Secrets management in GitOps workflow

[mmorejon]

The management of sensitive information and its storage in version control systems such as Git involves additional complexity to avoid this data being in plain text.

Currently there are multiple systems whose mission is to cover this need, but the decision is not easy, there are differences depending on the platform used, storage costs, disaster recovery techniques, among other elements. I think it would be interesting and timely to identify how teams should approach this issue, such as:

• what characteristics the system used must meet
• how to automate the generation of secret objects in code repositories
• where the encryption keys used should be stored
• object renewal techniques when changing the encryption key
• techniques or recommendations to remove sensitive information in plain text from version control

[o6uoq]

+1 for the above and any patterns/best practice vis-a-vis the likes of SOPS, HashiCorp Vault, etc.

[roberthstrand]

This topic will be covered by the @open-gitops/gitops-security content subgroup. If anyone wants to join and help, check out issue #128 to volunteer.