller should be createdtrue
secretNameThe name of an existing TLS secret containing the key used to encrypt secrets""
updateStatusSpecifies whether the Sealed Secrets controller should update the status subresourcetrue
skipRecreateSpecifies whether the Sealed Secrets controller should skip recreating removed secretsfalse
keyRenewPeriodSpecifies key renewal period. Default 30 days. e.g keyRenewPeriod: “720h30m”""
rateLimitNumber of allowed sustained request per second for verify endpoint""
rateLimitBurstNumber of requests allowed to exceed the rate limit per second for verify endpoint""
additionalNamespacesList of namespaces used to manage the Sealed Secrets[]
privateKeyAnnotationsMap of annotations to be set on the sealing keypairs{}
privateKeyLabelsMap of labels to be set on the sealing keypairs{}
logInfoStdoutSpecifies whether the Sealed Secrets controller will log info to stdoutfalse
containerPorts.httpController HTTP container port to open8080
containerPorts.metricsController metrics container port8081
resourcesPresetSet container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).nano
resourcesSet container requests and limits for different resources like CPU or memory (essential for production workloads){}
livenessProbe.enabledEnable livenessProbe on Sealed Secret containerstrue
livenessProbe.initialDelaySecondsInitial delay seconds for livenessProbe5
livenessProbe.periodSecondsPeriod seconds for livenessProbe10
livenessProbe.timeoutSecondsTimeout seconds for livenessProbe1
livenessProbe.failureThresholdFailure threshold for livenessProbe3
livenessProbe.successThresholdSuccess threshold for livenessProbe1
readinessProbe.enabledEnable readinessProbe on Sealed Secret containerstrue
readinessProbe.initialDelaySecondsInitial delay seconds for readinessProbe5
readinessProbe.periodSecondsPeriod seconds for readinessProbe10
readinessProbe.timeoutSecondsTimeout seconds for readinessProbe1
readinessProbe.failureThresholdFailure threshold for readinessProbe3
readinessProbe.successThresholdSuccess threshold for readinessProbe1
startupProbe.enabledEnable startupProbe on Sealed Secret containersfalse
startupProbe.initialDelaySecondsInitial delay seconds for startupProbe10
startupProbe.periodSecondsPeriod seconds for startupProbe10
startupProbe.timeoutSecondsTimeout seconds for startupProbe1
startupProbe.failureThresholdFailure threshold for startupProbe15
startupProbe.successThresholdSuccess threshold for startupProbe1
customLivenessProbeCustom livenessProbe that overrides the default one{}
customReadinessProbeCustom readinessProbe that overrides the default one{}
customStartupProbeCustom startupProbe that overrides the default one{}
podSecurityContext.enabledEnabled Sealed Secret pods’ Security Contexttrue
podSecurityContext.fsGroupChangePolicySet filesystem group change policyAlways
podSecurityContext.sysctlsSet kernel settings using the sysctl interface[]
podSecurityContext.supplementalGroupsSet filesystem extra groups[]
podSecurityContext.fsGroupSet Sealed Secret pod’s Security Context fsGroup1001
containerSecurityContext.enabledEnabled Sealed Secret containers’ Security Contexttrue
containerSecurityContext.allowPrivilegeEscalationWhether the Sealed Secret container can escalate privilegesfalse
containerSecurityContext.capabilities.dropWhich privileges to drop in the Sealed Secret container["ALL"]
containerSecurityContext.readOnlyRootFilesystemWhether the Sealed Secret container has a read-only root filesystemtrue
containerSecurityContext.runAsNonRootIndicates that the Sealed Secret container must run as a non-root usertrue
containerSecurityContext.seLinuxOptionsSet SELinux options in container{}
containerSecurityContext.runAsUserSet Sealed Secret containers’ Security Context runAsUser1001
containerSecurityContext.runAsGroupSet Sealed Secret containers’ Security Context runAsGroup1001
containerSecurityContext.seccompProfile.typeSet Sealed Secret container’s Security Context seccompProfile typeRuntimeDefault
automountServiceAccountTokenMount Service Account token in podtrue
hostAliasesSealed Secret pods host aliases[]
podLabelsExtra labels for Sealed Secret pods{}
podAnnotationsAnnotations for Sealed Secret pods{}
podAffinityPresetPod affinity preset. Ignored if affinity is set. Allowed values: soft or hard""
podAntiAffinityPresetPod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hardsoft
nodeAffinityPreset.typeNode affinity preset type. Ignored if affinity is set. Allowed values: soft or hard""
nodeAffinityPreset.keyNode label key to match. Ignored if affinity is set""
nodeAffinityPreset.valuesNode label values to match. Ignored if affinity is set[]
affinityAffinity for Sealed Secret pods assignment{}
nodeSelectorNode labels for Sealed Secret pods assignment{}
tolerationsTolerations for Sealed Secret pods assignment[]
updateStrategy.typeSealed Secret statefulset strategy typeRollingUpdate
priorityClassNameSealed Secret pods’ priorityClassName""
topologySpreadConstraintsTopology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template[]
schedulerNameName of the k8s scheduler (other than default) for Sealed Secret pods""
terminationGracePeriodSecondsSeconds the pod needs to terminate gracefully""
lifecycleHooksfor the Sealed Secret container(s) to automate configuration before or after startup{}
extraEnvVarsArray with extra environment variables to add to Sealed Secret nodes[]
extraEnvVarsCMName of existing ConfigMap containing extra env vars for Sealed Secret nodes""
extraEnvVarsSecretName of existing Secret containing extra env vars for Sealed Secret nodes""
extraVolumesOptionally specify extra list of additional volumes for the Sealed Secret pod(s)[]
extraVolumeMountsOptionally specify extra list of additional volumeMounts for the Sealed Secret container(s)[]
sidecarsAdd additional sidecar containers to the Sealed Secret pod(s){}
initContainersAdd additional init containers to the Sealed Secret pod(s){}

Traffic Exposure Parameters

NameDescriptionValue
service.typeSealed Secret service typeClusterIP
service.ports.httpSealed Secret service HTTP port number8080
service.ports.nameSealed Secret service HTTP port namehttp
service.nodePorts.httpNode port for HTTP""
service.clusterIPSealed Secret service Cluster IP""
service.loadBalancerIPSealed Secret service Load Balancer IP""
service.loadBalancerClassSealed Secret service Load Balancer Class""
service.loadBalancerSourceRangesSealed Secret service Load Balancer sources[]
service.externalTrafficPolicySealed Secret service external traffic policyCluster
service.annotationsAdditional custom annotations for Sealed Secret service{}
service.extraPortsExtra ports to expose in Sealed Secret service (normally used with the sidecars value)[]
service.sessionAffinityControl where client requests go, to the same pod or round-robinNone
service.sessionAffinityConfigAdditional settings for the sessionAffinity{}
ingress.enabledEnable ingress record generation for Sealed Secretfalse
ingress.pathTypeIngress path typeImplementationSpecific
ingress.apiVersionForce Ingress API version (automatically detected if not set)""
ingress.ingressClassNameIngressClass that will be be used to implement the Ingress""
ingress.hostnameDefault host for the ingress recordsealed-secrets.local
ingress.pathDefault path for the ingress record/
ingress.annotationsAdditional custom annotations for the ingress record{}
ingress.tlsEnable TLS configuration for the host defined at ingress.hostname parameterfalse
ingress.selfSignedCreate a TLS secret for this ingress record using self-signed certificates generated by Helmfalse
ingress.extraHostsAn array with additional hostname(s) to be covered with the ingress record[]
ingress.extraPathsAn array with additional arbitrary paths that may need to be added to the ingress under the main host[]
ingress.extraTlsTLS configuration for additional hostname(s) to be covered with this ingress record[]
ingress.secretsCustom TLS certificates as secrets[]
ingress.extraRulesAdditional rules to be covered with this ingress record[]

Other Parameters

NameDescriptionValue
rbac.createSpecifies whether RBAC resources should be createdtrue
rbac.pspEnabledPodSecurityPolicyfalse
rbac.clusterRoleSpecifies whether the Cluster Role resource should be created. If both rbac.clusterRole and rbac.namespacedRoles are set to false no RBAC will be created.true
rbac.clusterRoleNameSpecifies the name for the Cluster Role resource""
rbac.namespacedRolesSpecifies whether the namespaced Roles should be created (in each of the specified additionalNamespaces). If both rbac.clusterRole and rbac.namespacedRoles are set to false no RBAC will be created.false
rbac.namespacedRolesNameSpecifies the name for the namesapced Role resource""
rbac.unsealer.rulesCustom RBAC rules to set for unsealer ClusterRole[]
rbac.keyAdmin.rulesCustom RBAC rules to set for key-admin role[]
rbac.serviceProxier.rulesCustom RBAC rules to set for service-proxier role[]
rbac.labelsExtra labels to be added to RBAC resources{}
serviceAccount.createSpecifies whether a ServiceAccount should be createdtrue
serviceAccount.nameThe name of the ServiceAccount to use.""
serviceAccount.annotationsAdditional Service Account annotations (evaluated as a template){}
serviceAccount.automountServiceAccountTokenAutomount service account token for the server service accountfalse
networkPolicy.enabledSpecifies whether a NetworkPolicy should be createdfalse
networkPolicy.allowExternalDon’t require client label for connectionstrue
pdb.createEnable a Pod Disruption Budget creationtrue
pdb.minAvailableMinimum number/percentage of pods that should remain scheduled""
pdb.maxUnavailableMaximum number/percentage of pods that may be made unavailable. Defaults to 1 if both pdb.minAvailable and pdb.maxUnavailable are empty.""

Metrics parameters

NameDescriptionValue
metrics.enabledSealed Secrets toggle metrics service definitionfalse
metrics.service.typeSealed Secrets metrics service typeClusterIP
metrics.service.ports.metricsSealed Secrets metrics service port8081
metrics.service.externalTrafficPolicySealed Secrets metrics service external traffic policyCluster
metrics.service.extraPortsExtra ports to expose (normally used with the sidecar value)[]
metrics.service.loadBalancerIPSealed Secrets metrics service Load Balancer IP""
metrics.service.loadBalancerSourceRangesSealed Secrets metrics service Load Balancer sources[]
metrics.service.annotationsAdditional custom annotations for Sealed Secrets metrics service{}
metrics.serviceMonitor.enabledSpecify if a ServiceMonitor will be deployed for Prometheus Operatorfalse
metrics.serviceMonitor.namespaceNamespace in which Prometheus is running""
metrics.serviceMonitor.port.numberPort number for the serviceMonitor8081
metrics.serviceMonitor.port.namePort name for the serviceMonitormetrics
metrics.serviceMonitor.labelsExtra labels for the ServiceMonitor{}
metrics.serviceMonitor.annotationsAdditional ServiceMonitor annotations (evaluated as a template){}
metrics.serviceMonitor.jobLabelThe name of the label on the target service to use as the job name in Prometheus""
metrics.serviceMonitor.honorLabelshonorLabels chooses the metric’s labels on collisions with target labelsfalse
metrics.serviceMonitor.intervalInterval at which metrics should be scraped.""
metrics.serviceMonitor.scrapeTimeoutTimeout after which the scrape is ended""
metrics.serviceMonitor.metricRelabelingsSpecify additional relabeling of metrics[]
metrics.serviceMonitor.relabelingsSpecify general relabeling[]
metrics.serviceMonitor.selectorPrometheus instance selector labels{}

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

helm install my-release \
  --set livenessProbe.successThreshold=5 \
    oci://REGISTRY_NAME/REPOSITORY_NAME/sealed-secrets

Note: You need to substitute the placeholders REGISTRY_NAME and REPOSITORY_NAME with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use REGISTRY_NAME=registry-1.docker.io and REPOSITORY_NAME=bitnamicharts.

The above command sets the livenessProbe.successThreshold to 5.

Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,

helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/sealed-secrets

Note: You need to substitute the placeholders REGISTRY_NAME and REPOSITORY_NAME with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use REGISTRY_NAME=registry-1.docker.io and REPOSITORY_NAME=bitnamicharts. Tip: You can use the default values.yaml

Troubleshooting

Find more information about how to deal with common errors related to Bitnami’s Helm charts in this troubleshooting guide.

Upgrading

To 2.5.0

This version introduces image verification for security purposes. To disable it, set global.security.allowInsecureImages to true. More details at GitHub issue.

To 2.0.0

This major bump changes the following security defaults:

  • resourcesPreset is changed from none to the minimum size working in our test suites (NOTE: resourcesPreset is not meant for production usage, but resources adapted to your use case).
  • global.compatibility.openshift.adaptSecurityContext is changed from disabled to auto.

This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.

To 1.0.0

This major release renames several values in this chart and adds missing features, in order to be aligned with the rest of the assets in the Bitnami charts repository.

  • service.port has been renamed as service.ports.http.
  • service.nodePorthas been renamed as service.nodePorts.http
  • containerPorthas been renamed as containerPorts.http
  • certManagerhas been removed. Please use ingress.annotations instead

License

Copyright © 2025 Broadcom. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.

Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.