How to Handle Sensitive Parameters in ArgoCD without Using Secrets?

Asked By CuriousK8sNerd99 On

Hey everyone! Happy Wednesday! I'm diving into my homelab Kubernetes setup and I've been working on implementing GitOps with ArgoCD. While I'm figuring out my secrets management, I've hit a snag with sensitive information that isn't classified as secrets. Specifically, I'm concerned about things like hostnames, domains, and IP addresses being exposed on GitHub. For instance, my ingress configurations include my purchased domain, and even though I'm only using internal DNS records, I want to keep that info private.

I've read that FluxCD has a feature for post-build variable substitution that could address this, but I'm hoping to find a way to manage it using Kustomize or ArgoCD instead. Does anyone have suggestions for handling this kind of sensitive data? Am I being overly cautious? Thanks!

5 Answers

Answered By PrivacyAwareTechie On

Another option is to just make your repository private if that's a major concern.

Answered By KubeMasterFlex On

I faced a similar issue with sensitive non-secrets. For actual secrets, I utilize the External Secrets Operator, but I also wanted a way to template sensitive data. The Argo CD Vault Plugin can be a potential solution, although the setup can be tricky. I've been looking into other options like KSOPS that also work with Argo CD.

Answered By ArgoCDGuru On

ArgoCD can perform substitutions too, similar to the vault plugin. Just a heads up though, I've tried the AVP and found it quite temperamental. Everything needs to be perfect, and it gets tricky with using value files. My workaround has been to deploy two charts—one for syncing secrets with the External Secrets Operator and the other for the main app with helm lookups. Still testing that out.

Answered By DevOpsDude42 On

Honestly, why have sensitive info in a public GitHub repo at all? You could consider making it private.

Answered By K8sExplorer On

Curious where these non-secrets are defined? Are they in ingresses, certificates, or somewhere else?
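One way to inventory where such values sit before a repository is pushed, as an added example that is not part of the thread: a standard-library Python scan that reports, per resource kind, each line carrying a private domain or a non-public IPv4 address. The domain `homelab.example`, the sample manifests, and the function name `find_exposures` are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed, trimmed manifest fragments; homelab.example and the IPs are placeholders.
SAMPLE = """\
kind: Ingress
spec:
  rules:
    - host: grafana.homelab.example
---
kind: Certificate
spec:
  dnsNames:
    - "*.homelab.example"
---
kind: Service
spec:
  externalIPs:
    - 192.168.10.20
  clusterIP: 10.43.0.15
"""

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def find_exposures(text, private_domains):
    """Return (line_no, kind, value) for private domains (with any subdomain
    or wildcard label in front) and for non-public IPv4 addresses."""
    names = "|".join(re.escape(d) for d in private_domains)
    domain_re = re.compile(r"(?<![\w.-])(?:[\w*-]+\.)*(?:%s)(?!\.?[\w-])" % names, re.I)
    findings, kind = [], "?"
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip() == "---":               # start of a new YAML document
            kind = "?"
            continue
        top = re.match(r"kind:\s*(\S+)", line)  # unindented, so top-level key only
        if top:
            kind = top.group(1)
        findings += [(no, kind, hit) for hit in domain_re.findall(line)]
        for hit in IPV4.findall(line):
            try:
                ip = ipaddress.ip_address(hit)
            except ValueError:                  # e.g. 999.1.1.1 is not an address
                continue
            if not ip.is_global and not ip.is_unspecified:
                findings.append((no, kind, hit))
    return findings

if __name__ == "__main__":
    for no, kind, value in find_exposures(SAMPLE, ["homelab.example"]):
        print(f"line {no}: {kind}: {value}")
```

Comments are scanned on purpose, since they are published along with the manifest; public addresses and `0.0.0.0` are not reported.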
