This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-sealed-secret-encrypted-git-secret.md

1.2 KiB

Pattern: Sealed Secret / Encrypted Git Secret

Status: seed Readiness target: RL2 private beta Primary owners: NetKingdom, Railiance platform Genesis family: Secrets and cryptography

Problem

GitOps workflows need reproducible secret references, but plaintext secrets in Git are unacceptable.

Context

Use this pattern for bootstrap secrets, local development secrets, environment configuration, and recovery material that must be carried in versioned operational bundles.

Forces

  • Git gives review and history.
  • Secret plaintext must not be stored in Git.
  • Encryption recipients and rotation need ownership.
  • Bootstrap secrets should transition to runtime secret authority.

Solution

Store only encrypted secret payloads or sealed secret manifests in Git, with documented recipients, rotation, and bootstrap scope. Move runtime secret issuance to OpenBao where possible.

Verification

  • Plaintext secret scans pass.
  • Encryption recipients and owners are documented.
  • Decryption is limited to approved bootstrap or recovery contexts.
  • Runtime workloads do not depend on bootstrap root material.
  • Secret Zero Avoidance.
  • GitOps with Guardrails.
  • External Secrets Operator.
  • Break-glass Access.