kubeseal --fetch-cert: Seal Offline in CI
kubeseal --fetch-cert downloads the sealed-secrets controller public certificate so you can seal secrets offline with --cert.
CI runners often cannot reach the cluster API. Fetch the public cert once, store it, and seal with --cert so no live connection is needed.
What it does
kubeseal --fetch-cert connects to the sealed-secrets controller and prints its public certificate to stdout. That certificate is all kubeseal needs to encrypt, so saving it lets later kubeseal --cert calls run without any cluster access.
Common usage
# export the public cert once (it is not secret)
kubeseal --fetch-cert \
--controller-name sealed-secrets \
--controller-namespace sealed-secrets > pub-cert.pem
# seal offline in CI using the saved cert
kubeseal --cert pub-cert.pem --format yaml < secret.yaml > sealed.yamlOptions
| Flag | What it does |
|---|---|
| --fetch-cert | Print the controller public certificate |
| --cert <file|url> | Seal using a local or remote public cert (offline) |
| --controller-name <name> | Controller deployment name |
| --controller-namespace <ns> | Controller namespace |
In CI
The public certificate is not sensitive, so commit it or store it as a build artifact and seal with --cert in pipelines that have no kube access. Refresh the cert when the controller rotates its key (by default every 30 days, though existing keys are retained for decryption).
Common errors in CI
"error: cannot fetch certificate: Get ... connection refused" means no route to the controller; fetch the cert from a machine that can reach the cluster. "error: cannot get sealed secret service" means the --controller-name or namespace is wrong. Sealing with an outdated --cert still works as long as the controller kept the matching key.