Secrets Management with External Secrets, Argo CD and GitOps | Colin Wilson

[utterances-bot]

Secrets Management with External Secrets, Argo CD and GitOps | Colin Wilson

How to manage Kubernetes secrets using External Secrets and Argo CD with GitOps

https://colinwilson.uk/2022/08/22/secrets-management-with-external-secrets-argo-cd-and-gitops/

[cjroebuck]

Hi Colin, nice write-up.. i'm just wondering, doesn't seem like there is a way to bootstrap this declaratively as we can't store the vault-token or equivalent safely in the git repo, so we always have to have this immediate kubectl create secret... step in order to bring up every new cluster.

[colinwilson]

Thanks. 👍

Yep. This is an issue. I plan to cover how to solve this in a follow up post, along with alternative authentication methods... soon-ish.

[mattbator]

In researching different methods for securely pumping Secrets into Argo deployments this is easily among the best explained examples I've seen - kudos!

Similar to @cjroebuck, also interested to get your thoughts on fully automated deployment of a fresh cluster given the need to authenticate to your external secret store. I know ESO supports several auth methods for Vault, but it seems the only method that wouldn't require passing in some kind of token value would be with IRSA. That's a great option for those on EKS - but curious if you've come up with a more general purpose solution. Cheers!

[mlopez-eb]

Hi @colinwilson. Thank you for this awesome explanation of ESO. Was wondering if there was any update with that comment from @cjroebuck.

Your example really helped with my setup for EKS, but was wondering if you could do any example like this one with EKS

[sachajw]

HI Collin, this is genius! Thank you for taking the time to write this up. :-)