At my most recent company, I was part of a team managing over 10 Kubernetes clusters, ensuring high availability and efficient deployment across multiple regions.
I got a question about this solution. How are you going to decrypt the secrets from within the K8s cluster? Is ArgoCD just pushing the changes and does the K8s cluster do the decryption? Does this work only in the cloud via KMS?
I'm interested in a solution that also works locally on k3d or kind.
Great question.
ArgoCD actually syncs changes through Kustomize files, and there's a ksops tool which enables secrets to be automatically decrypted on apply.
SOPS is not bound to using GCP KMS; it can also use AWS KMS, Azure Key Vault, HashiCorp Vault, age, and PGP.
Locally you could do it through self-hosted HashiCorp Vault, age or PGP if you want to completely avoid the cloud, depending on your setup.
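To make the decrypt-on-apply flow concrete for the local age case, here is an added example that is not from the post or the ksops project: the files a repo would carry plus the Argo CD build option, with a placeholder age recipient and hypothetical file names.

```yaml
# .sops.yaml (repo root): every *.enc.yaml is encrypted to one age recipient,
# and only data/stringData is encrypted, so keys and metadata stay reviewable.
# Placeholder recipient; replace with your own age public key.
creation_rules:
  - path_regex: .*\.enc\.yaml$
    encrypted_regex: ^(data|stringData)$
    age: age1PLACEHOLDER_PUBLIC_KEY
---
# db-credentials.enc.yaml: what gets committed after
#   sops --encrypt --in-place db-credentials.enc.yaml
# (value shown as an ENC[...] stub; real output also carries a `sops:` block
# with the recipient and a MAC over the file, so tampering is detected)
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
stringData:
  password: ENC[AES256_GCM,data:PLACEHOLDER,tag:PLACEHOLDER,type:str]
---
# secret-generator.yaml: the ksops exec generator Kustomize runs on build
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  name: db-credentials-generator
  annotations:
    config.kubernetes.io/function: |
      exec:
        path: ksops
files:
  - ./db-credentials.enc.yaml
---
# kustomization.yaml: reference the generator, never the encrypted file directly
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
generators:
  - ./secret-generator.yaml
---
# argocd-cm (excerpt): allow the repo-server to run the exec generator.
# The age private key is handed to argocd-repo-server via SOPS_AGE_KEY_FILE
# from a Kubernetes Secret, so decryption happens in-cluster and the private
# key is never committed; back that key up, as with any cluster-held key.
data:
  kustomize.buildOptions: --enable-alpha-plugins --enable-exec
```

The same layout works on k3d or kind, since age needs no cloud KMS; only the repo-server (or your laptop running `kustomize build`) must hold the private key.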
While I appreciate the approach of a single tool for all secrets, I am not 100% sure that I want to store encrypted secrets in Git.
That's why I don't like Sealed Secrets much. It's great that the keys don't leave the cluster, but if you destroy the cluster you need to back them up anyway.
Also, leaking keys is so common that I know I'll mess up. It's like putting secrets in .env and then adding .env to .gitignore. You know you will mess it up eventually, and you won't even notice.