https://vo.rs/tags/secrets/Secrets - Tag - vo.rsHugo -- gohugo.ioenThis work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.Thu, 19 Dec 2024 10:00:00 +0000https://vo.rs/story/kubernetes-secrets-management-sops-sealed-secrets-or-external-secrets/<p>Kubernetes Secrets are not secret. That&rsquo;s the first thing nobody tells you. A <code>Secret</code> object is base64-encoded YAML sitting in etcd, and base64 is encoding, not encryption — anyone with <code>get secrets</code> on the namespace can read it back in plaintext with a single command. Encryption at rest in etcd helps a little, but the real problem turns up the moment you adopt GitOps: now you want everything in a repo, and committing a base64 blob of your database password to Git is the kind of decision that ends careers. So you reach for tooling. There are three serious contenders, and I&rsquo;ve run all of them in anger.</p>Thu, 19 Dec 2024 10:00:00 +0000