k8s gitops secrets

secrets and gitops and k8s


The idea is that you track your desired state (of entire clusters) in git and some tooling realizes it for you. The problem is secrets: committing plaintext secrets to git is a bad idea, especially if the repo is going to be public.



Secrets are encrypted with a public key and committed as instances of a CRD. A controller in the cluster watches those resources, decrypts them with the matching private key and creates the corresponding Secrets.


Secrets are stored in cloud-platform-specific secret managers (or HashiCorp Vault). A controller watches for CRDs that reference them and retrieves the secrets into the cluster.

Supports: AWS, HashiCorp Vault, Azure, Alibaba, GCP

mozilla/sops-based solutions

SOPS is generic secret-encryption tooling; additional tooling is needed to integrate it with k8s workflows. Files are encrypted with either a GPG key or a cloud KMS key. Wrappers/plugins decrypt the contents before they are rendered or used as plain values.
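Since the notes above warn against committing plaintext secrets and describe SOPS-encrypted manifests, here is an added example (not from these notes or from the SOPS project) of a commit-time guard that flags Secret manifests whose values are not SOPS-encrypted. It assumes the SOPS output layout (a top-level `sops:` block, values of the form `ENC[AES256_GCM,...]`); the sample manifests and their `ENC[...]` contents are constructed placeholders.

```python
# Added example: a commit-time guard that refuses plaintext Kubernetes Secrets.
# Assumes the SOPS layout: a top-level `sops:` metadata block and values shaped
# ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]. Line-based on purpose (no YAML lib).
import re

ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:[^,]+,iv:[^,]+,tag:[^,]+,type:\w+\]$")
TOP_KEY_RE = re.compile(r"^([A-Za-z_][\w.-]*):")  # key at column 0
CHILD_RE = re.compile(r"^\s+([\w.-]+):\s*(.*)$")  # indented key: value

def check_secret_doc(doc):
    """Findings for one YAML document; [] means not a Secret or properly encrypted."""
    lines = doc.splitlines()
    kind = next((l.split(":", 1)[1].strip() for l in lines if l.startswith("kind:")), "")
    if kind != "Secret":
        return []
    findings, section = [], None
    for line in lines:
        top = TOP_KEY_RE.match(line)
        if top:
            section = top.group(1)  # remember which top-level mapping we are in
            continue
        child = CHILD_RE.match(line)
        if section in ("data", "stringData") and child and child.group(2):
            if not ENC_RE.match(child.group(2).strip().strip("'\"")):
                findings.append(f"{section}.{child.group(1)}: plaintext value")
    if not any(l.startswith("sops:") for l in lines):
        findings.append("no sops: metadata block")
    return findings

def scan(manifest_text):
    """Scan a multi-document YAML file; returns (doc index, finding) pairs."""
    docs = [d for d in re.split(r"(?m)^---\s*$", manifest_text) if d.strip()]
    return [(i, f) for i, d in enumerate(docs) for f in check_secret_doc(d)]

# Constructed samples; the ENC[...] fields are placeholders, not real ciphertext.
PLAINTEXT = """\
apiVersion: v1
kind: Secret
stringData:
  password: hunter2
"""
ENCRYPTED = """\
apiVersion: v1
kind: Secret
stringData:
  password: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
sops:
  pgp:
    - fp: PLACEHOLDER_FINGERPRINT
"""
```

Wire `scan` into a pre-commit hook over the repo's manifests and fail the commit on any finding; ConfigMaps and other kinds are ignored.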


For helm specifically, individual helm values are encrypted with GPG or cloud KMS. helm secrets ... wraps the normal helm commands to decrypt the secret values, which can then be used as normal helm values in templating.


Use git filters/commands to encrypt files before they are committed and decrypt them after checkout.