kubeseal

Official · Bitnami

Kubernetes CLI for sealing Secret manifests into encrypted SealedSecret resources for GitOps workflows.

$ brew install kubeseal
Language: Go
Stars: 8,950
Category: Security
Agent
Ready
Agent Compatibility
JSON Output
Agent Skill
MCP Support
AI Analysis

kubeseal is the client CLI for Sealed Secrets, turning Kubernetes Secret manifests or raw secret values into SealedSecret resources that only the target cluster's controller can decrypt. It is mainly a GitOps packaging tool for getting secret material into git safely, not a general secret manager.

What It Enables
  • Encrypt Secret manifests into SealedSecret JSON or YAML that can be committed to git and later applied to a cluster without exposing the plaintext secret.
  • Fetch the controller certificate, seal individual raw values, and merge new encrypted keys into an existing SealedSecret without needing the other cleartext values again.
  • Validate sealed secrets against the cluster, re-encrypt them to the latest sealing key, and recovery-unseal them from backed-up private keys during disaster recovery.
Agent Fit
  • The CLI is non-interactive by default, works well with stdin and stdout, and exposes explicit flags that fit cleanly into kubectl, CI, and GitOps pipelines.
  • Default JSON output and optional YAML output make the generated SealedSecret resources easy to pass to follow-up shell steps, even though the tool is more about manifest generation than rich inspection.
  • Best used as a narrow action primitive inside skills that prepare manifests, rotate sealing keys, or verify sealed secrets before commit or deploy.
Caveats
  • Most workflows depend on access to the Sealed Secrets controller or a previously fetched certificate, and custom controller names or namespaces need matching flags or environment variables.
  • Name, namespace, and sealing scope are part of the encryption model, so automation has to keep those values consistent, especially in raw mode.