sealed-secrets
by
bitnami-labs

Description: A Kubernetes controller and tool for one-way encrypted Secrets

View bitnami-labs/sealed-secrets on GitHub ↗

Summary Information

Updated 39 minutes ago
Added to GitGenius on March 7th, 2026
Created on May 29th, 2017
Open Issues/Pull Requests: 72 (+0)
Number of forks: 767
Total Stargazers: 9,017 (+0)
Total Subscribers: 70 (+0)

Detailed Description

Sealed Secrets is a Kubernetes tool and controller designed to address the common problem of securely managing sensitive information, such as passwords, API keys, and other secrets, within a Git-based configuration management system. The core purpose of Sealed Secrets is to enable the safe storage of secrets in public or shared repositories, mitigating the risk of accidental exposure. It achieves this by encrypting Kubernetes Secrets into a custom resource called `SealedSecret`.

The main functionality revolves around two key components: a cluster-side controller and a client-side utility named `kubeseal`. The controller, deployed within the Kubernetes cluster, is responsible for decrypting `SealedSecret` resources and creating corresponding standard Kubernetes `Secret` objects. The `kubeseal` utility, on the other hand, is used to encrypt the original Kubernetes Secrets into `SealedSecret` resources. This encryption process uses asymmetric cryptography: `kubeseal` only ever needs the controller's public key, and the private key never leaves the cluster, so only the controller running within the target cluster can decrypt the secrets. This one-way encryption guarantees that even if the `SealedSecret` is exposed, the original secret remains protected.

The process begins with a user creating a standard Kubernetes `Secret` or a YAML file representing the desired secret. The `kubeseal` utility then takes this secret as input and encrypts it, producing a `SealedSecret` resource. This `SealedSecret` is safe to store in a Git repository or any other location, even if it's publicly accessible. When the `SealedSecret` is applied to the Kubernetes cluster, the controller automatically detects it and decrypts the encrypted data, creating a regular Kubernetes `Secret` object within the specified namespace. This standard `Secret` can then be used by pods and other Kubernetes resources as needed.

A key feature of Sealed Secrets is its ability to act as a template for secrets. The `SealedSecret` resource includes a `template` section, which allows users to define the metadata (labels, annotations) and other properties of the resulting `Secret`. This provides a declarative way to manage not only the secret data itself but also its associated configuration. The `template` section supports the use of the Sprig function library, enabling dynamic secret generation and customization.

The installation process involves deploying the controller into the Kubernetes cluster, typically using a YAML manifest, Kustomize, or a Helm chart. The `kubeseal` utility can be installed on the user's local machine using various methods, including Homebrew, MacPorts, Linux package managers, or by building from source. The `kubeseal` utility requires access to the controller's public key (certificate) to perform encryption. By default, `kubeseal` fetches the certificate from the controller at runtime, but it also supports offline usage by specifying a certificate file.

Sealed Secrets also offers features for secret rotation and management. The controller automatically renews the encryption key periodically, and users can also trigger key renewal manually. The tool supports different scopes for `SealedSecret` resources, controlling how they can be used across namespaces. The default "strict" scope ensures that a `SealedSecret` can only be decrypted in the same namespace and with the same name it was sealed for. Other scopes, such as "namespace-wide" and "cluster-wide," provide more flexibility, allowing secrets to be renamed or used across different namespaces, depending on the security requirements. Choosing the narrowest scope that fits limits where a `SealedSecret` can be unsealed, so it cannot simply be copied or renamed into a namespace whose users should not be able to read it.
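To make the asymmetric-encryption and scope descriptions above concrete, here is a simplified Go model of how a scope can be bound into the ciphertext so that the controller's unseal only succeeds when the namespace and name it actually received reproduce the label used at sealing time. This is an added illustration, not the project's own code or wire format; the function names, the label strings and the `wrappedKey || nonce || ciphertext` layout are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// scopeLabel is the Secret identity bound into the ciphertext; the controller rebuilds it from the SealedSecret it received.
func scopeLabel(scope, namespace, name string) []byte {
	switch scope {
	case "strict":
		return []byte(namespace + "/" + name)
	case "namespace-wide":
		return []byte(namespace)
	}
	return nil // cluster-wide: nothing is bound
}

// Seal wraps a fresh AES-256-GCM session key with RSA-OAEP, passing the scope
// label as the OAEP label. Output layout: wrappedKey || nonce || ciphertext.
func Seal(pub *rsa.PublicKey, scope, namespace, name string, plaintext []byte) ([]byte, error) {
	buf := make([]byte, 32+12) // session key followed by GCM nonce
	rand.Read(buf)             // crypto/rand never returns an error since Go 1.24
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, scopeLabel(scope, namespace, name))
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Seal(append(wrapped, nonce...), nonce, plaintext, nil), nil
}

// Unseal is the controller side; a wrong label or a foreign key fails inside OAEP.
func Unseal(priv *rsa.PrivateKey, scope, namespace, name string, sealed []byte) ([]byte, error) {
	k := priv.Size()
	if len(sealed) < k+12 {
		return nil, rsa.ErrDecryption
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sealed[:k], scopeLabel(scope, namespace, name))
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, sealed[k:k+12], sealed[k+12:], nil)
}
```

A blob sealed as "strict" therefore fails to unseal if it is renamed, moved to another namespace, or re-labelled as "cluster-wide", because each of those changes the OAEP label on the decrypting side.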

In essence, Sealed Secrets provides a robust and user-friendly solution for securely managing secrets in Kubernetes, enabling GitOps workflows and promoting best practices for sensitive data handling. It addresses the critical need to protect secrets throughout their lifecycle, from creation to deployment, while simplifying the management of these critical resources.
