Repository: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin (previously cpfarhood/headlamp-sealed-secrets-plugin)
Description: Headlamp plugin for managing Bitnami Sealed Secrets with client-side encryption
Language: TypeScript | License: Apache-2.0 | Created: 2026-02-12 | Last push: 2026-04-15
Topics: bitnami, cncf, dashboard, encryption, headlamp, headlamp-plugin, k8s, kubernetes, platform-engineering, sealed-secrets
Repository files: README.md, CHANGELOG.md, CONTRIBUTING.md, SECURITY.md, LICENSE, .github/FUNDING.yml (GitHub Sponsors: privilegedescalation)

# Headlamp Sealed Secrets Plugin

[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/package/headlamp/sealed-secrets/sealed-secrets)](https://artifacthub.io/packages/headlamp/sealed-secrets/sealed-secrets)
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
[![GitHub release](https://img.shields.io/github/v/release/privilegedescalation/headlamp-sealed-secrets-plugin)](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases)
[![GitHub issues](https://img.shields.io/github/issues/privilegedescalation/headlamp-sealed-secrets-plugin)](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/issues)
[![Test Coverage](https://img.shields.io/badge/coverage-92%25-brightgreen)](docs/development/testing.md)
[![TypeScript](https://img.shields.io/badge/TypeScript-5.6.2-blue)](https://www.typescriptlang.org/)

A [Headlamp](https://headlamp.dev) plugin for managing [Bitnami Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) with **client-side encryption** and an **RBAC-aware UI**.

## Features

- Client-side encryption using RSA-OAEP + AES-256-GCM (plaintext is sealed in the browser, never sent to the cluster)
- List, view, create, and manage SealedSecrets
- View and download sealing key certificates
- Decrypt sealed values (requires RBAC permissions)
- RBAC-aware UI that adapts to the user's permissions
- Support for all three scoping modes (strict, namespace-wide, cluster-wide)
- Type-safe implementation with branded types
- 92% test coverage

## Quick Start

### Installation

Browse the Headlamp Plugin Manager (Settings → Plugins → Catalog) and install **sealed-secrets** directly.

### First Secret

```bash
# 1. Install the Sealed Secrets controller (if not already installed)
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml

# 2. In the Headlamp UI:
#    - Navigate to "Sealed Secrets" in the sidebar
#    - Click "Create Sealed Secret"
#    - Fill in name, namespace, and secret data
#    - Click "Create"

# 3. Verify that the SealedSecret exists and that the controller unsealed it into a Secret
kubectl get sealedsecret -A
kubectl get secret <your-secret-name> -n <namespace>
```

## Documentation

### Getting Started
- **[Installation Guide](docs/getting-started/installation.md)** - Multiple installation methods (macOS, Linux, Windows)
- **[Quick Start Tutorial](docs/getting-started/quick-start.md)** - Create your first sealed secret

### User Guides
- **[Scopes Explained](docs/user-guide/scopes-explained.md)** - Strict vs namespace-wide vs cluster-wide
- **[RBAC Permissions](docs/user-guide/rbac-permissions.md)** - Configure access control

### Tutorials
- **[CI/CD Integration](docs/tutorials/ci-cd-integration.md)** - GitHub Actions, GitLab CI, Jenkins

### Reference
- **[Troubleshooting](docs/troubleshooting/)** - Common issues and solutions
- **[API Reference](docs/api-reference/generated/)** - Auto-generated TypeScript docs
- **[Architecture ADRs](docs/architecture/adr/)** - Design decisions and rationale
- **[Development Guide](docs/development/workflow.md)** - Contributing and testing

## Prerequisites

- **Headlamp** v0.13.0 or later
- **Sealed Secrets controller** in your cluster:
  ```bash
  kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
  ```
- **kubectl** access with appropriate RBAC permissions

## Architecture

```
src/
├── index.tsx              # Plugin entry point
├── types.ts               # Branded types, Result type, interfaces
├── hooks/                 # Custom React hooks (controller health, RBAC, encryption)
├── lib/                   # Utility library (CRD, crypto, controller, RBAC, retry, validators)
└── components/            # React components (list, detail, dialogs, settings)
```

The plugin uses custom hooks and a utility library instead of a single data context provider. Client-side encryption is handled entirely in the browser via `node-forge` (RSA-OAEP + AES-256-GCM).

### System Diagram

```
┌─────────────┐
│   Headlamp  │
│   Browser   │
└──────┬──────┘
       │
       ├─ Client-Side Encryption (node-forge)
       │  └─ RSA-OAEP + AES-256-GCM
       │
       ├─ Headlamp Plugin
       │  ├─ React Components (WCAG 2.1 AA)
       │  ├─ Type-Safe API (Result types)
       │  ├─ RBAC Integration
       │  └─ Health Monitoring
       │
       ▼
┌──────────────────┐
│  Kubernetes API  │
└─────────┬────────┘
          │
          ▼
┌──────────────────┐
│ Sealed Secrets   │
│   Controller     │
└──────────────────┘
```

## Security

### How It Works

The plugin encrypts secrets client-side before sending them to Kubernetes:

1. The user enters plaintext values in the browser
2. The plugin fetches the controller's public certificate
3. Each value is encrypted with a fresh AES-256-GCM session key, and that key is wrapped with the controller's RSA public key using RSA-OAEP; the chosen scope (strict, namespace-wide, or cluster-wide) is bound into the encryption, so a value sealed for one namespace/name cannot be unsealed under another
4. Only the encrypted data is sent to Kubernetes, as a `SealedSecret` resource
5. The controller decrypts it with its private key and creates the `Secret`

Plaintext values never leave your browser.

### Security Features

| Feature | Implementation | Purpose |
|---------|----------------|---------|
| **Client-Side Encryption** | RSA-OAEP + AES-256-GCM | Plaintext is never transmitted |
| **Branded Types** | TypeScript compile-time checks | Prevent mixing plaintext and encrypted values |
| **Certificate Validation** | PEM parsing + expiry checks | Ensure valid encryption keys |
| **RBAC Integration** | SelfSubjectAccessReview API | Permission-aware UI |
| **Input Validation** | Kubernetes DNS-1123 format | Prevent invalid resources |
| **Retry Logic** | Exponential backoff + jitter | Resilient against transient failures |

### Threat Model

| Threat | Mitigation | Status |
|--------|-----------|--------|
| Man-in-the-middle | Client-side encryption | ✅ Plaintext protected, given a genuine certificate |
| Network sniffing | No plaintext on the network | ✅ Protected |
| Compromised proxy | Only sees encrypted data | ✅ Plaintext protected, given a genuine certificate |
| Browser XSS | Headlamp CSP policies | ⚠️ Standard web security |
| Supply chain | Package locks, Dependabot | ⚠️ Ongoing monitoring |

The first three rows hold only as long as the certificate the plugin encrypts to really belongs to the controller: a man-in-the-middle or proxy that can substitute its own certificate in the fetch response can decrypt anything sealed with it. Before sealing production values, compare the certificate shown in the plugin with the one returned by `kubeseal --fetch-cert` run directly against the cluster.

See: [ADR 003: Client-Side Encryption](docs/architecture/adr/003-client-side-crypto.md)

## Technical Details

### Code Quality Metrics

| Metric | Value | Notes |
|--------|-------|-------|
| **Test Coverage** | 92% | Unit + integration tests |
| **TypeScript** | 5.6.2 strict mode | Zero type errors |
| **Dependencies** | node-forge (crypto) | Minimal dependency surface, tracked with package locks and Dependabot |

### Technology Stack

- **Language**: TypeScript 5.6.2 (strict mode)
- **UI Framework**: React 18 with hooks
- **Crypto Library**: node-forge (RSA-OAEP + AES-256-GCM)
- **Testing**: Vitest + React Testing Library
- **Linting**: ESLint + Prettier
- **Build Tool**: Headlamp plugin SDK

### Architecture

- **Result Types**: Type-safe error handling ([ADR 001](docs/architecture/adr/001-result-types.md))
- **Branded Types**: Compile-time type safety ([ADR 002](docs/architecture/adr/002-branded-types.md))
- **Custom Hooks**: Separated business logic ([ADR 005](docs/architecture/adr/005-react-hooks-extraction.md))
- **RBAC Integration**: Permission-aware UI ([ADR 004](docs/architecture/adr/004-rbac-integration.md))

See the [Architecture Decision Records](docs/architecture/adr/) for detailed design rationale.

## Contributing

We welcome contributions.

### Quick Start for Contributors

```bash
# 1. Fork and clone
git clone https://github.com/YOUR_USERNAME/headlamp-sealed-secrets-plugin
cd headlamp-sealed-secrets-plugin

# 2. Install dependencies
npm install

# 3. Start development (hot reload)
npm start

# 4. Run tests
npm test

# 5. Lint and type-check
npm run lint
npm run tsc
```

### Contribution Areas

| Area | What We Need | Good First Issue |
|------|-------------|------------------|
| **Documentation** | Tutorials, guides, examples | ✅ Yes |
| **Testing** | More test coverage, edge cases | ✅ Yes |
| **Features** | Bulk operations, secret templates | ⚠️ Discuss first |
| **Bug Fixes** | See [open issues](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/issues) | ✅ Yes |
| **Accessibility** | ARIA improvements, keyboard nav | ✅ Yes |
| **Translations** | i18n support (future) | 📅 Planned |

### Before Submitting

- [ ] Read the [Development Guide](docs/development/workflow.md)
- [ ] Tests pass (`npm test`)
- [ ] Lint passes (`npm run lint`)
- [ ] TypeScript compiles (`npm run tsc`)
- [ ] Documentation updated (if applicable)
- [ ] Changelog updated (if user-facing change)

See: [Development Workflow](docs/development/workflow.md) | [Testing Guide](docs/development/testing.md)

## Changelog

See [CHANGELOG.md](CHANGELOG.md) for the version history and details of each release.

## Issues & Support

### Need Help?

1. **Check the Documentation First**
   - [Troubleshooting Guide](docs/troubleshooting/) - Common issues and solutions
   - [User Guide](docs/user-guide/) - Feature documentation
   - [API Reference](docs/api-reference/generated/) - TypeScript API docs

2. **Search Existing Issues**
   - [Open Issues](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/issues)
   - [Closed Issues](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/issues?q=is%3Aissue+is%3Aclosed)

3. **Ask the Community**
   - [GitHub Discussions](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/discussions)

4. **Report a Bug**
   - [Create New Issue](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/issues/new)
   - Include: plugin version, Headlamp version, error messages, steps to reproduce

### Common Issues

| Issue | Quick Fix | Guide |
|-------|-----------|-------|
| Plugin not loading | Check installation path | [Installation](docs/getting-started/installation.md) |
| Controller not found | Install controller | [Troubleshooting](docs/troubleshooting/) |
| Permission denied | Configure RBAC | [RBAC Permissions](docs/user-guide/rbac-permissions.md) |
| Encryption fails | Check certificate | [Troubleshooting](docs/troubleshooting/) |

## License

Apache License 2.0 - see [LICENSE](LICENSE) for details.

## Credits

Built with:
- [Headlamp](https://headlamp.dev) - Kubernetes UI
- [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) - Encryption controller
- [node-forge](https://github.com/digitalbazaar/forge) - Cryptography library

## Links

### Project Resources
- **[Releases](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases)** - Download plugin
- **[Documentation](docs/README.md)** - Complete docs
- **[Issues](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/issues)** - Bug reports
- **[Discussions](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/discussions)** - Q&A
- **[Changelog](CHANGELOG.md)** - Version history

### External Resources
- **[Headlamp](https://headlamp.dev)** - Kubernetes UI framework
- **[Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)** - Encryption controller
- **[kubeseal CLI](https://github.com/bitnami-labs/sealed-secrets#installation)** - Command-line tool
- **[Kubernetes RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)** - Access control
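The sealing scheme described under Security (RSA-OAEP wrapping a per-value AES-256-GCM key, with the scope bound into the encryption) worked through as an added example. This is not the plugin's code: the plugin uses `node-forge` in the browser, while this example uses Node's built-in `crypto` module so it runs with no dependencies. The wire format and scope labels follow the upstream Sealed Secrets controller as the editor understands them (a 2-byte big-endian length, the RSA-OAEP/SHA-256 wrapped 32-byte session key with the scope string as OAEP label, then AES-256-GCM with a zero nonce and the tag appended); `demoKeyPair` stands in for the controller's sealing key, and `prod`, `db-creds` and `hunter2` are constructed sample inputs.

```typescript
import * as crypto from "crypto";

export type Scope = "strict" | "namespace-wide" | "cluster-wide";

// The OAEP label binds the scope: OAEP decoding checks the label, so a value
// sealed for prod/db-creds cannot be unsealed under any other namespace/name.
export function encryptionLabel(namespace: string, name: string, scope: Scope): Buffer {
  if (scope === "strict") return Buffer.from(`${namespace}/${name}`, "utf8");
  if (scope === "namespace-wide") return Buffer.from(namespace, "utf8");
  return Buffer.alloc(0); // cluster-wide: empty label
}

const RSA_OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" } as const;
const GCM_NONCE = Buffer.alloc(12); // zero nonce is safe only because each session key is used exactly once
const GCM_TAG_LEN = 16;

// Hybrid encryption: a fresh AES-256-GCM key per value, wrapped with RSA-OAEP.
export function hybridEncrypt(publicKeyPem: string, plaintext: Buffer, label: Buffer): Buffer {
  const sessionKey = crypto.randomBytes(32);
  const wrappedKey = crypto.publicEncrypt({ key: publicKeyPem, ...RSA_OAEP, oaepLabel: label }, sessionKey);
  const gcm = crypto.createCipheriv("aes-256-gcm", sessionKey, GCM_NONCE);
  const body = Buffer.concat([gcm.update(plaintext), gcm.final(), gcm.getAuthTag()]);
  const lengthPrefix = Buffer.alloc(2);
  lengthPrefix.writeUInt16BE(wrappedKey.length, 0);
  return Buffer.concat([lengthPrefix, wrappedKey, body]);
}

// What the controller does with its private key. Throws when the label (scope)
// does not match or the GCM tag fails, so scope confusion and tampering surface as errors.
export function hybridDecrypt(privateKeyPem: string, sealed: Buffer, label: Buffer): Buffer {
  const wrappedLen = sealed.readUInt16BE(0);
  const wrappedKey = sealed.subarray(2, 2 + wrappedLen);
  const body = sealed.subarray(2 + wrappedLen);
  const sessionKey = crypto.privateDecrypt({ key: privateKeyPem, ...RSA_OAEP, oaepLabel: label }, wrappedKey);
  const gcm = crypto.createDecipheriv("aes-256-gcm", sessionKey, GCM_NONCE);
  gcm.setAuthTag(body.subarray(body.length - GCM_TAG_LEN));
  return Buffer.concat([gcm.update(body.subarray(0, body.length - GCM_TAG_LEN)), gcm.final()]);
}

// The SealedSecret object a client would POST. The two scope annotations are the
// upstream controller's; the rest of the shape is constructed for this example.
export function sealedSecretManifest(
  publicKeyPem: string, name: string, namespace: string, scope: Scope, data: Record<string, string>,
) {
  const label = encryptionLabel(namespace, name, scope);
  const encryptedData: Record<string, string> = {};
  for (const key of Object.keys(data)) {
    encryptedData[key] = hybridEncrypt(publicKeyPem, Buffer.from(data[key], "utf8"), label).toString("base64");
  }
  const annotations: Record<string, string> = {};
  if (scope === "namespace-wide") annotations["sealedsecrets.bitnami.com/namespace-wide"] = "true";
  if (scope === "cluster-wide") annotations["sealedsecrets.bitnami.com/cluster-wide"] = "true";
  return {
    apiVersion: "bitnami.com/v1alpha1",
    kind: "SealedSecret",
    metadata: { name, namespace, annotations },
    spec: { encryptedData, template: { metadata: { name, namespace } } },
  };
}

// Stand-in for the controller's sealing key pair. The real controller keeps the
// private key in-cluster and publishes only the certificate; 2048 bits keeps the example fast.
export function demoKeyPair(): { publicKey: string; privateKey: string } {
  return crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
}
```

Two checks are worth running against this: decrypting with the label for a different namespace must fail at the RSA-OAEP step, and flipping any byte of the ciphertext must fail at the GCM tag. Both are what make the scoping modes and the "only encrypted data is sent" claim meaningful in practice.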
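The SelfSubjectAccessReview probing behind the RBAC-aware UI, as an added example that is not the plugin's code. The capability names, the particular set of checks and the `fakeReviewer` that stands in for the API server are assumptions for illustration; a real implementation would POST each review to `/apis/authorization.k8s.io/v1/selfsubjectaccessreviews` and read back `status`. The point the example makes is the fail-closed rule: an action is shown only on a clean `allowed: true`, and an explicit `denied`, an `evaluationError`, or a failed request all hide it.

```typescript
// Minimal typings for the parts of authorization.k8s.io/v1 used here.
export interface ResourceAttributes {
  group: string;      // "" for the core API group
  resource: string;
  verb: string;
  namespace?: string;
  name?: string;
}

export interface SelfSubjectAccessReview {
  apiVersion: "authorization.k8s.io/v1";
  kind: "SelfSubjectAccessReview";
  spec: { resourceAttributes: ResourceAttributes };
}

export interface AccessReviewStatus {
  allowed: boolean;
  denied?: boolean;          // explicit denial, e.g. from a webhook authorizer
  reason?: string;
  evaluationError?: string;  // the authorizer could not evaluate; must not be read as "allowed"
}

// Whatever submits the review. Real code would POST it to the API server and
// return the status; it is synchronous here so the example runs offline.
export type Reviewer = (review: SelfSubjectAccessReview) => AccessReviewStatus;

export function buildReview(attrs: ResourceAttributes): SelfSubjectAccessReview {
  return { apiVersion: "authorization.k8s.io/v1", kind: "SelfSubjectAccessReview", spec: { resourceAttributes: attrs } };
}

// Checks a Sealed Secrets UI plausibly needs (the names and the set are assumptions for this example).
export const REQUIRED_CHECKS = {
  listSealedSecrets:  { group: "bitnami.com", resource: "sealedsecrets", verb: "list" },
  createSealedSecret: { group: "bitnami.com", resource: "sealedsecrets", verb: "create" },
  deleteSealedSecret: { group: "bitnami.com", resource: "sealedsecrets", verb: "delete" },
  readUnsealedSecret: { group: "",            resource: "secrets",       verb: "get" },
} as const;

export type Capability = keyof typeof REQUIRED_CHECKS;
export type Capabilities = Record<Capability, boolean>;

// Fail closed: anything other than a clean `allowed: true` hides the action.
export function isAllowed(status: AccessReviewStatus): boolean {
  return status.allowed === true && status.denied !== true && !status.evaluationError;
}

export function probeCapabilities(namespace: string, review: Reviewer): Capabilities {
  const caps = {} as Capabilities;
  for (const cap of Object.keys(REQUIRED_CHECKS) as Capability[]) {
    try {
      caps[cap] = isAllowed(review(buildReview({ ...REQUIRED_CHECKS[cap], namespace })));
    } catch {
      caps[cap] = false; // the review request itself failed (network, 5xx): treat as denied
    }
  }
  return caps;
}

// Constructed stand-in for the API server: allows exactly the rules given, and
// optionally simulates an authorizer failure for one resource.
export function fakeReviewer(rules: ResourceAttributes[], failOnResource?: string): Reviewer {
  return (r) => {
    const a = r.spec.resourceAttributes;
    if (failOnResource && a.resource === failOnResource) {
      return { allowed: false, evaluationError: "authorizer timeout" };
    }
    const matched = rules.some(
      (rule) => rule.group === a.group && rule.resource === a.resource && rule.verb === a.verb &&
        (rule.namespace === undefined || rule.namespace === a.namespace),
    );
    return matched ? { allowed: true } : { allowed: false, reason: "no RBAC rule matched" };
  };
}
```

Because the reviewer is injected, the same `probeCapabilities` can be driven by a real API client in the plugin and by a static rule table in tests, which is how the namespace-scoped and error cases below are exercised without a cluster.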