Tooling

Infrastructure Secrets

Vault, External Secrets, SOPS, sealed-secrets — how secrets reach your pods.

For application-side secret stores see Secrets Management (Doppler / Infisical / etc.). This page covers how those values get into clusters and onto disk safely.

Vault-style centralized stores

  • HashiCorp Vault — the heavyweight; rotation, dynamic secrets, PKI, transit encryption. Open-source community edition + commercial Enterprise.
  • OpenBao — open-source fork of Vault that stayed MPL after HashiCorp's BSL relicense. The default OSS pick now.
  • AWS Secrets Manager / Parameter Store — cloud-native.
  • GCP Secret Manager — cloud-native.
  • Azure Key Vault — cloud-native.
  • Infisical — modern open-source alternative; nice UI.
  • Bitwarden Secrets Manager — newer; for teams already on Bitwarden.

Sync into Kubernetes

  • External Secrets Operator (ESO) — sync from Vault / cloud secret managers / Doppler / Infisical into native Secret resources. The default in 2026.
  • Vault Secrets Operator — HashiCorp's official.
  • Vault Agent Injector — sidecars that read secrets at runtime.
  • CSI Secrets Store Driver — mounts secrets as files; pairs with provider plugins.

Encrypted-in-git

  • SOPS (Mozilla, now CNCF) — encrypt YAML / JSON / .env files in-place with KMS / age / GPG. The default for GitOps workflows.
  • age — modern alternative to GPG; pairs with SOPS.
  • sealed-secrets (Bitnami) — encrypt k8s Secret resources to a public key in your cluster; only the controller can decrypt. Simple, GitOps-friendly.
  • git-crypt — transparent encryption of specific files.
  • @dotenvx/dotenvx — encrypted .env.vault files for non-cluster apps.

Workload identity (skip the secret entirely)

  • AWS IAM Roles for Service Accounts (IRSA) — pods get AWS creds via OIDC.
  • GCP Workload Identity — same idea.
  • Azure Workload Identity — same idea.
  • SPIFFE / SPIRE — generic workload identity framework; cloud-agnostic.
  • This is the right answer for "my pod needs to call S3" — don't store keys at all.

Rotation / dynamic secrets

  • Vault dynamic secrets — generate per-request DB credentials, AWS STS tokens, SSH keys.
  • AWS Secrets Manager rotation — built-in for RDS / DocumentDB / Redshift.
  • CloudNativePG — rotates Postgres credentials internally.
  • Manual rotation should be eliminated wherever possible.

Patterns to adopt

  • Don't put secrets in environment variables in plain ConfigMaps / repos. Always SOPS-encrypted, or pulled from ESO.
  • Workload identity > stored credentials. If the cloud supports it, use it.
  • Vault unseal automation — auto-unseal with KMS so a node restart doesn't take down the cluster's secrets.
  • Audit log everything — who read which secret. Vault / cloud secret managers do this natively.
  • Rotate on incident. Compromised key → assume the secret is fully gone; rotate within hours.
  • Don't share secrets across environments. Prod / staging / dev each have their own.

Detection / hygiene

  • gitleaks, TruffleHog, GitGuardian — scan history for accidental commits.
  • GitHub Secret Scanning + Push Protection — default-on for public repos.

Pick this if…

  • Default GitOps secrets: SOPS + age in the repo, External Secrets Operator at runtime.
  • You want a real secrets server: Vault (commercial) or OpenBao (OSS).
  • All-AWS / GCP / Azure: the cloud-native secret manager + workload identity.
  • Tiny cluster, no Vault, no central store: sealed-secrets.
  • App-tier (not infra): see Secrets Management.

On this page