Declarative secret management for GitOps with Kapitan
In this post I would like to compare different ways to manage secrets in code, with a focus on Kubernetes, although most of it applies more broadly.
In “Managing secrets with Kapitan” I already introduced the approach we promote, but with the release of Tesoro, our new secrets admission controller, it is time to review the different approaches and show why we prefer ours.
When discussing approaches to managing secrets, the solutions that usually come to mind are the excellent Mozilla Sops and Bitnami Sealed Secrets (I will get to Vault in a second).
For Mozilla Sops, an excellent introduction is https://itnext.io/managing-kubernetes-secrets-securely-with-gitops-b8174b4f4d30
For Bitnami Sealed Secrets, you can have a look here: https://aws.amazon.com/blogs/opensource/managing-secrets-deployment-in-kubernetes-using-sealed-secrets/
However, while they are excellent for handling existing secrets, they add nothing to the process of creating the secrets, or rather…