Secret Management

Argo CD is un-opinionated about how secrets are managed. There are many ways to do it, and there’s no one-size-fits-all solution.

Many solutions use plugins to inject secrets into the application manifests. See Mitigating Risks of Secret-Injection Plugins below to make sure you use those plugins securely.

Here are some ways people are doing GitOps secrets:

• Bitnami Sealed Secrets
• GoDaddy Kubernetes External Secrets
• External Secrets Operator
• Hashicorp Vault
• Banzai Cloud Bank-Vaults
• Helm Secrets
• Kustomize secret generator plugins
• aws-secret-operator
• KSOPS
• argocd-vault-plugin
• argocd-vault-replacer

For discussion, see #1364

Mitigating Risks of Secret-Injection Plugins

Argo CD caches the manifests generated by plugins, along with the injected secrets, in its Redis instance. Those manifests are also available via the repo-server API (a gRPC service). This means that the secrets are available to anyone who has access to the Redis instance or to the repo-server.

Consider these steps to mitigate the risks of secret-injection plugins:

1. Set up network policies to prevent direct access to Argo CD components (Redis and the repo-server). Make sure your cluster supports those network policies and can actually enforce them.
2. Consider running Argo CD on its own cluster, with no other applications running on it.
3. Enable password authentication on the Redis instance (currently only supported for non-HA Argo CD installations).