by chakspak
1816 days ago
This article didn't add anything to the conversation. "Secret management" (i.e. having a non-ClickOps way to deploy secrets and a layer of security so that they're more than just not-configmaps) has been a black hole that has eluded our team for some time. Should I use SOPS? Sealed Secrets? Vault? KMS? How does this integrate with our GitOps engine? Kustomize has no sensible way to pass secrets built in. ArgoCD actually has to be rebuilt from source to even try any of these options out. Our current "best" practice is using Helm + Terraform, bootstrapping secrets with Terraform Cloud, and ensuring all services run in their own isolated namespace and service account. This feels inadequate. At this point, I really have no idea how people are using secrets in the wild.