I'm the only Platform Engineer at my startup, and we're currently keeping our K8s ConfigMaps that hold secrets in a repo. My higher-ups are against using cloud provider secret managers or third-party solutions, as they prefer a fully cloud-agnostic approach and want to avoid costs. I've played around with HashiCorp Vault, ExternalSecrets, and AWS Secrets Manager in my previous roles, but now I'm looking into Bitnami Sealed Secrets and SOPS. I'd like to use SOPS mainly since our secrets are wrapped in ConfigMaps; I can encrypt them in our repo and then decrypt for our EKS clusters. My question is: Is using SOPS for this purpose secure enough? I'm aware that ConfigMaps don't encrypt at rest like Secrets do, but I'm wondering if this method is still a valid choice considering the security of access to the cluster is restricted.
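The workflow the question describes is `sops --encrypt --age <recipient> --encrypted-regex '^(data|stringData)$' -i cm.yaml` in the repo and `sops --decrypt` at deploy time, which leaves the manifest structure readable and turns only the values under `data:`/`stringData:` into `ENC[AES256_GCM,...]` strings. SOPS therefore protects the secrets at rest in git; once the decrypted ConfigMap is applied it sits in etcd as plaintext, which is the at-rest gap the question already points out. The failure mode worth guarding against on the repo side is a value that is added or edited by hand after encryption and committed in the clear. The following is an added example, not code from the question or from SOPS, of a small pre-commit style check for that: it walks the `data:`/`stringData:` sections of a manifest and reports every value that is not SOPS ciphertext, and refuses files that lack the top-level `sops:` metadata block. The manifests are constructed samples whose ciphertext fields are placeholders shaped like SOPS output; the line-based parsing assumes the flat key/value layout kubectl and SOPS emit rather than arbitrary YAML.

```python
import re
from typing import List

# Shape of a value after SOPS has encrypted it: AES-256-GCM ciphertext, IV and tag, base64.
ENC_VALUE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:[a-z]+\]$"
)
SECRET_SECTIONS = ("data", "stringData")

# Constructed sample: a ConfigMap as it looks after the sops --encrypt call above.
# The ENC[...] fields and the age block are placeholders, not real ciphertext.
ENCRYPTED_MANIFEST = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
  namespace: prod
data:
  DB_PASSWORD: ENC[AES256_GCM,data:Zm9vYmFy,iv:AAAA,tag:BBBB,type:str]
  API_KEY: ENC[AES256_GCM,data:YmF6,iv:CCCC,tag:DDDD,type:str]
sops:
  age:
  - recipient: age1placeholderrecipient
    enc: |
      -----BEGIN AGE ENCRYPTED FILE-----
      cGxhY2Vob2xkZXI=
      -----END AGE ENCRYPTED FILE-----
  mac: ENC[AES256_GCM,data:bWFj,iv:EEEE,tag:FFFF,type:str]
  encrypted_regex: ^(data|stringData)$
"""

# Constructed sample: the same ConfigMap before encryption (must never reach git).
PLAINTEXT_MANIFEST = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  DB_PASSWORD: hunter2
  API_KEY: "sk-constructed-example"
"""

# Constructed sample: a Secret whose WEBHOOK_URL was added by hand after encryption.
PARTIAL_MANIFEST = """\
apiVersion: v1
kind: Secret
metadata:
  name: app-token
stringData:
  TOKEN: ENC[AES256_GCM,data:dG9r,iv:GGGG,tag:HHHH,type:str]
  WEBHOOK_URL: https://hooks.example.invalid/constructed
sops:
  age:
  - recipient: age1placeholderrecipient
"""


def find_plaintext(manifest: str) -> List[str]:
    """Return 'section/key' for every data:/stringData: entry that is not SOPS ciphertext.

    Line-based: a non-indented 'data:' or 'stringData:' opens a section, the next
    non-indented key closes it. Continuation lines of a block scalar (which SOPS
    never leaves behind once a value is encrypted) are reported as unparsed.
    """
    findings: List[str] = []
    section = None
    for raw in manifest.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            head = raw.split(":", 1)[0].strip()
            in_section = head in SECRET_SECTIONS and raw.rstrip().endswith(":")
            section = head if in_section else None
            continue
        if section is None:
            continue
        m = re.match(r"^\s+([^:#]+?):\s*(.*)$", raw)
        if not m:
            findings.append(f"{section}/<unparsed line>")
            continue
        key, value = m.group(1), m.group(2).strip().strip("'\"")
        if not ENC_VALUE.match(value):
            findings.append(f"{section}/{key}")
    return findings


def has_sops_metadata(manifest: str) -> bool:
    """True when the file carries the top-level sops: block (recipients, MAC, regex)."""
    return any(line.rstrip() == "sops:" for line in manifest.splitlines())


def safe_to_commit(manifest: str) -> bool:
    """Gate: all secret values are ciphertext and the SOPS metadata is present."""
    return has_sops_metadata(manifest) and not find_plaintext(manifest)


if __name__ == "__main__":
    for name, text in (("encrypted", ENCRYPTED_MANIFEST),
                       ("plaintext", PLAINTEXT_MANIFEST),
                       ("partial", PARTIAL_MANIFEST)):
        print(name, "safe" if safe_to_commit(text) else f"BLOCKED {find_plaintext(text)}")
```

Wired into a pre-commit hook over `*.yaml` under the secrets directory, this catches the hand-edited case before it lands in history; it says nothing about the in-cluster side, where the decrypted ConfigMap is only as protected as etcd encryption and RBAC make it.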
2 Answers
Consider going with Sealed Secrets instead—it's often easier for beginners and can handle automated tasks. If you want advanced features like auditing and sharing, then Vault is the way to go. It really depends on how complex your needs are.
Honestly, setting up SOPS is worthwhile, but if you have the time, investing in Vault could pay off more in the long run. SOPS can work, but managing separate keys for different environments and teams means you'll have to be on top of key rotation, which can be a hassle.

Totally! You can stretch Sealed Secrets a good bit with tools like kubesealplus for more functionality.