Sealed Secrets encrypt the Secret resources into a SealedSecret using asymmetric encryption.
A secret could look like this:
And you want to store this secret in Git so that it is versioned. Storing a plain-text secret is always bad practice as the git repository can get shared everywhere in the world.
Sealed Secrets encrypt the secret and only the Sealed Secrets controller can decrypt the SealedSecret.
A SealedSecret looks like this:
Sealed Secrets allows secrets to be stored inside Git, which means it allows GitOps to be used. Git becomes the source of truth, but only the Kubernetes cluster canread the secrets.
Another solution for managing secrets is Hashicorp Vault. However, the source of truth for secrets is moved to Hashicorp Vault, which is not GitOps friendly.
Depending on the use case, you may prefer Hashicorp Vault for multi-clusters and to support multiple application types.