Infrastructure Secrets
Vault, External Secrets, SOPS, sealed-secrets — how secrets reach your pods.
For application-side secret stores see Secrets Management (Doppler / Infisical / etc.). This page covers how those values get into clusters and onto disk safely.
Vault-style centralized stores
- ★ HashiCorp Vault — the heavyweight; rotation, dynamic secrets, PKI, transit encryption. Open-source community edition + commercial Enterprise.
- ★ OpenBao — open-source fork of Vault that stayed MPL after HashiCorp's BSL relicense. The default OSS pick now.
- AWS Secrets Manager / Parameter Store — cloud-native.
- GCP Secret Manager — cloud-native.
- Azure Key Vault — cloud-native.
- Infisical — modern open-source alternative; nice UI.
- Bitwarden Secrets Manager — newer; for teams already on Bitwarden.
Sync into Kubernetes
- ★ External Secrets Operator (ESO) — sync from Vault / cloud secret managers / Doppler / Infisical into native
Secretresources. The default in 2026. - Vault Secrets Operator — HashiCorp's official.
- Vault Agent Injector — sidecars that read secrets at runtime.
- CSI Secrets Store Driver — mounts secrets as files; pairs with provider plugins.
Encrypted-in-git
- ★ SOPS (Mozilla, now CNCF) — encrypt YAML / JSON / .env files in-place with KMS / age / GPG. The default for GitOps workflows.
- ★ age — modern alternative to GPG; pairs with SOPS.
- sealed-secrets (Bitnami) — encrypt k8s
Secretresources to a public key in your cluster; only the controller can decrypt. Simple, GitOps-friendly. - git-crypt — transparent encryption of specific files.
@dotenvx/dotenvx— encrypted.env.vaultfiles for non-cluster apps.
Workload identity (skip the secret entirely)
- ★ AWS IAM Roles for Service Accounts (IRSA) — pods get AWS creds via OIDC.
- GCP Workload Identity — same idea.
- Azure Workload Identity — same idea.
- SPIFFE / SPIRE — generic workload identity framework; cloud-agnostic.
- This is the right answer for "my pod needs to call S3" — don't store keys at all.
Rotation / dynamic secrets
- Vault dynamic secrets — generate per-request DB credentials, AWS STS tokens, SSH keys.
- AWS Secrets Manager rotation — built-in for RDS / DocumentDB / Redshift.
- CloudNativePG — rotates Postgres credentials internally.
- Manual rotation should be eliminated wherever possible.
Patterns to adopt
- ★ Don't put secrets in environment variables in plain ConfigMaps / repos. Always SOPS-encrypted, or pulled from ESO.
- Workload identity > stored credentials. If the cloud supports it, use it.
- Vault unseal automation — auto-unseal with KMS so a node restart doesn't take down the cluster's secrets.
- Audit log everything — who read which secret. Vault / cloud secret managers do this natively.
- Rotate on incident. Compromised key → assume the secret is fully gone; rotate within hours.
- Don't share secrets across environments. Prod / staging / dev each have their own.
Detection / hygiene
- gitleaks, TruffleHog, GitGuardian — scan history for accidental commits.
- GitHub Secret Scanning + Push Protection — default-on for public repos.
Pick this if…
- Default GitOps secrets: SOPS + age in the repo, External Secrets Operator at runtime.
- You want a real secrets server: Vault (commercial) or OpenBao (OSS).
- All-AWS / GCP / Azure: the cloud-native secret manager + workload identity.
- Tiny cluster, no Vault, no central store: sealed-secrets.
- App-tier (not infra): see Secrets Management.