Argo CD is un-opinionated about how secrets are managed. There are many ways to do it, and there's no one-size-fits-all solution.
Many solutions use plugins to inject secrets into the application manifests. See Mitigating Risks of Secret-Injection Plugins below to make sure you use those plugins securely.
Here are some ways people are doing GitOps secrets:
- Bitnami Sealed Secrets
- External Secrets Operator
- Hashicorp Vault
- Banzai Cloud Bank-Vaults
- Helm Secrets
- Kustomize secret generator plugins
- Kubernetes Secrets Store CSI Driver
For discussion, see #1364
Mitigating Risks of Secret-Injection Plugins¶
Argo CD caches the manifests generated by plugins, along with the injected secrets, in its Redis instance. Those manifests are also available via the repo-server API (a gRPC service). This means that the secrets are available to anyone who has access to the Redis instance or to the repo-server.
Consider these steps to mitigate the risks of secret-injection plugins:
- Set up network policies to prevent direct access to Argo CD components (Redis and the repo-server). Make sure your cluster supports those network policies and can actually enforce them.
- Consider running Argo CD on its own cluster, with no other applications running on it.
- Enable password authentication on the Redis instance (currently only supported for non-HA Argo CD installations).