ArgoCD Secrets Management: Sealed Secrets, External Secrets Operator, and SOPS

Calendar February 22, 2026
Cicd
Intermediate
Gitops-Secrets, Secrets-Management, Argocd-Patterns
Argocd, Gitops, Secrets, Sealed-Secrets, External-Secrets, Sops, Security
Argocd, Kubectl, Kubeseal, Sops, External-Secrets

ArgoCD Secrets Management#

GitOps says everything should be in Git. Kubernetes Secrets are base64-encoded, not encrypted. Committing base64 secrets to Git is equivalent to committing plaintext – anyone with repo access can decode them. This is the fundamental tension of GitOps secrets management.

Three approaches solve this, each with different tradeoffs.

Approach 1: Sealed Secrets#

Sealed Secrets encrypts secrets client-side so the encrypted form can be safely committed to Git. Only the Sealed Secrets controller running in-cluster can decrypt them.

Securing Docker-Based Validation Templates

Calendar February 22, 2026
Security
Intermediate
Docker-Compose-Hardening, Container-Security-Configuration, Secrets-Management, Network-Segmentation
Docker, Docker-Compose, Container-Security, Non-Root, Capabilities, Resource-Limits, Secrets-Management, Network-Isolation, Health-Checks
Docker, Docker-Compose, Trivy, Openssl

Securing Docker-Based Validation Templates#

Validation templates define the environment agents use to test infrastructure changes. If a template runs containers as root, mounts the Docker socket, or skips resource limits, every agent that copies it inherits those risks. This reference covers the security patterns every docker-compose validation template must follow.

1. Non-Root Execution#

Containers run as root by default. A vulnerability in a root-running process gives an attacker full control inside the container and a much larger attack surface for container escapes.