Secret Management

Argo CD is un-opinionated about how secrets are managed. There are many ways to do it, and there’s no one-size-fits-all solution.

Many solutions use plugins to inject secrets into the application manifests. See Mitigating Risks of Secret-Injection Plugins below to make sure you use those plugins securely.

Here are some ways people are doing GitOps secrets:

• Bitnami Sealed Secrets
• External Secrets Operator
• Hashicorp Vault
• Bank-Vaults
• Helm Secrets
• Kustomize secret generator plugins
• aws-secret-operator
• KSOPS
• argocd-vault-plugin
• argocd-vault-replacer
• Kubernetes Secrets Store CSI Driver
• Vals-Operator
• argocd-secret-replacer

For discussion, see #1364

Mitigating Risks of Secret-Injection Plugins

Argo CD caches the manifests generated by plugins, along with the injected secrets, in its Redis instance. Those manifests are also available via the repo-server API (a gRPC service). This means that the secrets are available to anyone who has access to the Redis instance or to the repo-server.

Consider these steps to mitigate the risks of secret-injection plugins:

1. Set up network policies to prevent direct access to Argo CD components (Redis and the repo-server). Make sure your cluster supports those network policies and can actually enforce them.
2. Consider running Argo CD on its own cluster, with no other applications running on it.