Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin

Headlamp plugin for managing Bitnami Sealed Secrets with client-side encryption
https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin

bitnami cncf dashboard encryption headlamp headlamp-plugin k8s kubernetes platform-engineering sealed-secrets

Last synced: about 2 months ago
JSON representation

Headlamp plugin for managing Bitnami Sealed Secrets with client-side encryption

Awesome Lists containing this project

README 

          
# Headlamp Sealed Secrets Plugin



[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/package/headlamp/sealed-secrets/sealed-secrets)](https://artifacthub.io/packages/headlamp/sealed-secrets/sealed-secrets)

[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)

[![GitHub release](https://img.shields.io/github/v/release/privilegedescalation/headlamp-sealed-secrets-plugin)](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases)

[![GitHub issues](https://img.shields.io/github/issues/privilegedescalation/headlamp-sealed-secrets-plugin)](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/issues)

[![Test Coverage](https://img.shields.io/badge/coverage-92%25-brightgreen)](docs/development/testing.md)

[![TypeScript](https://img.shields.io/badge/TypeScript-5.6.2-blue)](https://www.typescriptlang.org/)



A comprehensive [Headlamp](https://headlamp.dev) plugin for managing [Bitnami Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) with **client-side encryption** and **RBAC-aware UI**.



## Features



- Client-side encryption using RSA-OAEP + AES-256-GCM

- List, view, create, and manage SealedSecrets

- View and download sealing key certificates

- Decrypt sealed values (requires RBAC permissions)

- RBAC-aware UI adapts to user permissions

- Support for all three scoping modes (strict, namespace-wide, cluster-wide)

- Type-safe implementation with branded types

- 92% test coverage



## Quick Start



### Installation



Browse the Headlamp Plugin Manager (Settings → Plugins → Catalog) and install **sealed-secrets** directly.



### First Secret



```bash

# 1. Install Sealed Secrets controller (if not already installed)

kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml



# 2. In Headlamp UI:

#    - Navigate to "Sealed Secrets" in sidebar

#    - Click "Create Sealed Secret"

#    - Fill in name, namespace, and secret data

#    - Click "Create"



# 3. Verify the secret was created

kubectl get sealedsecret -A

kubectl get secret  -n 

```



## Documentation



### Getting Started

- **[Installation Guide](docs/getting-started/installation.md)** - Multiple installation methods (macOS, Linux, Windows)

- **[Quick Start Tutorial](docs/getting-started/quick-start.md)** - Create your first sealed secret



### User Guides

- **[Scopes Explained](docs/user-guide/scopes-explained.md)** - Strict vs namespace-wide vs cluster-wide

- **[RBAC Permissions](docs/user-guide/rbac-permissions.md)** - Configure access control



### Tutorials

- **[CI/CD Integration](docs/tutorials/ci-cd-integration.md)** - GitHub Actions, GitLab CI, Jenkins



### Reference

- **[Troubleshooting](docs/troubleshooting/)** - Common issues and solutions

- **[API Reference](docs/api-reference/generated/)** - Auto-generated TypeScript docs

- **[Architecture ADRs](docs/architecture/adr/)** - Design decisions and rationale

- **[Development Guide](docs/development/workflow.md)** - Contributing and testing



## Prerequisites



- **Headlamp** v0.13.0 or later

- **Sealed Secrets controller** in your cluster:

  ```bash

  kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml

  ```

- **kubectl** access with appropriate RBAC permissions



## Architecture



```

src/

├── index.tsx              # Plugin entry point

├── types.ts               # Branded types, Result type, interfaces

├── hooks/                 # Custom React hooks (controller health, RBAC, encryption)

├── lib/                   # Utility library (CRD, crypto, controller, RBAC, retry, validators)

└── components/            # React components (list, detail, dialogs, settings)

```



The plugin uses custom hooks and a utility library instead of a single data context provider. Client-side encryption is handled entirely in the browser via `node-forge` (RSA-OAEP + AES-256-GCM).



### System Diagram



```

┌─────────────┐

│   Headlamp  │

│   Browser   │

└──────┬──────┘


       ├─ Client-Side Encryption (node-forge)

       │  └─ RSA-OAEP + AES-256-GCM


       ├─ Headlamp Plugin

       │  ├─ React Components (WCAG 2.1 AA)

       │  ├─ Type-Safe API (Result types)

       │  ├─ RBAC Integration

       │  └─ Health Monitoring



┌──────────────────┐

│  Kubernetes API  │

└─────────┬────────┘



┌──────────────────┐

│ Sealed Secrets   │

│   Controller     │

└──────────────────┘

```



## Security



### How It Works



The plugin encrypts secrets client-side before sending them to Kubernetes:



1. User enters plaintext values in the browser

2. Plugin fetches controller's public certificate

3. Values are encrypted using RSA-OAEP + AES-256-GCM

4. Only encrypted data is sent to Kubernetes

5. Controller decrypts and creates the Secret



Plaintext values never leave your browser.



### Security Features



| Feature | Implementation | Purpose |

|---------|----------------|---------|

| **Client-Side Encryption** | RSA-OAEP + AES-256-GCM | Plaintext never transmitted |

| **Branded Types** | TypeScript compile-time checks | Prevent mixing plaintext/encrypted |

| **Certificate Validation** | PEM parsing + expiry checks | Ensure valid encryption keys |

| **RBAC Integration** | SelfSubjectAccessReview API | Permission-aware UI |

| **Input Validation** | Kubernetes DNS-1123 format | Prevent invalid resources |

| **Retry Logic** | Exponential backoff + jitter | Resilient against transient failures |



### Threat Model



| Threat | Mitigation | Status |

|--------|-----------|--------|

| Man-in-the-middle | Client-side encryption | ✅ Protected |

| Network sniffing | No plaintext on network | ✅ Protected |

| Compromised proxy | Only sees encrypted data | ✅ Protected |

| Browser XSS | Headlamp CSP policies | ⚠️ Standard web security |

| Supply chain | Package locks, dependabot | ⚠️ Ongoing monitoring |



See: [ADR 003: Client-Side Encryption](docs/architecture/adr/003-client-side-crypto.md)



## Technical Details



### Code Quality Metrics



| Metric | Value | Notes |

|--------|-------|-------|

| **Test Coverage** | 92% | Unit + integration tests |

| **TypeScript** | 5.6.2 strict mode | Zero type errors |

| **Dependencies** | node-forge (crypto) | Minimal, audited dependencies |



### Technology Stack



- **Language**: TypeScript 5.6.2 (strict mode)

- **UI Framework**: React 18 with hooks

- **Crypto Library**: node-forge (RSA-OAEP + AES-256-GCM)

- **Testing**: Vitest + React Testing Library

- **Linting**: ESLint + Prettier

- **Build Tool**: Headlamp plugin SDK



### Architecture



- **Result Types**: Type-safe error handling ([ADR 001](docs/architecture/adr/001-result-types.md))

- **Branded Types**: Compile-time type safety ([ADR 002](docs/architecture/adr/002-branded-types.md))

- **Custom Hooks**: Separated business logic ([ADR 005](docs/architecture/adr/005-react-hooks-extraction.md))

- **RBAC Integration**: Permission-aware UI ([ADR 004](docs/architecture/adr/004-rbac-integration.md))



See: [Architecture Decision Records](docs/architecture/adr/) for detailed design rationale



## Contributing



We welcome contributions.



### Quick Start for Contributors



```bash

# 1. Fork and clone

git clone https://github.com/YOUR_USERNAME/headlamp-sealed-secrets-plugin

cd headlamp-sealed-secrets-plugin



# 2. Install dependencies

npm install



# 3. Start development (hot reload)

npm start



# 4. Run tests

npm test



# 5. Lint and type-check

npm run lint

npm run tsc

```



### Contribution Areas



| Area | What We Need | Good First Issue |

|------|-------------|------------------|

| **Documentation** | Tutorials, guides, examples | ✅ Yes |

| **Testing** | More test coverage, edge cases | ✅ Yes |

| **Features** | Bulk operations, secret templates | ⚠️ Discuss first |

| **Bug Fixes** | See [open issues](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/issues) | ✅ Yes |

| **Accessibility** | ARIA improvements, keyboard nav | ✅ Yes |

| **Translations** | i18n support (future) | 📅 Planned |



### Before Submitting



- [ ] Read [Development Guide](docs/development/workflow.md)

- [ ] Tests pass (`npm test`)

- [ ] Lint passes (`npm run lint`)

- [ ] TypeScript compiles (`npm run tsc`)

- [ ] Documentation updated (if applicable)

- [ ] Changelog updated (if user-facing change)



See: [Development Workflow](docs/development/workflow.md) | [Testing Guide](docs/development/testing.md)



## Changelog



See [CHANGELOG.md](CHANGELOG.md) for version history.



See [CHANGELOG.md](CHANGELOG.md) for details on each release.



## Issues & Support



### Need Help?



1. ** Check Documentation First**

   - [Troubleshooting Guide](docs/troubleshooting/) - Common issues and solutions

   - [User Guide](docs/user-guide/) - Feature documentation

   - [API Reference](docs/api-reference/generated/) - TypeScript API docs



2. **🔍 Search Existing Issues**

   - [Open Issues](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/issues)

   - [Closed Issues](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/issues?q=is%3Aissue+is%3Aclosed)



3. ** Ask the Community**

   - [GitHub Discussions](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/discussions)



4. ** Report a Bug**

   - [Create New Issue](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/issues/new)

   - Include: Plugin version, Headlamp version, error messages, steps to reproduce



### Common Issues



| Issue | Quick Fix | Guide |

|-------|-----------|-------|

| Plugin not loading | Check installation path | [Installation](docs/getting-started/installation.md) |

| Controller not found | Install controller | [Troubleshooting](docs/troubleshooting/) |

| Permission denied | Configure RBAC | [RBAC Permissions](docs/user-guide/rbac-permissions.md) |

| Encryption fails | Check certificate | [Troubleshooting](docs/troubleshooting/) |



## License



Apache License 2.0 - see [LICENSE](LICENSE) for details.



## Credits



Built with:

- [Headlamp](https://headlamp.dev) - Kubernetes UI

- [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) - Encryption controller

- [node-forge](https://github.com/digitalbazaar/forge) - Cryptography library



## Links



### Project Resources

- **[Releases](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases)** - Download plugin

-  **[Documentation](docs/README.md)** - Complete docs

-  **[Issues](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/issues)** - Bug reports

-  **[Discussions](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/discussions)** - Q&A

-  **[Changelog](CHANGELOG.md)** - Version history



### External Resources

- **[Headlamp](https://headlamp.dev)** - Kubernetes UI framework

- **[Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)** - Encryption controller

- **[kubeseal CLI](https://github.com/bitnami-labs/sealed-secrets#installation)** - Command-line tool

- **[Kubernetes RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)** - Access control



# Test runner