Hey everyone! I've been diving into Kubernetes and have set up a homelab cluster, where I'm utilizing GitOps practices with ArgoCD. As I plan out my secrets management strategy, a related question has popped up for me. How do I keep sensitive parameters, like hostnames, domains, and IP addresses, safe when they aren't classified as secrets? For instance, some of my ingresses contain my purchased domain, and even though I'm using internal DNS records, I prefer not to expose that info on GitHub. I've seen that FluxCD has a post-build variable substitution feature that might address this, but I'm keen to find a solution using Kustomize or ArgoCD. Any insights or additional solutions? Am I being overly cautious here? Thanks!
1 Answer
I've faced a similar issue! For actual secrets, I use the External Secrets Operator, but I wanted a way to handle "sensitive non-secrets" too. You might want to check out the Argo CD Vault Plugin, though getting it set up can be a bit tricky. KSOPS is another alternative that might work with Argo CD as well.
I’ve been thinking about using Vault for the External Secrets Operator, so I'll definitely look into the ArgoCD plugin! Thanks!
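For reference, this is roughly what the Argo CD Vault Plugin approach mentioned in the answer looks like for an Ingress. It is an added example, not a manifest posted by anyone in the thread. The app name `whoami`, the Vault path `secret/data/homelab/network` and the key `domain` are assumptions, and the plugin is assumed to be already installed in Argo CD and pointed at a Vault KV v2 backend.

```yaml
# Added example: this is the file committed to Git; it contains no real domain.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: whoami                         # hypothetical app name
  annotations:
    # Tells the plugin where to look up the <placeholder> keys used below.
    # Hypothetical Vault KV v2 path (note the "data" segment).
    avp.kubernetes.io/path: "secret/data/homelab/network"
spec:
  rules:
    - host: "whoami.<domain>"          # <domain> is filled from the Vault key "domain"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: whoami
                port:
                  number: 80
  tls:
    - hosts:
        - "whoami.<domain>"
      secretName: whoami-tls           # hypothetical TLS secret name
```

The substitution happens when Argo CD renders the manifest, so the real hostname still appears in the live Ingress object and in the Argo CD UI; only the Git repository stays free of it.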