From 6b3e84f46519c0099ea72c7603f8f2ee245e4639 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sun, 8 Mar 2026 19:49:48 +0000
Subject: [PATCH] deploy Sealed Secrets controller for encrypted secret management

Adds Sealed Secrets (Bitnami) to the platform stack so cluster users can encrypt secrets with a public key and commit SealedSecret YAMLs to git. The in-cluster controller decrypts them into regular K8s Secrets.

- New module: sealed-secrets (namespace + Helm chart v2.18.3, cluster tier)
- k8s-portal setup script: adds kubeseal CLI install for Linux and Mac
---
 stacks/platform/main.tf | 8 ++++
 .../files/src/routes/setup/script/+server.ts | 22 +++++++++
 .../platform/modules/sealed-secrets/main.tf | 46 +++++++++++++++++++
 3 files changed, 76 insertions(+)
 create mode 100644 stacks/platform/modules/sealed-secrets/main.tf

diff --git a/stacks/platform/main.tf b/stacks/platform/main.tf
index 9da650fd..3431851c 100644
--- a/stacks/platform/main.tf
+++ b/stacks/platform/main.tf
@@ -432,6 +432,14 @@ module "cnpg" {
 tier = local.tiers.cluster
 }
 
+# -----------------------------------------------------------------------------
+# Sealed Secrets — encrypts secrets for safe git storage
+# -----------------------------------------------------------------------------
+module "sealed-secrets" {
+ source = "./modules/sealed-secrets"
+ tier = local.tiers.cluster
+}
+
 # -----------------------------------------------------------------------------
 # NVIDIA — GPU device plugin
 # -----------------------------------------------------------------------------
diff --git a/stacks/platform/modules/k8s-portal/files/src/routes/setup/script/+server.ts b/stacks/platform/modules/k8s-portal/files/src/routes/setup/script/+server.ts
index 696ab6dc..0f1b18e7 100644
--- a/stacks/platform/modules/k8s-portal/files/src/routes/setup/script/+server.ts
+++ b/stacks/platform/modules/k8s-portal/files/src/routes/setup/script/+server.ts
@@ -92,6 +92,19 @@ else
 echo "[OK] kubelogin installed"
 fi
 
+# Install kubeseal
+if command -v kubeseal &>/dev/null; then
+ echo "[OK] kubeseal already installed"
+else
+ echo "[..] Installing kubeseal..."
+ KUBESEAL_VERSION=\$(curl -fsSL -o /dev/null -w "%{url_effective}" https://github.com/bitnami-labs/sealed-secrets/releases/latest | grep -o '[^/]*\$')
+ curl -fsSLO "https://github.com/bitnami-labs/sealed-secrets/releases/download/\${KUBESEAL_VERSION}/kubeseal-\${KUBESEAL_VERSION#v}-linux-amd64.tar.gz"
+ tar -xzf "kubeseal-\${KUBESEAL_VERSION#v}-linux-amd64.tar.gz" kubeseal
+ \$SUDO mv kubeseal "\$INSTALL_DIR/"
+ rm -f "kubeseal-\${KUBESEAL_VERSION#v}-linux-amd64.tar.gz"
+ echo "[OK] kubeseal installed"
+fi
+
 # Write kubeconfig
 mkdir -p ~/.kube
 cat > ~/.kube/config-home << 'KUBECONFIG_EOF'
@@ -146,6 +159,15 @@ else
 echo "[OK] kubelogin installed"
 fi
 
+# Install kubeseal
+if command -v kubeseal &>/dev/null; then
+ echo "[OK] kubeseal already installed"
+else
+ echo "[..] Installing kubeseal..."
+ brew install kubeseal
+ echo "[OK] kubeseal installed"
+fi
+
 # Write kubeconfig
 mkdir -p ~/.kube
 cat > ~/.kube/config-home << 'KUBECONFIG_EOF'
diff --git a/stacks/platform/modules/sealed-secrets/main.tf b/stacks/platform/modules/sealed-secrets/main.tf
new file mode 100644
index 00000000..aa9965d9
--- /dev/null
+++ b/stacks/platform/modules/sealed-secrets/main.tf
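Review bot: The Linux install in the first hunk downloads and installs a release binary with no integrity check and takes its version from the floating `releases/latest` redirect, so a replaced or tampered asset is installed silently and two runs of the script can install different kubeseal builds; since this is the tool users will trust to encrypt cluster secrets, the tarball should be verified against the sha256 checksums file the project publishes alongside each release before it is moved into `$INSTALL_DIR`, and ideally the version should be pinned to match the controller the platform deploys. The version lookup also has no guard: if the curl/grep pipeline yields an empty `KUBESEAL_VERSION`, the later commands run with a malformed URL and the name `kubeseal--linux-amd64.tar.gz`, and the failure surfaces only as a confusing tar/mv error. The asset name hard-codes `linux-amd64`, so arm64 Linux hosts get the wrong binary, while the Mac hunk's `brew install kubeseal` will track whatever Homebrew ships rather than a version chosen here (worth a comment on each). A guarded, checksum-verified download into a temp dir covers all of this; the lines below sit inside the script template literal, so the `\$` escapes are kept, and the checksums asset name is a placeholder to fill from the release page.

```typescript
 echo "[..] Installing kubeseal..."
 KUBESEAL_VERSION=\$(curl -fsSL -o /dev/null -w "%{url_effective}" https://github.com/bitnami-labs/sealed-secrets/releases/latest | grep -o '[^/]*\$')
 [ -n "\$KUBESEAL_VERSION" ] || { echo "[ERR] could not resolve kubeseal version"; exit 1; }
 case "\$(uname -m)" in x86_64) KUBESEAL_ARCH=amd64 ;; aarch64|arm64) KUBESEAL_ARCH=arm64 ;; *) echo "[ERR] unsupported architecture: \$(uname -m)"; exit 1 ;; esac
 KUBESEAL_TGZ="kubeseal-\${KUBESEAL_VERSION#v}-linux-\${KUBESEAL_ARCH}.tar.gz"
 KUBESEAL_TMP=\$(mktemp -d)
 curl -fsSL -o "\$KUBESEAL_TMP/\$KUBESEAL_TGZ" "https://github.com/bitnami-labs/sealed-secrets/releases/download/\${KUBESEAL_VERSION}/\$KUBESEAL_TGZ"
 # <CHECKSUMS_ASSET>: the sha256 checksums file attached to the same release
 curl -fsSL -o "\$KUBESEAL_TMP/checksums.txt" "https://github.com/bitnami-labs/sealed-secrets/releases/download/\${KUBESEAL_VERSION}/<CHECKSUMS_ASSET>"
 (cd "\$KUBESEAL_TMP" && grep " \$KUBESEAL_TGZ\$" checksums.txt | sha256sum -c -) || { echo "[ERR] kubeseal checksum verification failed"; exit 1; }
 tar -xzf "\$KUBESEAL_TMP/\$KUBESEAL_TGZ" -C "\$KUBESEAL_TMP" kubeseal
 \$SUDO mv "\$KUBESEAL_TMP/kubeseal" "\$INSTALL_DIR/"
 rm -rf "\$KUBESEAL_TMP"
 echo "[OK] kubeseal installed"
```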
@@ -0,0 +1,46 @@
+variable "tier" { type = string }
+
+# -----------------------------------------------------------------------------
+# Namespace
+# -----------------------------------------------------------------------------
+resource "kubernetes_namespace" "sealed_secrets" {
+ metadata {
+ name = "sealed-secrets"
+ labels = {
+ tier = var.tier
+ }
+ }
+}
+
+# -----------------------------------------------------------------------------
+# Sealed Secrets — encrypts secrets for safe git storage
+# https://github.com/bitnami-labs/sealed-secrets
+# -----------------------------------------------------------------------------
+resource "helm_release" "sealed_secrets" {
+ namespace = kubernetes_namespace.sealed_secrets.metadata[0].name
+ create_namespace = false
+ name = "sealed-secrets"
+ atomic = true
+ timeout = 300
+
+ repository = "https://bitnami-labs.github.io/sealed-secrets"
+ chart = "sealed-secrets"
+ version = "2.18.3"
+
+ values = [yamlencode({
+ crds = {
+ create = true
+ }
+
+ resources = {
+ requests = {
+ cpu = "50m"
+ memory = "64Mi"
+ }
+ limits = {
+ cpu = "250m"
+ memory = "256Mi"
+ }
+ }
+ })]
+}
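Review bot: Nothing in the new module addresses the lifecycle of the controller's sealing key, which is the one piece of state this whole feature depends on: as I understand the controller, the keypair is generated on first install and kept as a Secret in the `sealed-secrets` namespace created here, so a namespace or cluster rebuild leaves every SealedSecret committed to git undecryptable unless that key was backed up or re-supplied. Add a note above `helm_release.sealed_secrets` such as `# NOTE: the controller's sealing keypair is generated at first install and stored as a Secret in this namespace; it is not managed by Terraform — back it up (and restore it on rebuild) or committed SealedSecrets cannot be decrypted`, and point at the platform's backup mechanism if one exists. Separately, the kubeseal CLI that the setup script installs looks by default (as far as I recall) for a controller named `sealed-secrets-controller` in `kube-system`, whereas this release will name the controller after the release in the `sealed-secrets` namespace, so users will need `--controller-name`/`--controller-namespace` or the chart's `fullnameOverride`; the module should state which is intended. The pinned chart `version`, `crds.create = true` and the `resources` block look fine as written.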