This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-sealed-secret-encrypted-git-secret.md

45 lines
1.2 KiB
Markdown

# Pattern: Sealed Secret / Encrypted Git Secret
Status: seed
Readiness target: RL2 private beta
Primary owners: NetKingdom, Railiance platform
Genesis family: Secrets and cryptography
## Problem
GitOps workflows need reproducible secret references, but plaintext
secrets in Git are unacceptable.
## Context
Use this pattern for bootstrap secrets, local development secrets,
environment configuration, and recovery material that must be carried in
versioned operational bundles.
## Forces
- Git gives review and history.
- Secret plaintext must not be stored in Git.
- Encryption recipients and rotation need ownership.
- Bootstrap secrets should transition to runtime secret authority.
## Solution
Store only encrypted secret payloads or sealed secret manifests in Git,
with documented recipients, rotation, and bootstrap scope. Move runtime
secret issuance to OpenBao where possible.
## Verification
- Plaintext secret scans pass.
- Encryption recipients and owners are documented.
- Decryption is limited to approved bootstrap or recovery contexts.
- Runtime workloads do not depend on bootstrap root material.
## Related Patterns
- Secret Zero Avoidance.
- GitOps with Guardrails.
- External Secrets Operator.
- Break-glass Access.