Safely handle secrets on your GitOps flow
GitOps is a way of implementing Continuous Deployment for cloud-native applications. It aims to provide a developer-centric experience when operating infrastructure, utilizing tools developers are already familiar with, including Git and Continuous Deployment tools.
GitOps = IaC + PRs + CI/CD
Another central feature of a modern application is the use of environment variables to store your application’s configuration, per the third item of the Twelve-Factor methodology. However, in most use cases, these configs are sensitive. How can one (safely) keep them inside a git repository? By the end of this article, you’ll know one of the ways to do so. I’ll show you examples using ArgoCD, Helm (including a plugin named helm-secrets), and SOPS.
The ArgoCD team holds that the project should stay unopinionated about how secrets are managed, as “there’s just so many ways to do it, and there’s no one-size-fits-all solution that satisfies everyone’s use case.” However, the helm-secrets maintainers tell us that we have two options for integrating helm-secrets with ArgoCD. I’ve decided to extend Argo’s base image, adding some improvements on top.
We’ll focus on three files:
- Dockerfile: where we’ll extend the ArgoCD base image with helm-secrets and kubectl