You may need to use Secrets, such as tokens, passwords, or private keys, when you manage applications. GitOps allows you to deploy applications from Git repositories. If you store Secrets in a Git repository as plaintext, they can be disclosed to anyone who can read the repository. Therefore, the GitOps system provides two solutions to help you enhance the security of Secrets.
GitOps provides the following solutions to help you manage Secrets:
Reference Secrets stored in Git repositories
Store encrypted Secrets in Git repositories
Reference Secrets stored in Git repositories
This solution maintains a Kubernetes resource manifest in a Git repository. The resources in the manifest reference Secrets stored in Key Management Service (KMS). When GitOps deploys a resource to a Container Service for Kubernetes (ACK) cluster, the operator retrieves the corresponding secret from KMS and creates a Kubernetes Secret in the ACK cluster.
You can use ExternalSecrets or the Kubernetes Secrets Store CSI Driver to implement this solution.
Distributed Cloud Container Platform for Kubernetes (ACK One) supports both methods. ACK One allows you to import Secrets from KMS to ACK clusters where your applications are deployed. For more information, see Use ack-secret-manager or csi-secrets-store-provider-alibabacloud to import secrets from KMS.
You can store Secrets in KMS, create an application manifest in the Git repository, and add ExternalSecret and SecretProviderClass resources. You can also define how a workload uses the Secrets.
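The following manifest is an added example, not taken from this page or from the ack-secret-manager project: it shows what is committed to Git for this solution, an ExternalSecret that points at a secret in KMS and a Deployment that consumes the Kubernetes Secret the operator generates. The CRD fields (apiVersion alibabacloud.com/v1alpha1, spec.data with key/name/versionStage) are assumed to match the ack-secret-manager ExternalSecret definition, and the KMS secret name, namespace and image are placeholders.

```yaml
# Added example: only this manifest lives in Git; the plaintext value never does.
apiVersion: alibabacloud.com/v1alpha1   # assumed ack-secret-manager CRD version
kind: ExternalSecret
metadata:
  name: db-credentials        # name of the Kubernetes Secret the operator creates
  namespace: demo             # placeholder namespace
spec:
  data:
    - key: demo-db-password   # placeholder: name of the secret stored in KMS
      name: password          # key under which the value is written into the Secret
      versionStage: ACSCurrent  # use the current version of the KMS secret
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      labels:
        app: demo-app
    spec:
      containers:
        - name: app
          image: registry.example.com/demo-app:1.0   # placeholder image
          env:
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db-credentials   # Secret materialized in-cluster by the operator
                  key: password
```

The Secret named db-credentials exists only inside the cluster; rotating the value in KMS and letting the operator resync is how the workload picks up a new credential without any change to the repository.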
Store encrypted Secrets in Git repositories
This solution encrypts Secrets and then stores the Secrets in a Kubernetes Secret manifest in a Git repository. The Secrets are decrypted after they are imported to the ACK clusters where your applications are deployed.
Implementations of this solution are available in the open source community.