A kubeseal companion CLI - decrypt, export, and encrypt Kubernetes Secrets with automatic binary management
Project description
kseal
A kubeseal companion CLI for viewing, exporting, and encrypting Kubernetes Secrets.
Installation
pipx install kseal
Requirements
- Python 3.12+
- Kubernetes cluster access
- Sealed Secrets controller installed in cluster
Quick Start
# View a decrypted secret
kseal cat secrets/app.yaml
# Export all secrets to files
kseal export --all
# Encrypt a plaintext secret
kseal encrypt secret.yaml -o sealed.yaml
Commands
kseal cat
View decrypted secret contents with syntax highlighting.
kseal cat path/to/sealed-secret.yaml
kseal cat sealed.yaml --no-color
kseal export
Export decrypted secrets to files.
# Single file
kseal export sealed.yaml
kseal export sealed.yaml -o output.yaml
# All local SealedSecrets
kseal export --all
# All secrets from cluster
kseal export --all --from-cluster
Default output: .unsealed/<original-path> or .unsealed/<namespace>/<name>.yaml
kseal encrypt
Encrypt plaintext secrets using kubeseal.
# To stdout
kseal encrypt secret.yaml
# To file
kseal encrypt secret.yaml -o sealed.yaml
# Replace original
kseal encrypt secret.yaml --replace
kseal init
Create a configuration file with the latest kubeseal version pinned.
kseal init
kseal init --force # Overwrite existing
kseal version
Manage kubeseal binary versions.
# List downloaded versions
kseal version list
# Download the latest version
kseal version update
# Set global default version
kseal version set 0.27.0
# Clear default (use highest downloaded)
kseal version set --clear
Configuration
Configuration priority: Environment variables > .kseal-config.yaml > Global settings
| Option | Environment Variable | Default |
|---|---|---|
version |
KSEAL_VERSION |
Global default or highest downloaded |
controller_name |
KSEAL_CONTROLLER_NAME |
sealed-secrets |
controller_namespace |
KSEAL_CONTROLLER_NAMESPACE |
sealed-secrets |
unsealed_dir |
KSEAL_UNSEALED_DIR |
.unsealed |
Example config file
# .kseal-config.yaml
version: "0.27.0"
controller_name: sealed-secrets
controller_namespace: kube-system
unsealed_dir: .secrets
Version Management
kseal automatically manages kubeseal binary versions:
- Binaries are stored at
~/.local/share/kseal/kubeseal-<version> - Each project can pin a specific version in
.kseal-config.yaml - Global settings are stored in
~/.local/share/kseal/settings.yaml
Version resolution order:
- Project config version (
.kseal-config.yaml) - Global default version (
kseal version set) - Highest downloaded version
- Fetch latest from GitHub (first run only)
Security
- Add
.unsealed/to your.gitignore - Never commit plaintext secrets to version control
- Requires cluster access to decrypt secrets
Contributing
git clone https://github.com/eznix86/kseal.git
cd kseal
uv sync
# Run tests
make test
# Run linter
make lint
License
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file kseal-1.0.0.tar.gz.
File metadata
- Download URL: kseal-1.0.0.tar.gz
- Upload date:
- Size: 51.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.9.17 {"installer":{"name":"uv","version":"0.9.17","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
735e23d543da90ab25d9761d1d73963e8146ce33d6f3481b7210fda8270e8993
|
|
| MD5 |
a6342ee6333caa5d941493dd16f3e377
|
|
| BLAKE2b-256 |
e3f3b559aa55a5bafe89a5c3467954d64e9b35adced34dd7bef60a52a77c2a3a
|
File details
Details for the file kseal-1.0.0-py3-none-any.whl.
File metadata
- Download URL: kseal-1.0.0-py3-none-any.whl
- Upload date:
- Size: 16.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.9.17 {"installer":{"name":"uv","version":"0.9.17","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
503a1dcc9c605c5352a1c54e684bea6b522f9d9f62a0e2f022f0514051d91019
|
|
| MD5 |
1f6d84ccb52a617b318be0d3dddb1449
|
|
| BLAKE2b-256 |
6977e93bb8cb30e9011dd7ffde5158f24bac5c79601ca28e3eaeb96ac34e468e
|
