BoltMCP Installation Docs

Sealed Secrets & SOPS

Manage BoltMCP's application Secrets in Git using Sealed Secrets or SOPS.

This page expands on the Alternatives noted in Cluster Prep. It covers GitOps-friendly ways to keep BoltMCP's three application Secrets (boltmcp-database, boltmcp-oidc, boltmcp-auth) encrypted at rest in version control.

Both approaches produce ordinary Secret resources that the chart consumes; the difference is how the source material lives at rest.

  • Sealed Secrets — encrypt a Secret with kubeseal against the cluster's public key, commit the resulting SealedSecret to Git, and the in-cluster controller decrypts it back into a regular Secret. Good when you don't have an external secrets manager.
  • SOPS — encrypt Secret YAML files with age / PGP / cloud KMS. Flux decrypts on apply natively; Argo CD supports SOPS via argocd-vault-plugin or helm-secrets.

In both cases the materialised Secret must end up named boltmcp-database / boltmcp-oidc / boltmcp-auth (or whatever you set secrets.<group>.name to) with the keys listed in Cluster Prep.