• Access to a Kubernetes cluster
• The ability to forward a port on that Kubernetes cluster to access endpoints on your browser

helm repo add argo https://argoproj.github.io/argo-helm
helm install my-argo-cd argo/argo-cd

helm repo add bitnami-labs https://bitnami-labs.github.io/sealed-secrets/
helm install sealed-secrets-controller bitnami-labs/sealed-secrets

# If you are not using MacOS, you can go to the Sealed Secrets repository to download the kubeseal binary. Otherwise, use the brew install command listed here.
# https://github.com/bitnami-labs/sealed-secrets
brew install kubeseal

Ensure you checkout your own feature branch in this repository git checkout -b <feature-branch>

Switch to the charts/nginx/examples directory.

cd charts/nginx/examples

Copy and paste the existing mysecret.yaml and rename to secret.yaml.

cp mysecret.yaml secret.yaml

Use the base64 CLI to encode your secret value.

echo -n "my-new-secret" | base64

Copy that encoded string and replace the value.

data:
  secret: <base64 string goes here>

Run the kubeseal command to generate your new encrypted secret file that is safe to store in version control.

kubeseal --controller-namespace default \
  --format yaml -f secret.yaml > \
  ../templates/mysealedsecret.yaml

Note: You will not check the secret.yaml into Git. This is only an example, but it represents the unencrypted secret file that we need to keep private. Once you have run the kubeseal command successfully you are safe to store your plaintext secret file somewhere or, in our case for this example, delete the file.

rm secret.yaml

Switch back to the top level of this repository.

cd ../../../

Expose the ArgoCD Service to connect to the ArgoCD Web UI

kubectl port-forward service/my-argo-cd-argocd-server -n default 8080:443

Get the admin password for the ArgoCD login

kubectl get secrets argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d

Access the ArgoCD UI at https://localhost:8080/ and login as the admin user

username: admin
password: <password>

Update the targetRevision key in the nginx-application.yaml to reconcile against your branch

targetRevision: <yourFeatureBranch>

Push ONLY the nginx-application.yaml & your mysealedsecret.yaml to your remote repository

git add nginx-application.yaml
git add charts/nginx/templates/mysealedsecret.yaml
git commit -m "Created a SealedSecret & reconciling against my feature branch"
git push

Run this command and Argo CD will begin reconciling your application.

$ kubectl apply -f nginx-application.yaml

Check on the status of the reconciliation by running the following command:

$ kubectl get applications.argoproj.io

NAME    SYNC STATUS   HEALTH STATUS
nginx   Synced        Healthy

If everything has been configured correctly, then you will see your secret has been deployed to the cluster.

kubectl get secrets my-secret
kubectl get secret/my-secret --template={{.data.secret}} | base64 -d   

kubectl delete -f nginx-application.yaml
helm uninstall my-argo-cd 
helm uninstall sealed-secrets-controller

If you want to manage your SealedSecrets without direct access to your cluster you'll need to grab the public key that your sealed-secrets installation is using.

Run this command while you do have access to the cluster, then can use the public key with the kubeseal CLI

kubeseal --controller-name=sealed-secrets-controller --controller-namespace=default --fetch-cert > public-key-cert.pem

Now you can run the following command to encrypt your secret without direct access to the cluster.

kubeseal --format=yaml --cert=public-key-cert.pem < secret.yaml > sealed-secret.yaml

If you've set up ArgoCD to reconcile from Git, you can push the new sealed-secret.yaml file to Git to update the value on your cluster.