Secrets & image updates

Secrets in GitOps; auto image bumps.

Advanced12 min · lesson 10 of 12

GitOps has one awkward question: secrets cannot sit in Git as plaintext, yet Git is the source of truth. Three common answers. Sealed Secrets encrypts a Secret with a cluster-side controller’s key so only that cluster can decrypt it — the SealedSecret in Git is safe. The External Secrets Operator keeps secrets in a real store (Vault, cloud secrets manager) and materializes them in-cluster from a reference in Git. SOPS encrypts values in Git and decrypts at render time. All keep plaintext out of the repo.

externalsecret.yaml (in Git)
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata: { name: db-creds, namespace: payments }
spec:
secretStoreRef: { name: vault, kind: ClusterSecretStore }
target: { name: db-creds }
data:
- secretKey: password
remoteRef: { key: payments/db, property: password }
# Git holds only the REFERENCE; the real secret stays in Vault
# and is synced into a Secret in-cluster

Image updates and progressive delivery

Two adjacent capabilities. Argo CD Image Updater watches registries and, when a new image matching a policy appears, writes the new tag/digest back to Git (or overrides it), so image bumps become GitOps changes without a human editing YAML. And Argo Rollouts extends Deployments with canary and blue-green strategies driven by metrics, so a new version rolls out progressively and aborts on bad metrics. Both fit the GitOps model — the desired state, and its safe rollout, stay declarative.

Keep the decryption keys and secret-store access tight
Whichever secrets approach you use, the trust moves to a key or a store: the Sealed Secrets controller key, the ESO service account’s access to Vault, or the SOPS key Argo CD uses. Whoever holds those can decrypt your secrets, so protect them like crown jewels, scope the operator’s access to least privilege, and never let the plaintext round-trip through Git or Argo CD logs. GitOps secrets are only as safe as the key that unlocks them.