generated from coulomb/repo-seed
1.2 KiB
1.2 KiB
Pattern: Sealed Secret / Encrypted Git Secret
Status: seed Readiness target: RL2 private beta Primary owners: NetKingdom, Railiance platform Genesis family: Secrets and cryptography
Problem
GitOps workflows need reproducible secret references, but plaintext secrets in Git are unacceptable.
Context
Use this pattern for bootstrap secrets, local development secrets, environment configuration, and recovery material that must be carried in versioned operational bundles.
Forces
- Git gives review and history.
- Secret plaintext must not be stored in Git.
- Encryption recipients and rotation need ownership.
- Bootstrap secrets should transition to runtime secret authority.
Solution
Store only encrypted secret payloads or sealed secret manifests in Git, with documented recipients, rotation, and bootstrap scope. Move runtime secret issuance to OpenBao where possible.
Verification
- Plaintext secret scans pass.
- Encryption recipients and owners are documented.
- Decryption is limited to approved bootstrap or recovery contexts.
- Runtime workloads do not depend on bootstrap root material.
Related Patterns
- Secret Zero Avoidance.
- GitOps with Guardrails.
- External Secrets Operator.
- Break-glass Access.