Sealed Secrets — Secrets in Git
Tags: Sealed Secrets, Security, GitOps
Encrypted secrets for GitOps. Safely storing secrets in Git repositories.
The Problem
Kubernetes Secrets are only base64 encoded, not encrypted: anyone who can read the manifest can decode the values. That is why they cannot be committed to Git. Sealed Secrets solve this by storing only ciphertext in the repository.
Workflow
# Create a secret
kubectl create secret generic db-creds \
--from-literal=password=s3cret --dry-run=client -o yaml > secret.yaml
# Encrypt it
kubeseal --format=yaml < secret.yaml > sealed-secret.yaml
# Commit sealed-secret.yaml to Git
# Only the cluster with the private key can decrypt
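A guard for the last two steps of that workflow, added here as an example that is not from the original page or the Sealed Secrets project: a pre-commit style scanner that refuses plain `Secret` manifests (and, because their `data` values are only base64, shows that they decode straight back to the plaintext) while letting `SealedSecret` manifests through. It uses only the Python standard library with a deliberately small YAML-subset parser for the `key: value` shapes that `kubectl create secret ... -o yaml` emits; the two sample manifests and the ciphertext placeholder are constructed.

```python
"""Pre-commit style check: block plain Kubernetes Secret manifests,
accept SealedSecret manifests (ciphertext only). Standard library only."""
import base64
import re
import sys

# Constructed sample: what `kubectl create secret generic db-creds
# --from-literal=password=s3cret --dry-run=client -o yaml` produces.
SAMPLE_PLAIN = """\
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
  namespace: default
type: Opaque
data:
  password: czNjcmV0
"""

# Constructed sample of the sealed form; the ciphertext is a placeholder.
SAMPLE_SEALED = """\
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-creds
  namespace: default
spec:
  encryptedData:
    password: AgBy...EXAMPLE-CIPHERTEXT-PLACEHOLDER...
  template:
    metadata:
      name: db-creds
      namespace: default
"""


def split_documents(text):
    """Split a multi-document manifest on '---' separator lines."""
    return [d for d in re.split(r"^---[ \t]*$", text, flags=re.M) if d.strip()]


def top_level_scalar(doc, key):
    """Value of an unindented 'key: value' line, or None if absent."""
    m = re.search(rf"^{re.escape(key)}:[ \t]*(\S+)[ \t]*$", doc, flags=re.M)
    return m.group(1) if m else None


def block_entries(doc, key):
    """{k: v} for indented scalar entries under a top-level mapping such as
    'data:'; stops at the next unindented line. None if the key is absent."""
    m = re.search(rf"^{re.escape(key)}:[ \t]*$", doc, flags=re.M)
    if not m:
        return None
    entries = {}
    for line in doc[m.end():].split("\n")[1:]:
        if line.strip() == "":
            continue
        if not line.startswith((" ", "\t")):
            break  # back at top level: the mapping has ended
        em = re.match(r"^[ \t]+(\S+):[ \t]*(\S+)[ \t]*$", line)
        if em:
            entries[em.group(1)] = em.group(2)
    return entries


def decode_secret_data(entries):
    """base64 is reversible: a Secret's 'data' is plaintext to any reader."""
    out = {}
    for k, v in entries.items():
        try:
            out[k] = base64.b64decode(v, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            out[k] = None  # not base64 text; still not encryption
    return out


def scan_manifest(text):
    """One finding per plain Secret document carrying secret material;
    SealedSecret documents produce no finding."""
    findings = []
    for doc in split_documents(text):
        if top_level_scalar(doc, "kind") != "Secret":
            continue
        name_m = re.search(r"^[ \t]+name:[ \t]*(\S+)", doc, flags=re.M)
        name = name_m.group(1) if name_m else "<unnamed>"
        for field in ("data", "stringData"):
            entries = block_entries(doc, field)
            if entries:
                recoverable = (decode_secret_data(entries) if field == "data"
                               else dict(entries))
                findings.append({"name": name, "field": field,
                                 "keys": sorted(entries),
                                 "recoverable": recoverable})
    return findings


def check_files(paths):
    """Exit status for a pre-commit hook: 1 if any plain Secret is staged."""
    bad = 0
    for p in paths:
        with open(p, encoding="utf-8") as fh:
            for f in scan_manifest(fh.read()):
                print(f"{p}: plain Secret '{f['name']}' exposes {f['field']} "
                      f"keys {f['keys']}; run kubeseal before committing")
                bad += 1
    return 1 if bad else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(check_files(sys.argv[1:]))
    # No arguments: demonstrate on the constructed samples.
    print(scan_manifest(SAMPLE_PLAIN))   # one finding, password recoverable
    print(scan_manifest(SAMPLE_SEALED))  # []
```

Wire `check_files` into a pre-commit hook over the staged `*.yaml` files so an unsealed `secret.yaml` is rejected before it ever reaches the remote; the `recoverable` field exists to make the review message concrete, not for logging, so keep it out of CI output.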
Alternatives
- Sealed Secrets — open-source, from Bitnami; encrypts the whole Secret for one cluster's key
- SOPS — from Mozilla; encrypts the values in a YAML file while the keys stay readable
- External Secrets Operator — keeps nothing in Git; syncs from Vault, AWS Secrets Manager, Azure Key Vault
Summary
Use Sealed Secrets or the External Secrets Operator to handle secrets in a GitOps workflow. Never commit plaintext secrets.
Need Help with Implementation?
Our team has experience designing and implementing modern architectures. We’re happy to help.