🔐 Managing Encrypted Secrets in K8s: A Guide to GitOps-Compatible Solutions 🔐
When deploying applications on Kubernetes, it’s crucial to securely manage secrets. In this post, we’ll explore three popular solutions that align with GitOps principles: SOPS, Sealed Secrets, and Vault.
1️⃣ SOPS (Secrets OPerationS) by Mozilla: SOPS allows you to encrypt, decrypt, and edit secrets in configuration files. Store encrypted secrets in your Git repo and decrypt them during the CI/CD process. However, SOPS doesn’t keep secrets encrypted within running pods.
# Encrypt secret with SOPS
sops --encrypt --pgp <gpg_key> secrets.yaml > secrets.enc.yaml
# Decrypt and apply secret
sops --decrypt secrets.enc.yaml | kubectl apply -f -2️⃣ Sealed Secrets by Bitnami: Sealed Secrets provides client-side encryption and server-side decryption in Kubernetes. A controller in your cluster automatically decrypts Sealed Secrets, creating corresponding Kubernetes Secret resources.
# Encrypt secret with kubeseal
kubectl create secret generic my-secret --dry-run=client --from-literal=my-key=my-value -o json | kubeseal --controller-name=sealed-secrets --format yaml > my-sealed-secret.yaml
# Apply SealedSecret
kubectl apply -f my-sealed-secret.yaml3️⃣ Vault by HashiCorp: Vault is a powerful secret management system that can be integrated with Kubernetes. Although not strictly GitOps, Vault keeps secrets encrypted until requested by authorized applications.
# Store secret in Vault
vault kv put secret/my-app password=supersecret
# Read secret from Vault in your app
curl -H "X-Vault-Token: <your_token>"
https://<vault_addr>/v1/secret/data/my-appSOPS and #SealedSecrets align with GitOps principles for managing secrets, while #Vault provides a more flexible, runtime-encryption-focused solution. Consider your specific requirements, existing tooling, and infrastructure when choosing the right approach. 💡
#Kubernetes #GitOps #SOPS #SealedSecrets #Vault #DevOps #security
