The secrets-management landscape
SOPS, Sealed Secrets, ESO, Vault.
SOPS is one of several answers to “how do we handle secrets,” and they suit different needs. SOPS: encrypt static secrets in Git, simple, GitOps-friendly, key-managed. Sealed Secrets: a Kubernetes controller encrypts Secrets to a cluster-side key so the SealedSecret is safe in Git — k8s-specific, simple. External Secrets Operator (ESO): sync secrets from an external store (Vault, cloud) into k8s Secrets — no secret material in Git at all, just references. Vault: a full secrets platform with dynamic secrets, leasing, and PKI.
Choosing (and combining)
Rough guidance: reach for SOPS when you want simple, tool-agnostic encrypted secrets in Git and are comfortable managing a key (ideally via KMS) — it is the low-friction default for GitOps and IaC. Use Sealed Secrets for a pure-Kubernetes, no-extra-infra option. Use ESO or Vault when you want secrets to live outside Git in a dedicated store with rotation, dynamic issuance, and central audit, accepting the operational cost. Many organizations combine them — SOPS for config-adjacent static secrets, Vault for dynamic, high-value credentials.