docs: endorse secrets operators, caution against plugins (#21629) #21631
Conversation
) Signed-off-by: Michael Crenshaw <[email protected]>
🔴 Preview Environment stopped on BunnyshellSee: Environment Details | Pipeline Logs Available commands (reply to this comment):
|
There was a problem hiding this comment.
I think this is solid as is. I suggested maybe adding the secret csi driver. We could potentially work in this talk about different approaches to managing secrets https://www.youtube.com/watch?v=FVaaqP7_AJg&t=1s - but it doesn't directly address the issues with hydration secrets management so I don't mind skipping. I actually think we need an updated talk on this.
| In this approach, secrets are populated on the destination cluster, and Argo CD does not need to directly manage them. | ||
| [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) and [External Secrets Operator](https://github.com/external-secrets/external-secrets) | ||
| are examples of this style of secret management. |
There was a problem hiding this comment.
I'm sure we could list lost but I think just listing two examples is great. I might add the csi-driver because it's between these three you represent all the major styles of secrets management. https://github.com/kubernetes-sigs/secrets-store-csi-driver/tree/v1.4.0
There was a problem hiding this comment.
Added CSI! I thought about adding a link to Andrew's talk, but left it out since he explicitly endorses plugin-style secrets management. Agreed that we need an updated talk.
Signed-off-by: Michael Crenshaw <[email protected]>
| @@ -1,29 +1,43 @@ | |||
| # Secret Management | |||
|
|
|||
| Argo CD is un-opinionated about how secrets are managed. There are many ways to do it, and there's no one-size-fits-all solution. | |||
| There are two general ways to populate secrets when doing GitOps: on the destination cluster, or in Argo CD during | |||
| manifest hydration. We strongly recommend the former, as it is more secure and provides a better user experience. | |||
There was a problem hiding this comment.
Maybe we need to make hydration an official feature before recommending it? Unless you don't mean the new Argo CD hydration feature...
There was a problem hiding this comment.
In this case I mean hydration in general, not the source hydrator feature
There was a problem hiding this comment.
can we use the term "manifest generation" to avoid this confusion?
There was a problem hiding this comment.
Makes sense. My hope is that over time the industry will adopt "hydration" as the generic term for manifest transformation. But for now "generation" is probably clearer in this context.
| * [Bitnami Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) | ||
| * [External Secrets Operator](https://github.com/external-secrets/external-secrets) | ||
| * [Hashicorp Vault](https://www.vaultproject.io) | ||
| * [Bank-Vaults](https://bank-vaults.dev/) | ||
| * [Helm Secrets](https://github.com/jkroepke/helm-secrets) | ||
| * [Kustomize secret generator plugins](https://github.com/kubernetes-sigs/kustomize/blob/fd7a353df6cece4629b8e8ad56b71e30636f38fc/examples/kvSourceGoPlugin.md#secret-values-from-anywhere) | ||
| * [aws-secret-operator](https://github.com/mumoshu/aws-secret-operator) | ||
| * [KSOPS](https://github.com/viaduct-ai/kustomize-sops#argo-cd-integration) | ||
| * [argocd-vault-plugin](https://github.com/argoproj-labs/argocd-vault-plugin) | ||
| * [argocd-vault-replacer](https://github.com/crumbhole/argocd-vault-replacer) | ||
| * [Kubernetes Secrets Store CSI Driver](https://github.com/kubernetes-sigs/secrets-store-csi-driver) | ||
| * [Vals-Operator](https://github.com/digitalis-io/vals-operator) | ||
| * [argocd-secret-replacer](https://github.com/mmalyska/argocd-secret-replacer) |
There was a problem hiding this comment.
Maybe put the list at the bottom of the file so ppl can refer to it if they really really want to use a different approach?
There was a problem hiding this comment.
I think that if there are options here that we're generally supportive of (like maybe the aws-secret-operator) it could make sense to include links. But otoh this list is already quite out of date. Maybe it's better to speak generally and then allow people to find their own solutions that match our general description.
There was a problem hiding this comment.
That makes sense. Maybe a smaller list just with the big players then? aws-secret-operator, hashicorp vault are 2 names that I think we should keep as I believe that they provide similar functionality compared to sealed-secrets for example. Isn't it the case?
Closes #21629