Secrets Management Decision Framework: From POC to Production

Calendar February 22, 2026
Kubernetes
Intermediate
Secret-Management, Kubernetes-Security, Security-Architecture
Secrets, Sealed-Secrets, External-Secrets, Vault, Security, Decision-Framework
Kubectl, Kubeseal, External-Secrets, Vault

The Secret Zero Problem#

Every secrets management system has the same fundamental challenge: you need a secret to access your secrets. Your Vault token is itself a secret. Your AWS credentials for SSM Parameter Store are themselves secrets. This is the “secret zero” problem – there is always one secret that must be bootstrapped outside the system.

Understanding this helps you make pragmatic choices. No tool eliminates all risk. The goal is to reduce the blast radius and make rotation possible.

ArgoCD Secrets Management: Sealed Secrets, External Secrets Operator, and SOPS

Calendar February 22, 2026
Cicd
Intermediate
Gitops-Secrets, Secrets-Management, Argocd-Patterns
Argocd, Gitops, Secrets, Sealed-Secrets, External-Secrets, Sops, Security
Argocd, Kubectl, Kubeseal, Sops, External-Secrets

ArgoCD Secrets Management#

GitOps says everything should be in Git. Kubernetes Secrets are base64-encoded, not encrypted. Committing base64 secrets to Git is equivalent to committing plaintext – anyone with repo access can decode them. This is the fundamental tension of GitOps secrets management.

Three approaches solve this, each with different tradeoffs.

Approach 1: Sealed Secrets#

Sealed Secrets encrypts secrets client-side so the encrypted form can be safely committed to Git. Only the Sealed Secrets controller running in-cluster can decrypt them.