All projects

kryptos — Secret-Sealing CLI/TUI

GoKubernetesSecurityCLITUI

A from-scratch Go tool that turns declarative YAML secret configs into Kubernetes SealedSecrets. A cobra CLI plus a charm/huh TUI, with a two-pass derive engine, value generators, and a JSON schema for editor autocomplete — built to gate CI without cluster access.

View Code on GitHub

Seal pipeline

Diagram: Seal pipeline

kryptos started as a way to stop hand-running kubeseal and grew into a repo-agnostic tool: a small TOML file points it at any GitOps repo’s config tree and output layout. It reads a declarative config describing which secrets exist and how to produce them, resolves the values, seals them, and writes SealedSecrets ready to commit.

Configs declare intent, not material

Each application gets a YAML config listing its secrets, their keys, and how each value comes to be — a generator keyword (secure, strong, apikey, passphrase), a derived field, or an externally supplied value. A published JSON schema gives editors autocomplete and validation while writing them. No config ever contains a credential.

Deterministic value resolution

Non-interactive runs resolve every value through an explicit precedence chain: command-line --set beats a values file, which beats an environment variable, which beats the generator, which beats the default. Derived fields — htpasswd entries, JWT/HMAC material, self-signed TLS, SSH keypairs, rendered Go templates — evaluate in two passes, so a template can reference another derived value without fragile ordering rules.

Built to gate CI

validate checks every config against the schema, audit detects drift between configs and the sealed files in the GitOps tree, and diff previews exactly which keys a reseal would change — all offline, with no cluster access. That makes secret hygiene a pipeline gate instead of a convention. The tool itself releases through goreleaser on auto-cut SemVer tags, with a Makefile installer that fetches and checksum-verifies the right binary.

Key Technical Highlights

  • Full-lifecycle CLI + TUI: An interactive TUI plus seal, rotate, validate, audit, diff, layout, and dry-run — covering the full secret lifecycle from generation to drift detection.
  • Two-pass derive engine: Eight derive types (htpasswd, cluster_secret, render, jwt/hmac, tls, ssh_keypair, file) resolve in two passes so a derived value can consume another derived value in a template.
  • Generators, not literals: Value keywords (secure, strong, apikey, passphrase) mean secrets are generated, never pasted — the config declares intent, the tool produces the material.
  • CI-gating without a cluster: validate, diff, and audit run against the config and the sealed output offline, so a pipeline can catch secret drift before anything reaches the cluster. Released via goreleaser + auto-tags.

Value resolution and the two-pass derive engine

Diagram: Value resolution and the two-pass derive engine
Explicit flags win over files, files over environment, environment over generators; derives run twice so templates can consume other derives.

Technologies

Gocobracharm/huhSealedSecretsJSON Schemagoreleaser