finds.dev

// the find

bitnami/sealed-secrets

★ 9,160 · Go · Apache-2.0 · updated Jun 2026

A Kubernetes controller and tool for one-way encrypted Secrets

Sealed Secrets solves the one remaining blocker to full GitOps adoption: you can commit every Kubernetes resource to git except Secrets. It works by encrypting each secret with a public key, storing the ciphertext in a SealedSecret custom resource (defined by the project's CRD), and having a cluster-side controller hold the only private key that can decrypt it back into an ordinary Secret. Aimed at platform teams running GitOps workflows who want secrets in git without the obvious disaster of storing them in plaintext.

The namespace and secret name are baked into the encrypted payload by default, which prevents a class of privilege-escalation attacks where a user copies a sealed secret into a namespace they can read. Automatic sealing key renewal every 30 days is on by default and old keys are retained, so existing secrets keep working without any re-encryption ceremony. The offline cert workflow (`--fetch-cert` to a PEM file) is a practical escape hatch for GKE private clusters and CI pipelines where kubeseal can't reach the Kubernetes API. The Helm chart ships with optional Prometheus rules and a Grafana dashboard, which is unusually complete for a tool of this scope.

If you lose the cluster and didn't back up the sealing key Secrets, you've lost everything — there's no recovery path and the FAQ is admirably honest about this, but it means your disaster recovery plan now has an opaque new dependency. The `cluster-wide` scope exists specifically to work around cases where you don't know the target namespace at seal time, but using it collapses the namespace-binding security guarantee entirely, and nothing in the tooling warns you that you've just made that trade. Key rotation is confusingly named — the docs correctly explain it's not real rotation (old keys are never deleted), but teams consistently misread this and think rotating the sealing key protects them from a prior key leak. The controller requires a restart to pick up manually created or deleted sealing keys, which is a surprisingly manual step for an otherwise automated system.
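The namespace binding, the `cluster-wide` trade-off and the "old keys are retained" behaviour all come down to one detail: what the sealing tool mixes into the encryption besides the public key, and what the controller recomputes on its side. The Go program below is an added illustration written for this page, not code from the sealed-secrets project, and it models the mechanism rather than reproducing the project's wire format. It assumes a hybrid scheme in which a random AES-256 session key is wrapped with RSA-OAEP using a scope-derived label (`namespace/name` for strict, `namespace` for namespace-wide, empty for cluster-wide) and the payload is sealed with AES-GCM; the `Scope` type, the `Seal`, `Unseal` and `UnsealWithKeyring` functions, the blob layout and the sample values are all this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Scope models kubeseal's three sealing scopes (type and constant names are this example's own).
type Scope int

const (
	Strict        Scope = iota // default: bound to namespace and name
	NamespaceWide              // bound to namespace only; the name may change
	ClusterWide                // bound to nothing; opens in any namespace
)

// scopeLabel is what gets mixed in besides the public key (assumed model: "ns/name", "ns", or "").
func scopeLabel(scope Scope, namespace, name string) []byte {
	switch scope {
	case Strict:
		return []byte(namespace + "/" + name)
	case NamespaceWide:
		return []byte(namespace)
	}
	return nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the kubeseal side: a fresh AES-256 session key is wrapped with RSA-OAEP using the
// scope label as OAEP label, and the payload is sealed with AES-GCM under that session key.
// Assumed blob layout: [2-byte big-endian len][wrapped key][12-byte nonce][GCM ciphertext].
func Seal(pub *rsa.PublicKey, plaintext []byte, scope Scope, namespace, name string) ([]byte, error) {
	buf := make([]byte, 44) // 32-byte session key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, scopeLabel(scope, namespace, name))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2)
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(append(out, wrapped...), nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// Unseal is the controller side. It recomputes the label from the SealedSecret object's own
// namespace, name and scope, so a blob copied elsewhere (or with its scope edited) fails to unwrap.
func Unseal(priv *rsa.PrivateKey, blob []byte, scope Scope, namespace, name string) ([]byte, error) {
	if len(blob) < 14 || len(blob) < 2+int(binary.BigEndian.Uint16(blob))+12 {
		return nil, fmt.Errorf("truncated blob")
	}
	wl := int(binary.BigEndian.Uint16(blob))
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[2:2+wl], scopeLabel(scope, namespace, name))
	if err != nil {
		return nil, fmt.Errorf("label mismatch or wrong sealing key: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[2+wl:2+wl+12], blob[2+wl+12:], nil)
}

// UnsealWithKeyring models key renewal: the controller keeps every sealing key it has generated
// and tries them newest first, so old blobs keep working and a leaked old key keeps opening them.
func UnsealWithKeyring(keys []*rsa.PrivateKey, blob []byte, scope Scope, namespace, name string) ([]byte, error) {
	for i := len(keys) - 1; i >= 0; i-- {
		if pt, err := Unseal(keys[i], blob, scope, namespace, name); err == nil {
			return pt, nil
		}
	}
	return nil, fmt.Errorf("no sealing key in the ring can open this blob")
}

func main() {
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048) // a renewed key; the old one is kept
	strict, _ := Seal(&oldKey.PublicKey, []byte("password=hunter2"), Strict, "prod", "db-creds") // constructed sample
	_, err := Unseal(oldKey, strict, Strict, "staging", "db-creds")
	fmt.Println("strict blob copied into staging:", err)
	pt, _ := UnsealWithKeyring([]*rsa.PrivateKey{oldKey, newKey}, strict, Strict, "prod", "db-creds")
	fmt.Println("same blob after renewal, via the keyring:", string(pt))
}
```

The design point is that the controller never trusts anything in the blob to tell it which namespace or name the secret is for; it derives the label from where the SealedSecret object actually lives. That is exactly why a `cluster-wide` blob (empty label) opens anywhere, and why editing a strict blob's scope annotation does not widen it, since the recomputed label simply stops matching. The keyring function shows the other half of the page's point: renewal adds a key but removes none, so a compromised earlier key stays useful against everything sealed under it until those secrets are re-sealed under a fresh key and the old key is deleted.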

View on GitHub →

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.
