kryptos — Secret-Sealing CLI/TUI
A from-scratch Go tool that turns declarative YAML secret configs into Kubernetes SealedSecrets. A cobra CLI plus a charm/huh TUI, with a two-pass derive engine, value generators, and a JSON schema for editor autocomplete — built to gate CI without cluster access.
View Code on GitHubSeal pipeline
kryptos started as a way to stop hand-running kubeseal and grew into a repo-agnostic tool: a small TOML file points it at any GitOps repo’s config tree and output layout. It reads a declarative config describing which secrets exist and how to produce them, resolves the values, seals them, and writes SealedSecrets ready to commit.
Configs declare intent, not material
Each application gets a YAML config listing its secrets, their keys, and how
each value comes to be — a generator keyword (secure, strong, apikey,
passphrase), a derived field, or an externally supplied value. A published
JSON schema gives editors autocomplete and validation while writing them. No
config ever contains a credential.
Deterministic value resolution
Non-interactive runs resolve every value through an explicit precedence chain:
command-line --set beats a values file, which beats an environment variable,
which beats the generator, which beats the default. Derived fields — htpasswd
entries, JWT/HMAC material, self-signed TLS, SSH keypairs, rendered Go
templates — evaluate in two passes, so a template can reference another
derived value without fragile ordering rules.
Built to gate CI
validate checks every config against the schema, audit detects drift
between configs and the sealed files in the GitOps tree, and diff previews
exactly which keys a reseal would change — all offline, with no cluster
access. That makes secret hygiene a pipeline gate instead of a convention.
The tool itself releases through goreleaser on auto-cut SemVer tags, with a
Makefile installer that fetches and checksum-verifies the right binary.
Key Technical Highlights
- Full-lifecycle CLI + TUI: An interactive TUI plus seal, rotate, validate, audit, diff, layout, and dry-run — covering the full secret lifecycle from generation to drift detection.
- Two-pass derive engine: Eight derive types (htpasswd, cluster_secret, render, jwt/hmac, tls, ssh_keypair, file) resolve in two passes so a derived value can consume another derived value in a template.
- Generators, not literals: Value keywords (secure, strong, apikey, passphrase) mean secrets are generated, never pasted — the config declares intent, the tool produces the material.
- CI-gating without a cluster: validate, diff, and audit run against the config and the sealed output offline, so a pipeline can catch secret drift before anything reaches the cluster. Released via goreleaser + auto-tags.