Safely commit encrypted Kubernetes secrets to a public Git repository as part of a GitOps workflow.
Lock a sealed secret to a specific namespace so another team's deployment cannot accidentally use it.
Let the controller renew its sealing key on a schedule while existing SealedSecrets keep working, without re-creating them.
Back up the controller's private key so committed SealedSecrets can still be decrypted if the cluster is lost.
Requires a running Kubernetes cluster; the in-cluster controller must be deployed first, because it generates the key pair, serves the public certificate kubeseal encrypts with, and is the only component that can decrypt a SealedSecret.
Sealed Secrets solves a specific problem that teams using Kubernetes (a system for running containerized applications) run into when they want to keep all their configuration in a version control system such as Git: a regular Kubernetes Secret manifest is only base64-encoded, not encrypted, so it cannot safely be committed to a repository, least of all a public one. Anyone who can read the file can read the secret.

The project encrypts secrets before they go into Git so that the encrypted form is safe to store anywhere. The encrypted object is a SealedSecret, a custom resource. When you apply it to the cluster, a controller running inside the cluster decrypts it and creates the corresponding Secret. Only that controller holds the private key, so not even the person who created the SealedSecret can reverse it outside the cluster.

The system has two pieces: the controller, which runs in the cluster and holds the private key, and kubeseal, a command-line tool you run on your own machine to encrypt. You pipe a regular Secret manifest into kubeseal; it fetches the controller's public certificate through the Kubernetes API, encrypts the data, and writes a SealedSecret manifest you can commit. The private key never leaves the controller. If the machine doing the sealing has no cluster access, kubeseal can read a previously fetched certificate file instead (its --cert flag); the certificate is public, so it is safe to keep alongside the manifests.

Scopes control where a SealedSecret can be decrypted: strict (the default) ties it to a specific namespace and name, namespace-wide ties it to a namespace but allows any name, and cluster-wide allows any namespace and name. The scope is chosen at sealing time (kubeseal's --scope flag, or annotations on the input Secret) and is bound into the ciphertext, so renaming a strict SealedSecret or moving it to another namespace makes the controller refuse to decrypt it. This prevents one team from reusing another team's secret; the wider scopes remove exactly that protection, so use them deliberately.

The controller renews its sealing key on a schedule (every 30 days by default) and keeps the older keys, so SealedSecrets created under a previous key still decrypt. Existing SealedSecrets are not rewritten automatically; kubeseal's --re-encrypt mode re-seals them under the latest key. Key renewal is not the same as rotating the secret values: anyone who obtains an old private key can still decrypt every SealedSecret sealed under it, including copies in Git history, so a key compromise calls for changing the secrets themselves, not just the key.

Because the private key lives only in the cluster, losing the cluster means losing the ability to decrypt the committed SealedSecrets. The README documents backing up the controller's key Secrets (kept in the controller's namespace, kube-system by default) and restoring them into a new cluster, plus an offline recovery mode in kubeseal (--recovery-unseal) that decrypts a SealedSecret with a backed-up private key. Treat that backup like any other root key: encrypt it at rest and restrict who can read it.

Installation options include Helm, Kustomize, Homebrew, and pre-built binaries for Linux and macOS. This summary covers only part of the full README.
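How the scope binding and the key retention described above fit together, as an added Go example written for this summary (it is not the project's code). It models the hybrid scheme as I understand the project's crypto package to work: a random AES-256-GCM session key is wrapped with RSA-OAEP(SHA-256), and the scope string ("namespace/name", "namespace" or empty) is the OAEP label, so a ciphertext sealed for team-a/db-creds cannot be opened with any other label. The page does not document this wire format, so treat those specifics, the names scopeLabel, seal, unseal, unsealWithKeyring and demo, and the constructed sample values as assumptions to check against the repository before relying on them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// scopeLabel is the RSA-OAEP label that binds a ciphertext to its scope. Assumption (the page
// does not document it): "namespace/name" for strict, "namespace" for namespace-wide, "" for cluster-wide.
func scopeLabel(scope, namespace, name string) []byte {
	switch scope {
	case "cluster-wide":
		return nil
	case "namespace-wide":
		return []byte(namespace)
	}
	return []byte(namespace + "/" + name) // strict
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal wraps a fresh 32-byte session key with RSA-OAEP(SHA-256, label) and encrypts the
// plaintext with AES-256-GCM under it. Layout: 2-byte BE length | wrapped key | GCM ciphertext.
func seal(pub *rsa.PublicKey, plaintext, label []byte) ([]byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	aead, err := gcm(sessionKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2, 2+len(wrapped))
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	// The session key is used exactly once, so a fixed all-zero nonce is safe here.
	return aead.Seal(out, make([]byte, aead.NonceSize()), plaintext, nil), nil
}

// unseal reverses seal. A different label (another scope) or a different private key fails
// at the OAEP step; that failure is what rejects a mis-scoped SealedSecret.
func unseal(priv *rsa.PrivateKey, blob, label []byte) ([]byte, error) {
	if len(blob) < 2 || len(blob) < 2+int(binary.BigEndian.Uint16(blob)) {
		return nil, fmt.Errorf("sealed blob truncated")
	}
	n := int(binary.BigEndian.Uint16(blob))
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[2:2+n], label)
	if err != nil {
		return nil, fmt.Errorf("key or scope mismatch: %w", err)
	}
	aead, err := gcm(sessionKey) // rejects a wrapped key that is not a valid AES key length
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, make([]byte, aead.NonceSize()), blob[2+n:], nil)
}

// unsealWithKeyring models the controller after key renewal: newest key first, then each
// retained older key, so a SealedSecret created before the rotation still opens.
func unsealWithKeyring(keys []*rsa.PrivateKey, blob, label []byte) (pt []byte, err error) {
	err = fmt.Errorf("no keys in keyring")
	for i := len(keys) - 1; i >= 0; i-- {
		if pt, err = unseal(keys[i], blob, label); err == nil {
			return pt, nil
		}
	}
	return nil, err
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// demo seals a value for team-a/db-creds under the controller's current key, then checks: same
// scope opens, another namespace does not, after renewal the retained old key still opens it,
// and the new key alone does not (which is why the backup must include every old key).
func demo() (strictOK, crossNamespaceRejected, oldKeyStillOpens, wrongKeyRejected bool) {
	oldKey := must(rsa.GenerateKey(rand.Reader, 2048)) // key the controller had at seal time
	newKey := must(rsa.GenerateKey(rand.Reader, 2048)) // key generated by a later renewal
	secret := []byte("s3cr3t-db-password")             // constructed sample value
	label := scopeLabel("strict", "team-a", "db-creds")
	blob := must(seal(&oldKey.PublicKey, secret, label))
	pt, err := unseal(oldKey, blob, label)
	_, crossErr := unseal(oldKey, blob, scopeLabel("strict", "team-b", "db-creds"))
	ptRing, ringErr := unsealWithKeyring([]*rsa.PrivateKey{oldKey, newKey}, blob, label)
	_, wrongErr := unseal(newKey, blob, label)
	return err == nil && string(pt) == string(secret), crossErr != nil,
		ringErr == nil && string(ptRing) == string(secret), wrongErr != nil
}

func main() { fmt.Println(demo()) }
```

The cross-namespace rejection and the wrong-key rejection surface as the same OAEP decryption error, which is the point: the controller has no separate "scope check" to bypass, the scope is part of what the private key operation must match. The keyring loop is also the reason a key backup taken after several renewals has to contain all retained keys, not just the newest one.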
Verify against the repo before relying on details.