Secrets Management: SOPS & Sealed Secrets

This document outlines free and secure approaches to storing and deploying secrets in Kubernetes.

1. SOPS (Secret OPerationS)

Overview

Encrypt YAML files in Git using a public GPG key. Decrypt only at deploy time.

Setup

Generate GPG key (if not existing):
```
gpg --full-generate-key
```

Encrypt a secret:

sops --encrypt --pgp <GPG_KEY_ID> secret-values.yaml > secret-values.enc.yaml

Commit the encrypted file (.enc.yaml) to Git (safe to share).

Usage in CI/CD

GitHub Actions step to decrypt:

- name: Decrypt secrets
  run: |
    gpg --import private.key
    sops --decrypt secret-values.enc.yaml > secret-values.yaml

Use secret-values.yaml as helm --values input.

2. Sealed Secrets (Bitnami)

Overview

Kubernetes controller that decrypts SealedSecret objects into native Secret at runtime.
Uses cluster-only private key, so sealed secrets are safe in Git.

Installation

kubectl apply -f \
  https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.17.5/controller.yaml

Workflow

Create plain secret:

kubectl create secret generic db-creds \
  --from-literal=username=admin \
  --from-literal=password=s3cr3t \
  --dry-run=client -o yaml > secret.yaml

Seal it:

kubeseal < secret.yaml > sealedsecret.yaml

Commit sealedsecret.yaml to Git.
ArgoCD or manual kubectl apply -f sealedsecret.yaml will create the real Secret in the cluster.

3. Best Practices

Rotate keys: Regularly rotate GPG keys and SealedSecrets controller keys.
Audit logs: Enable audit logging in Kubernetes to track secret access.
Least privilege: Limit which namespaces/service accounts can decrypt secrets.

Document Version: 1.0
Date: 2025-06-21
Author: ArturChernets

1. SOPS (Secret OPerationS)​

Overview​

Setup​

Usage in CI/CD​

2. Sealed Secrets (Bitnami)​

Overview​

Installation​

Workflow​

3. Best Practices​

1. SOPS (Secret OPerationS)

Overview

Setup

Usage in CI/CD

2. Sealed Secrets (Bitnami)

Overview

Installation

Workflow

3. Best Practices