Sealed Secrets & SOPS
Manage BoltMCP's application Secrets in Git using Sealed Secrets or SOPS.
This page expands on the Alternatives noted in Cluster Prep. It covers GitOps-friendly ways to keep BoltMCP's three application Secrets (boltmcp-database, boltmcp-oidc, boltmcp-auth) encrypted at rest in version control.
Both approaches produce ordinary Secret resources that the chart consumes; the difference is how the source material lives at rest.
- Sealed Secrets — encrypt a
Secretwithkubesealagainst the cluster's public key, commit the resultingSealedSecretto Git, and the in-cluster controller decrypts it back into a regularSecret. Good when you don't have an external secrets manager. - SOPS — encrypt
SecretYAML files with age / PGP / cloud KMS. Flux decrypts on apply natively; Argo CD supports SOPS viaargocd-vault-pluginorhelm-secrets.
In both cases the materialised Secret must end up named boltmcp-database / boltmcp-oidc / boltmcp-auth (or whatever you set secrets.<group>.name to) with the keys listed in Cluster Prep.