Secrets & image updates
Secrets in GitOps; auto image bumps.
GitOps has one awkward question: secrets cannot sit in Git as plaintext, yet Git is the source of truth. Three common answers. Sealed Secrets encrypts a Secret with a cluster-side controller’s key so only that cluster can decrypt it — the SealedSecret in Git is safe. The External Secrets Operator keeps secrets in a real store (Vault, cloud secrets manager) and materializes them in-cluster from a reference in Git. SOPS encrypts values in Git and decrypts at render time. All keep plaintext out of the repo.
apiVersion: external-secrets.io/v1beta1kind: ExternalSecretmetadata: { name: db-creds, namespace: payments }spec:secretStoreRef: { name: vault, kind: ClusterSecretStore }target: { name: db-creds }data:- secretKey: passwordremoteRef: { key: payments/db, property: password }# Git holds only the REFERENCE; the real secret stays in Vault# and is synced into a Secret in-cluster
Image updates and progressive delivery
Two adjacent capabilities. Argo CD Image Updater watches registries and, when a new image matching a policy appears, writes the new tag/digest back to Git (or overrides it), so image bumps become GitOps changes without a human editing YAML. And Argo Rollouts extends Deployments with canary and blue-green strategies driven by metrics, so a new version rolls out progressively and aborts on bad metrics. Both fit the GitOps model — the desired state, and its safe rollout, stay declarative.