
kubeseal-webgui's Introduction

Hi there 👋

I'm a cloud engineer and Kubernetes/OpenShift admin from Germany!

  • 🔭 I'm currently working on kubeseal-webgui

Connect with me:

_jaydee94_ | Twitter


Languages and Tools:

Visual Studio Code

HTML5

CSS3

Vue.js

Git

GitHub

Terminal

Python

Helm

Kubernetes


kubeseal-webgui's People

Contributors

cz4rny, datreeio[bot], dependabot[bot], fschumacher, jaydee94, renovate[bot], therealjsie, thomasvitt, uip9av6y


kubeseal-webgui's Issues

String generator to fill value

Hi,

An idea to improve it would be to add a string generator in the value fields:

For example :

  • Add a suffix button to generate string on click
  • Add a second suffix button to open a popup on click and configure the generator: length, character types, etc.

Unable to setup kubeseal-webgui using provided helm chart

I am trying to install the helm chart for kubeseal-webgui on the k8s cluster provided by Docker Desktop.

I followed the steps mentioned in the readme. Below is my values.yaml file.

I do have one doubt regarding api.url: is this default value okay? Do we need to expose this endpoint ourselves, or is it taken care of by the helm chart?

replicaCount: 1

annotations: {}

api:
  # The value of api.url should be set to the public-accessible http endpoint (ingress url or OpenShift route).
  # api.url will be generated into config.json ConfigMap of the UI. This statically served JSON file
  # is used by the UI to locate the API.
  url: http://localhost:8080
  image:
    repository: kubesealwebgui/api
    tag: 3.1.0
  environment: {}
ui:
  image:
    repository: kubesealwebgui/ui
    tag: 3.1.0
image:
  pullPolicy: Always

nameOverride: ""
fullnameOverride: ""

# Optionally setup a display name for your kubeseal-webgui instance.
displayName: ""

# Set this value to false if you already have a default serviceaccount who is allowed to list namespaces.
serviceaccount:
  create: false

# Setup resources for the pod
resources:
  limits:
    cpu: 100m
    memory: 256Mi
  requests:
    cpu: 20m
    memory: 256Mi

# Optionally use a OpenShift-Route
# If 'hostname' is an empty string (""), OpenShift will create a hostname for you.
route:
  enabled: false
  hostname: ""
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: None

sealedSecrets:
  autoFetchCert: false
  controllerName: sealed-secrets-controller
  controllerNamespace: kube-system
  ## Public Certificate of your Sealed-Secrets Controller.
  ## Login to your cluster with kubectl.
  ## Run kubeseal --fetch-cert --controller-name <your-sealed-secrets-controller> --controller-namespace <sealed-secrets-controller-namespace>
  ## Paste Cert as multiline YAML
  cert: |
    -----BEGIN CERTIFICATE-----
    MIIEzDCCArSgAwIBAgIQTu139c2EK+zC/rwU4DxhYzANBgkqhkiG9w0BAQsFADAA
    ............................................
    ...........................................
    -----END CERTIFICATE-----

Getting the below error on the UI and not able to list any namespace. I have also fetched the cert.pem from the kubeseal controller and provided the same in the values file as mentioned in the project. I have no clue what is wrong here.

encrypt multiple values and name the keys

It should be possible to dynamically add keys to encrypt into the form.
The Bootstrap form should be dynamic and have an "Add key" button.
All encrypted keys should be generated into the output HTML page as single encrypted values but also into a complete Kubernetes object.

App could not list namespace and encrypt

Describe the bug
After deploying using the helm chart I did port forwarding and the app could not list namespaces.

To Reproduce
Just deploy; no namespace appears in the list.

Expected behavior
Be able to list namespace


Add support for encrypting binary data

Add support for encrypting binary data in sealed secret objects.
Maybe an optional upload button for providing the content of a file like e.g. a java keystore that should be encrypted.

[Improvement] Don't use the Flask development server in production

Hi,

First off I think this project is really cool. I was thinking of building custom tooling on top of kubeseal until I found this app 🙂.

I don't think it's a great idea to run the Flask development server in production environments, see https://github.com/Jaydee94/kubeseal-webgui/blob/master/Dockerfile.api#L24 .

Some alternatives:

I could handle this task myself if you're interested.

TypeError: Failed to fetch

Hello,

First off, awesome project!

I've deployed it successfully on our OpenShift test environment (v4.9).

But when I'm trying the namespace dropdown I'm getting the following message:

Error while encoding sensitive data. Please contact your administrator and try again later.

Error message:
TypeError: Failed to fetch

serviceaccount.create is set to true.
I've checked that the (namespace list) ClusterRole and ClusterRoleBinding are active on the cluster
and the service account is attached to the pod(s).

Do you have any pointers on how to troubleshoot this? I'm not seeing pointers in pod logs or namespace events...

Missing spec.ingressClassName in Ingress

Describe the bug
The Ingress provided by this chart only supports setting the ingress class by annotation.
So, to select an ingress class, one needs to specify the annotation kubernetes.io/ingress.class.

But Kubernetes has deprecated this annotation,
cf. https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#deprecating-the-ingress-class-annotation

This annotation is replaced by spec.ingressClassName,
cf. https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress

Expected behavior

  • Add spec.ingressClassName in template ingress.yaml
  • Add a variable ingress.class in values.yaml to set this new spec

Add dockerignore file

Describe the bug
Currently every file from the repo gets copied when COPY is used. We can and should ignore quite a few of them, like __pycache__ dirs.

To Reproduce
Steps to reproduce the behavior:

  1. Build container
  2. Look for __pycache__ directories

Expected behavior
Those development files should not be part of the container image

Use a Python virtual env inside the API container

Describe the bug
When building the API container, we get a warning about not using a virtual env together with the root account:

WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

To Reproduce
Steps to reproduce the behavior:

  1. Go to the checked out source
  2. Build the API container by typing docker build -t api:latest -f Dockerfile.api .
  3. Search for the warning above

Expected behavior
No such warning should appear while building the container

Add dropdown field for selecting namespace

Add support for a dropdown field instead of typing the namespace name. The app should determine all namespaces from the current Kubernetes cluster and provide them as a dropdown field.

4.0.0 auto fetch doesn't work because of changed directory

Describe the bug
The fetch script moved with the new docker image to ${APP_HOME}/kubeseal-webgui/bin/kubeseal-fetch.sh.

The helm chart is referencing the script at /kubeseal-webgui/bin/kubeseal-fetch.sh, which doesn't exist anymore.

To Reproduce
Deploy the helm chart 4.0.0 with sealedSecrets.autoFetchCert: true

Expected behavior
Should reference the correct script

Logs
Error: failed to start container "fetch-cert": Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "exec: "/kubeseal-webgui/bin/kubeseal-fetch.sh": stat /kubeseal-webgui/bin/kubeseal-fetch.sh: no such file or directory": unknown

Include mock into origin python api with toggle

After we migrated to FastAPI, we can get rid of the mock. The dummy return values when not using Kubernetes can be returned by the original API by using a specific toggle (MOCK_ENABLED).
So we don't have to maintain multiple code bases.

Add dark mode

Optional dark Mode for the webgui.
Just for fun ☺️

Fetch certs not working

I have deployed kubeseal-webgui with the helm chart with autofetch set to true in the values.yaml.

But I got this error.

  Warning  Failed     16s (x3 over 36s)  kubelet            Error: failed to create containerd task: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "/kubeseal-webgui/bin/kubeseal-fetch.sh": permission denied: unknown

Display all rendered keys besides the complete SealedSecret object

When a secret is rendered we currently only display a complete SealedSecrets YAML object.
Sometimes you just need the value of a specific key.

We could display all rendered key-value pairs inside a collapsible section if a single value is needed. There we can also display a little copy button for comfortable usage 😉

Add option to use annotations

Thank you for the tool.
Great job!

Could we improve it by adding an annotation handler?

In fact Sealed Secrets encrypts not only data but also annotations. So adding an annotation on the SealedSecret object will not add it when unsealing it.
We have to add the annotation on the Secret resource first, and only then can we seal it in order to take the annotation into account.

Can we improve the GUI to let us add some annotations like:

sealedsecrets.bitnami.com/managed
sealedsecrets.bitnami.com/namespace-wide
sealedsecrets.bitnami.com/cluster-wide

Copy button didn't work

Describe the bug
After sealing the key and value I click the copy button but it doesn't work.

To Reproduce
Steps to reproduce the behavior:

  1. Seal key and value pairs
  2. Click on Encrypt
  3. Click on Copy
  4. See error

Expected behavior
Copy button works


Add support for user impersonation

Users request the namespaces from the kubeseal-webui API,
which in turn accesses the Kubernetes API using a service
account.
Given that the role associated with the service account has
no restrictions on which namespaces it can see, all available
namespaces are returned. Therefore a user can see all namespaces
even when they themselves have no access to them.

Kubernetes supports impersonating users when performing
requests against its API, which would allow the kubeseal-webui
API to limit its namespace result to the namespaces relevant
to the current user.

Currently kubeseal-webui has no concept of users and/or groups.
This information however can be passed on, e.g. via headers.

Proposal

Add support for reading user information from request headers,
and use it to dispatch impersonated Kubernetes API requests.

We have deployed kubeseal-webui behind a reverse proxy which
performs user authentication and can forward the authentication
information via headers (e.g. X-Forwarded-User).

Given that the impersonation support in the Python library
is limited, I would suggest limiting impersonation to
users for now (as opposed to users and groups).

This feature must be explicitly enabled by admins in environments
where the authentication information can be trusted; otherwise
users can make requests with rogue authentication headers:

  • enable_impersonation (default: false)
    use provided user information and dispatch kubernetes
    requests with impersonation information
  • impersonation_user_header (default: X-Forwarded-User)
    incoming header to look for user information. if empty/not
    set, downstream requests to the kubernetes API will not
    be made just as before (i.e. without any impersonation data)

The role resource must also be adjusted to include the
impersonation permission (must also be explicitly enabled):

- apiGroups: [""]
  resources: ["users"]
  verbs: ["impersonate"]
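The gating logic described in this proposal, written out as an added example (this is not kubeseal-webgui code): the two settings names mirror the proposal, the outgoing header name Impersonate-User is the one the Kubernetes API server reads, and the namespace lister is a constructed stub standing in for the real API call, with a hypothetical per-user allow set playing the role of the cluster's RBAC decision. The point it demonstrates is that with enable_impersonation off, a client-supplied X-Forwarded-User is ignored entirely, so the header only becomes meaningful once an admin has decided the proxy in front of the API can be trusted.

```python
"""Header-based user impersonation gate (added example, not project code)."""
from dataclasses import dataclass
from typing import Dict, List, Mapping, Set


@dataclass(frozen=True)
class ImpersonationSettings:
    # Names follow the proposal in the issue; defaults match it too.
    enable_impersonation: bool = False
    impersonation_user_header: str = "X-Forwarded-User"


def impersonation_headers(settings: ImpersonationSettings,
                          request_headers: Mapping[str, str]) -> Dict[str, str]:
    """Extra headers to attach to the downstream Kubernetes API request.

    An empty dict means "no impersonation", i.e. the request goes out under
    the service account exactly as before. That happens when the feature is
    disabled (so a rogue header from an untrusted client has no effect), when
    the configured header name is empty, or when the proxy sent no user.
    """
    if not settings.enable_impersonation:
        return {}
    header_name = settings.impersonation_user_header.strip()
    if not header_name:
        return {}
    # HTTP header names are case-insensitive; match accordingly.
    user = next((value for key, value in request_headers.items()
                 if key.lower() == header_name.lower()), "")
    user = user.strip()
    if not user:
        return {}
    # Impersonate-User is the header the Kubernetes API server honours
    # when the caller holds the "impersonate" verb on "users".
    return {"Impersonate-User": user}


# Constructed sample cluster state (not from any real cluster).
SAMPLE_NAMESPACES: List[str] = ["kube-system", "team-a", "team-b"]
SAMPLE_ACCESS: Dict[str, Set[str]] = {"alice": {"team-a"}, "bob": {"team-b"}}


def list_namespaces(settings: ImpersonationSettings,
                    request_headers: Mapping[str, str],
                    cluster: List[str] = SAMPLE_NAMESPACES,
                    access: Dict[str, Set[str]] = SAMPLE_ACCESS) -> List[str]:
    """Stub for the downstream call.

    Without Impersonate-User the service account's own (unrestricted) role
    applies and every namespace comes back. With it, the API server would
    authorize the request as that user; the allow set simulates that.
    """
    extra = impersonation_headers(settings, request_headers)
    user = extra.get("Impersonate-User")
    if user is None:
        return list(cluster)
    allowed = access.get(user, set())
    return [ns for ns in cluster if ns in allowed]


if __name__ == "__main__":
    off = ImpersonationSettings()
    on = ImpersonationSettings(enable_impersonation=True)
    rogue = {"X-Forwarded-User": "mallory"}
    print("disabled, rogue header ->", list_namespaces(off, rogue))
    print("enabled, alice ->", list_namespaces(on, {"X-Forwarded-User": "alice"}))
    print("enabled, no header ->", list_namespaces(on, {}))
```

With the real client, the dict returned by impersonation_headers would be applied per request rather than to a shared client, since one ApiClient carries default headers for every caller; whether a given user may list namespaces at all is then decided by the API server's RBAC, not by anything in this service.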
