Secrets

Secrets Management

Kubeseal

sealed-secrets can be used to store secrets in Kubernetes with Argo CD.

Fetch the certificate that you will use to encrypt your secrets, and store it in .secrets/<CLOUD>/<ENV>/sealed-secrets/cert.pem :

❯ kubeseal --fetch-cert --controller-name=sealed-secrets -n kube-system > .secrets/aws/staging/sealed-secrets/cert.pem

Create a SealedSecret from a file:

❯ make kubeseal-encrypt CLOUD=aws ENV=staging \
    FILE=.secrets/aws/staging/kube-prometheus-stack/object-store.yaml \
    NAME=thanos-objstore-config NAMESPACE=monitoring \
    > ./gitops/argocd/apps/aws/staging/apps/thanos-objstore-config.yaml

Sops

Sops is used to manage secrets with FluxCD.

Create an Age key for each cloud provider and environment, and store it in:

.secrets/<CLOUD_PROVIDER>/<ENV>/age/age.agekey

Put your sensitive data into the directory .secrets or .secrets/<CLOUD_PROVIDER>/<ENV>/<APPLICATION>.

Then deploy the Age key into a Kubernetes secret:

❯ make sops-age-secret CLOUD=<CLOUD_PROVIDER> ENV=<ENV> NAMESPACE=flux-system
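Only the sops-encrypted files under .secrets belong in Git; the Age private key and any still-plaintext manifest must not. The following guard is an added example, not part of the Portefaix tooling: it walks a .secrets/<CLOUD>/<ENV>/<APP> tree and flags every Kubernetes Secret manifest that sops has not encrypted for an age recipient. The sample manifests it builds are constructed placeholders, not real encrypted data.

```shell
# Added example, not part of the Portefaix tooling: a pre-commit guard for the
# .secrets/<CLOUD>/<ENV>/<APP> tree. A Secret manifest passes only when sops has
# encrypted it for an age recipient and every data/stringData value is ENC[...].

# is_sops_encrypted FILE -> 0 when FILE looks sops/age encrypted, 1 otherwise
is_sops_encrypted() {
    grep -q '^sops:' "$1" || return 1
    grep -q 'recipient: age1' "$1" || return 1
    # only values indented under a top-level data:/stringData: key are inspected
    awk '
        /^(data|stringData):/ { insec = 1; next }
        /^[^ \t]/             { insec = 0 }
        insec && /^[ \t]+[^ \t:]+:/ {
            sub(/^[ \t]+[^:]+:[ \t]*/, "")
            if ($0 !~ /^ENC\[AES256_GCM,/) bad = 1
        }
        END { exit bad }' "$1"
}

# scan_secrets DIR -> reports plaintext Secret manifests on stderr; returns their count
scan_secrets() {
    bad=0
    for f in $(find "$1" \( -name '*.yaml' -o -name '*.yml' \)); do
        grep -q '^kind: Secret' "$f" || continue
        is_sops_encrypted "$f" || { echo "PLAINTEXT SECRET: $f" >&2; bad=$((bad + 1)); }
    done
    return "$bad"
}

# make_fixture -> prints a temp dir holding one sops-encrypted and one plaintext
# manifest (constructed sample data; recipient and ENC payload are placeholders)
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/aws/staging/kube-prometheus-stack" "$d/aws/staging/grafana"
    cat > "$d/aws/staging/kube-prometheus-stack/object-store.yaml" <<'EOF'
apiVersion: v1
kind: Secret
stringData:
    objstore.yml: ENC[AES256_GCM,data:CONSTRUCTED,iv:CONSTRUCTED,tag:CONSTRUCTED,type:str]
sops:
    age:
        - recipient: age1CONSTRUCTEDRECIPIENT
EOF
    printf 'kind: Secret\nstringData:\n    admin-password: not-encrypted-yet\n' > "$d/aws/staging/grafana/admin.yaml"
    echo "$d"
}

dir=$(make_fixture)
scan_secrets "$dir" || echo "refusing to commit: $? plaintext Secret manifest(s)"
rm -rf "$dir"
```

Run `scan_secrets .secrets` from a pre-commit hook and abort the commit on a non-zero return.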

External Secrets Operator

ESO is a Kubernetes operator that reads information from external APIs and automatically injects the values into a Kubernetes Secret.

ESO backends used on Portefaix:

  • AWS Secrets Manager
  • Google Secrets Manager
  • Azure Key Vault
  • AKeyless

Last modified February 23, 2024: feat(hugo): refactoring to fresh Hugo (cf7d6fc)