SEALED-SECRETS
The pattern that finally makes GitOps + secrets compatible.
Definition
The controller generates an RSA pair, exposes the public key. Developers use kubeseal CLI to encrypt a Secret YAML into a SealedSecret. The SealedSecret can be committed to Git in clear text (unreadable by humans); on apply, the controller decrypts it into a native Secret. Widely adopted with Argo CD / Flux CD for EDI pipelines.
Origin
Created by Bitnami (now VMware Tanzu Labs), open-source under Apache 2.0.
Example in context
A SealedSecret committed in Git that, once applied, becomes a native Secret carrying the AS2 private key.