I'm currently using **sealed-secrets** for encrypting my secret YAMLs since it meshes well with **ArgoCD** when unsealed in the cluster. Right now, I keep secrets in a private Git repository, seal them using a script, and sync everything into the GitOps repo's folders. I've considered **Vault**, but I'm unsure about its licensing and the complexity of managing it. In cases where security isn't a top concern, are there better alternatives to what I'm doing? Thanks for any insights!
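The seal-and-sync workflow the question describes, as an added example (not the poster's script and not code from the sealed-secrets project): it assumes `kubeseal` is on PATH, that the controller's public certificate was fetched beforehand with `kubeseal --fetch-cert`, and uses illustrative directory names.

```shell
#!/bin/sh
# Seal every plaintext Secret manifest under SRC_DIR into DEST_DIR (the folder
# inside the GitOps repo), mirroring the layout, then refuse to finish if any
# plaintext Secret is sitting in the GitOps tree. Paths below are illustrative.
set -eu

SRC_DIR="${SRC_DIR:-./private-secrets}"   # private repo checkout (plaintext)
DEST_DIR="${DEST_DIR:-./gitops/secrets}"   # folder inside the GitOps repo
PUB_CERT="${PUB_CERT:-./pub-cert.pem}"     # controller public key (kubeseal --fetch-cert)

# Heuristic line check, not a YAML parse: a plain Secret is "kind: Secret" with a
# data/stringData block. SealedSecret manifests use kind: SealedSecret and pass.
is_plaintext_secret() {
  grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$1" &&
  grep -Eq '^(data|stringData):' "$1"
}

# Seal one manifest: kubeseal reads the Secret on stdin and emits a SealedSecret.
seal_one() {
  mkdir -p "$(dirname "$2")"
  kubeseal --cert "$PUB_CERT" --format yaml < "$1" > "$2"
}

# Fail (status 1) if a plaintext Secret is in the GitOps folder: catches a file
# copied by hand or a seal step that was skipped.
audit_dest() {
  find "$DEST_DIR" -type f \( -name '*.yaml' -o -name '*.yml' \) |
  while IFS= read -r f; do
    if is_plaintext_secret "$f"; then
      echo "ERROR: plaintext Secret in GitOps tree: $f" >&2
      exit 1   # exits the loop's subshell, so the function returns 1
    fi
  done
}

# Seal the whole tree, skipping non-Secret manifests, then audit the result.
seal_tree() {
  find "$SRC_DIR" -type f \( -name '*.yaml' -o -name '*.yml' \) |
  while IFS= read -r f; do
    rel="${f#"$SRC_DIR"/}"
    if is_plaintext_secret "$f"; then
      seal_one "$f" "$DEST_DIR/$rel"
    else
      echo "skip (not a plaintext Secret): $rel" >&2
    fi
  done
  audit_dest
}

if [ "${1:-}" = "run" ]; then seal_tree; fi
```

Run it as `sh seal.sh run` from the directory holding both checkouts; the audit step is what stops a hand-copied plaintext Secret from reaching the GitOps repo.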
5 Answers
If you’re using this setup in a homelab, it’s probably sufficient for now. You could explore deploying Vault or Passbolt later if needed. For production use, though, it's a bit concerning; it’s similar to SOPS, which is easy to use but may not scale well. What issues are you anticipating with scaling?
A lot of people recommend using External Secrets Operator, though they've mentioned some support issues lately. I think it’s still a solid choice for new projects, but it's worth considering their current support situation. What do you think? Would you still go with them?
Have you considered OpenBao as an alternative to Vault? The licensing issue with Vault can be a hassle, but OpenBao is simpler to manage. Given that you're in the cloud, both AWS and Azure offer native services that integrate nicely with External Secrets Operator. If sealed secrets meet your needs now, it’s worth asking why you’d change things up.
If you're a 1Password user, their connector for Kubernetes might be a really handy option for secret management. Just something to think about if you're looking for tools that play well with K8s!
I've been using Infisical with their operator to sync secrets directly into native K8s secrets. It's open-source with a nice UI and I think they also have a cloud option if you prefer that route.