ArgoCD Secrets Management: Sealed Secrets, External Secrets Operator, and SOPS

ArgoCD Secrets Management

GitOps says everything should be in Git. Kubernetes Secrets are base64-encoded, not encrypted. Committing base64 secrets to Git is equivalent to committing plaintext – anyone with repo access can decode them. This is the fundamental tension of GitOps secrets management.

Three approaches solve this, each with different tradeoffs.

Approach 1: Sealed Secrets

Sealed Secrets encrypts secrets client-side so the encrypted form can be safely committed to Git. Only the Sealed Secrets controller running in-cluster can decrypt them.
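To make the "encrypt client-side, decrypt only in-cluster" property concrete, here is an added Go example that is not code from the Sealed Secrets project and does not reproduce its exact wire format. It models the same envelope idea: the developer holds only the controller's public key, a fresh AES-256-GCM session key encrypts the secret value, and RSA-OAEP wraps that session key. The `namespace/name` label bound into both the OAEP label and the GCM associated data is an assumption added here to mirror the controller's namespace-scoped behaviour; the 2-byte length prefix layout, key sizes and function names are likewise this example's own choices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// GenerateControllerKey stands in for the key pair the in-cluster controller
// owns; the private half never leaves the cluster, only the public half is
// fetched by developers.
func GenerateControllerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// scopeLabel binds a sealed value to one namespace/name (assumed scheme), so a
// ciphertext copied into another namespace will not decrypt.
func scopeLabel(namespace, name string) []byte {
	return []byte(namespace + "/" + name)
}

// Seal runs on the developer's machine with only the public key. The output is
// what gets committed to Git: a random session key encrypts the value with
// AES-256-GCM, and RSA-OAEP wraps that session key for the controller.
func Seal(pub *rsa.PublicKey, namespace, name string, plaintext []byte) ([]byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	label := scopeLabel(namespace, name)
	ct := gcm.Seal(nil, nonce, plaintext, label)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	// Envelope (example layout): 2-byte big-endian wrapped-key length ||
	// wrapped session key || GCM nonce || GCM ciphertext+tag.
	var out bytes.Buffer
	binary.Write(&out, binary.BigEndian, uint16(len(wrapped)))
	out.Write(wrapped)
	out.Write(nonce)
	out.Write(ct)
	return out.Bytes(), nil
}

// Unseal is the controller side: only the private key recovers the session
// key, and the scope label must match the object's namespace/name.
func Unseal(priv *rsa.PrivateKey, namespace, name string, sealed []byte) ([]byte, error) {
	if len(sealed) < 2 {
		return nil, errors.New("sealed blob too short")
	}
	klen := int(binary.BigEndian.Uint16(sealed[:2]))
	if len(sealed) < 2+klen {
		return nil, errors.New("sealed blob truncated")
	}
	wrapped, rest := sealed[2:2+klen], sealed[2+klen:]
	label := scopeLabel(namespace, name)
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, label)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key (wrong key or scope): %w", err)
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(rest) < gcm.NonceSize() {
		return nil, errors.New("missing nonce")
	}
	nonce, ct := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

func main() {
	priv, _ := GenerateControllerKey()
	// Constructed sample value; in practice this is the Secret's data field.
	sealed, _ := Seal(&priv.PublicKey, "payments", "db-creds", []byte("s3cr3t-password"))
	fmt.Printf("sealed blob is %d bytes and safe to commit\n", len(sealed))
	pt, err := Unseal(priv, "payments", "db-creds", sealed)
	fmt.Println("controller unseals:", string(pt), err)
	_, err = Unseal(priv, "staging", "db-creds", sealed)
	fmt.Println("same blob in another namespace:", err)
}
```

The two failure paths in `main` are the ones worth checking in a real rollout: a sealed object moved to another namespace (or applied with a different name) must not decrypt, and nothing in Git must be recoverable without the controller's private key, which also means that key's backup and rotation procedure is the real security boundary.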