Managing secrets in a GitOps workflow
WHAT IT TESTS: secrets in declarative pipelines. OUTLINE: never commit plaintext; encrypt with Sealed Secrets or SOPS, or reference an external store via External Secrets Operator. RED FLAG: base64-encoding a Secret and calling it secure.
WHAT IT TESTS: whether you can keep secrets out of Git while staying declarative. ANSWER OUTLINE: never commit plaintext or merely base64-encoded Secrets, since base64 is not encryption. Use Sealed Secrets, where a cluster controller holds a private key and only it can decrypt the committed encrypted blob; or SOPS for encrypted files; or the External Secrets Operator to pull from Vault, AWS Secrets Manager, etc. RED FLAG: treating base64 as secure or storing real credentials in the repo.
- #gitops
- #secrets
- #security
- #sealed-secrets
- #kubernetes