Secret Management
Kubernetes Secrets store sensitive data such as passwords and API keys. A native Secret is only base64-encoded, not encrypted: anyone who can read the object can recover the value with a single decode, and the value sits unencrypted in etcd unless encryption at rest has been configured. Several tools add proper encryption and integration with external secret stores.
Sealed Secrets
Sealed Secrets encrypt secrets client-side so they can be safely stored in Git:
```bash
# Install the kubeseal CLI
brew install kubeseal

# Create a regular secret, then seal it
kubectl create secret generic db-creds \
  --from-literal=password=supersecret \
  --dry-run=client -o yaml | \
  kubeseal --format yaml > sealed-secret.yaml

# Apply the sealed secret (controller decrypts it in-cluster)
kubectl apply -f sealed-secret.yaml

# Verify the secret was created
kubectl get secret db-creds
```
External Secrets Operator
The External Secrets Operator syncs secrets from external providers like AWS Secrets Manager, HashiCorp Vault, or GCP Secret Manager:
```bash
# Install the operator into its own namespace
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets \
  -n external-secrets --create-namespace

# Check the operator is running
kubectl get pods -n external-secrets
```
Define an ExternalSecret resource that references your secret store:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: db-creds
  data:
    - secretKey: password
      remoteRef:
        key: secret/data/production/db
        property: password
```
Vault Integration
```bash
# Check external secret sync status
kubectl get externalsecrets
kubectl describe externalsecret db-credentials

# View synced secret (values are base64 encoded)
kubectl get secret db-creds -o jsonpath='{.data.password}' | base64 -d
```
Never store raw secrets in Git. Use Sealed Secrets for GitOps workflows, or the External Secrets Operator when secrets should live in a centralized store and be synced into the cluster.
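A small pre-commit style check that enforces the rule above, added here as an example and not part of kubeseal or the External Secrets Operator: it scans a multi-document YAML manifest and reports any `kind: Secret` that carries inline `data` or `stringData` values, while `SealedSecret` and `ExternalSecret` documents pass because they hold ciphertext or a reference rather than the value. The parser is a deliberately lightweight line-based scan of top-level keys (no PyYAML dependency), and the sample manifest is constructed for the demonstration.

```python
import re

DOC_SEP = re.compile(r"^---\s*$", re.M)                      # YAML document separator
TOP_KEY = re.compile(r"^([A-Za-z][\w.-]*):\s*(.*?)\s*$")     # unindented "key: value"
NAME = re.compile(r"^\s+name:\s*(\S+)")                       # metadata.name child line

def _top_level(doc):
    """Map each top-level key to (inline value, list of indented child lines)."""
    keys, current = {}, None
    for line in doc.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = TOP_KEY.match(line)
        if m:
            current = m.group(1)
            keys[current] = (m.group(2).split(" #")[0].strip(), [])
        elif current is not None:
            keys[current][1].append(line)
    return keys

def find_plaintext_secrets(text):
    """Return (metadata.name, key) for each kind: Secret with inline data/stringData."""
    findings = []
    for doc in DOC_SEP.split(text):
        top = _top_level(doc)
        if top.get("kind", ("", []))[0] != "Secret":   # SealedSecret/ExternalSecret pass
            continue
        names = [NAME.match(c) for c in top.get("metadata", ("", []))[1]]
        name = next((m.group(1) for m in names if m), "<unnamed>")
        for key in ("data", "stringData"):
            value, children = top.get(key, ("", []))
            if children or value not in ("", "{}"):       # non-empty block or inline map
                findings.append((name, key))
    return findings

# Constructed input: one plaintext Secret (flagged) beside its sealed form (allowed).
SAMPLE_MANIFESTS = """\
kind: Secret
metadata:
  name: db-creds
data:
  password: c3VwZXJzZWNyZXQ=   # base64("supersecret"), not encryption
---
kind: SealedSecret
metadata:
  name: db-creds
spec:
  encryptedData:
    password: <ciphertext placeholder>
"""
```

Running `find_plaintext_secrets(SAMPLE_MANIFESTS)` returns `[("db-creds", "data")]`; wiring the function into a pre-commit hook over staged `*.yaml` files blocks the plaintext Secret while letting the sealed one through.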