# Pattern: Sealed Secret / Encrypted Git Secret Status: seed Readiness target: RL2 private beta Primary owners: NetKingdom, Railiance platform Genesis family: Secrets and cryptography ## Problem GitOps workflows need reproducible secret references, but plaintext secrets in Git are unacceptable. ## Context Use this pattern for bootstrap secrets, local development secrets, environment configuration, and recovery material that must be carried in versioned operational bundles. ## Forces - Git gives review and history. - Secret plaintext must not be stored in Git. - Encryption recipients and rotation need ownership. - Bootstrap secrets should transition to runtime secret authority. ## Solution Store only encrypted secret payloads or sealed secret manifests in Git, with documented recipients, rotation, and bootstrap scope. Move runtime secret issuance to OpenBao where possible. ## Verification - Plaintext secret scans pass. - Encryption recipients and owners are documented. - Decryption is limited to approved bootstrap or recovery contexts. - Runtime workloads do not depend on bootstrap root material. ## Related Patterns - Secret Zero Avoidance. - GitOps with Guardrails. - External Secrets Operator. - Break-glass Access.