Hey everyone! I'm setting up Vault and the Vault operator in my home Kubernetes cluster to manage secrets. I'm curious about the best practices for automating Vault's management, specifically around creating key-value pairs and policies in a declarative way. Ideally, I'd like to integrate this process with Argo CD. Does anyone have suggestions or experiences to share?
4 Answers
Have you looked into Bank Vaults? They might be able to do exactly what you're looking for!
We handle Vault management through Terraform, using it to manage auth, backends, and policies. For installation, we use Flux with Helm since we have around 800 clients relying on it, so automation is key!
Though I haven't implemented it yet, I've heard great things about github-sops. It seems like a solid choice for managing secrets through Git and could work well with ArgoCD. Check out the documentation—once set up, it appears to be a straightforward method for dealing with secrets, especially when people join or leave the team.
Our setup also employs Terraform with git-crypt for encryption. When changes are merged, a pipeline triggers the application of those changes automatically. We restrict write access to the pipeline user only. The review process can be tedious since we have to pull branches for reviewing. I considered using Atlantis or ArgoCD instead, but couldn't figure out the encryption setup in time.
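As an added illustration of the Terraform approach mentioned in the two Terraform answers above (example code, not from either answerer): it mounts a KV v2 engine, writes one secret from a sensitive variable, attaches a read-only policy to it, and binds that policy to a Kubernetes auth role so a workload never needs a static token. The mount path, secret name, service account, namespace and in-cluster API address are assumed values.

```hcl
# Reads VAULT_ADDR / VAULT_TOKEN from the environment (the pipeline user's token).
provider "vault" {}

# KV v2 engine at a dedicated mount (path name is hypothetical).
resource "vault_mount" "apps" {
  path    = "apps"
  type    = "kv"
  options = { version = "2" }
}

# Secret value is supplied at apply time, so no plaintext is committed to Git.
variable "grafana_admin_password" {
  type      = string
  sensitive = true
}
resource "vault_kv_secret_v2" "grafana" {
  mount     = vault_mount.apps.path
  name      = "grafana/admin"
  data_json = jsonencode({ password = var.grafana_admin_password })
}

# Least-privilege policy: read access to exactly one KV v2 data path.
resource "vault_policy" "grafana_reader" {
  name   = "grafana-reader"
  policy = <<-EOT
    path "apps/data/grafana/admin" {
      capabilities = ["read"]
    }
  EOT
}

# Kubernetes auth: the pod logs in with its service-account token and gets a short-lived Vault token carrying only the policy above.
resource "vault_auth_backend" "kubernetes" {
  type = "kubernetes"
}

resource "vault_kubernetes_auth_backend_config" "this" {
  backend         = vault_auth_backend.kubernetes.path
  kubernetes_host = "https://kubernetes.default.svc:443" # assumed in-cluster API address
}

resource "vault_kubernetes_auth_backend_role" "grafana" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "grafana"
  bound_service_account_names      = ["grafana"]
  bound_service_account_namespaces = ["monitoring"]
  token_policies                   = [vault_policy.grafana_reader.name]
  token_ttl                        = 3600
}
```

Note that the secret value still ends up in Terraform state, so the state backend must be remote and encrypted, and the variable's input is exactly the piece the git-crypt or sops setups above are protecting.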

How are you handling secret encryption at rest? I'm struggling with the review process too—it feels slow for quick changes!