Securing secrets in the GitOps Era

Your Kubernetes secrets are just Base64 encoded, not encrypted. Learn two powerful patterns to secure your GitOps workflow.

#1about 8 minutes

Understanding the fundamentals and benefits of GitOps

GitOps uses a Git repository as the single source of truth for declaratively managing infrastructure and application deployments.

#2about 5 minutes

The security risk of storing secrets in Git

Storing Kubernetes secrets directly in a Git repository is insecure because the values are only Base64 encoded, not truly encrypted.

#3about 15 minutes

Encrypting secrets in Git with Sealed Secrets

Sealed Secrets is a Kubernetes operator that uses public-key cryptography to safely encrypt secrets before they are stored in a Git repository.

#4about 3 minutes

Evaluating the pros and cons of Sealed Secrets

While Sealed Secrets are easy to configure and integrate with GitOps, they can be cumbersome for frequent value changes and history retrieval.

#5about 7 minutes

Managing secrets with external secret managers

External secret managers like HashiCorp Vault or cloud provider solutions offer centralized control, web UIs, and easier secret rotation.

#6about 2 minutes

Integrating external secret managers into Kubernetes

Applications can access secrets from external managers by using provider-specific SDKs or by using a Secret Store CSI driver to sync them as native Kubernetes secrets.

#7about 18 minutes

Q&A on GitOps secret management practices

The speaker answers audience questions on topics including key management strategies, multi-tenancy, secure transmission, and CI/CD pipeline integration.