generated from coulomb/repo-seed
45 lines
1.2 KiB
Markdown
45 lines
1.2 KiB
Markdown
# Pattern: Sealed Secret / Encrypted Git Secret
|
|
|
|
Status: seed
|
|
Readiness target: RL2 private beta
|
|
Primary owners: NetKingdom, Railiance platform
|
|
Genesis family: Secrets and cryptography
|
|
|
|
## Problem
|
|
|
|
GitOps workflows need reproducible secret references, but plaintext
|
|
secrets in Git are unacceptable.
|
|
|
|
## Context
|
|
|
|
Use this pattern for bootstrap secrets, local development secrets,
|
|
environment configuration, and recovery material that must be carried in
|
|
versioned operational bundles.
|
|
|
|
## Forces
|
|
|
|
- Git gives review and history.
|
|
- Secret plaintext must not be stored in Git.
|
|
- Encryption recipients and rotation need ownership.
|
|
- Bootstrap secrets should transition to runtime secret authority.
|
|
|
|
## Solution
|
|
|
|
Store only encrypted secret payloads or sealed secret manifests in Git,
|
|
with documented recipients, rotation, and bootstrap scope. Move runtime
|
|
secret issuance to OpenBao where possible.
|
|
|
|
## Verification
|
|
|
|
- Plaintext secret scans pass.
|
|
- Encryption recipients and owners are documented.
|
|
- Decryption is limited to approved bootstrap or recovery contexts.
|
|
- Runtime workloads do not depend on bootstrap root material.
|
|
|
|
## Related Patterns
|
|
|
|
- Secret Zero Avoidance.
|
|
- GitOps with Guardrails.
|
|
- External Secrets Operator.
|
|
- Break-glass Access.
|