github.com/argoproj/argo-cd/v2@v2.10.9/docs/operator-manual/secret-management.md

# Secret Management

Argo CD is un-opinionated about how secrets are managed. There are many ways to do it, and there's no one-size-fits-all solution.

Many solutions use plugins to inject secrets into the application manifests. See [Mitigating Risks of Secret-Injection Plugins](#mitigating-risks-of-secret-injection-plugins)
below to make sure you use those plugins securely.

Here are some ways people are doing GitOps secrets:

* [Bitnami Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
* [External Secrets Operator](https://github.com/external-secrets/external-secrets)
* [Hashicorp Vault](https://www.vaultproject.io)
* [Bank-Vaults](https://bank-vaults.dev/)
* [Helm Secrets](https://github.com/jkroepke/helm-secrets)
* [Kustomize secret generator plugins](https://github.com/kubernetes-sigs/kustomize/blob/fd7a353df6cece4629b8e8ad56b71e30636f38fc/examples/kvSourceGoPlugin.md#secret-values-from-anywhere)
* [aws-secret-operator](https://github.com/mumoshu/aws-secret-operator)
* [KSOPS](https://github.com/viaduct-ai/kustomize-sops#argo-cd-integration)
* [argocd-vault-plugin](https://github.com/argoproj-labs/argocd-vault-plugin)
* [argocd-vault-replacer](https://github.com/crumbhole/argocd-vault-replacer)
* [Kubernetes Secrets Store CSI Driver](https://github.com/kubernetes-sigs/secrets-store-csi-driver)
* [Vals-Operator](https://github.com/digitalis-io/vals-operator)

For discussion, see [#1364](https://github.com/argoproj/argo-cd/issues/1364)

## Mitigating Risks of Secret-Injection Plugins

Argo CD caches the manifests generated by plugins, along with the injected secrets, in its Redis instance. Those
manifests are also available via the repo-server API (a gRPC service). This means that the secrets are available to
anyone who has access to the Redis instance or to the repo-server.

Consider these steps to mitigate the risks of secret-injection plugins:

1. Set up network policies to prevent direct access to Argo CD components (Redis and the repo-server). Make sure your
   cluster supports those network policies and can actually enforce them.
2. Consider running Argo CD on its own cluster, with no other applications running on it.
3. [Enable password authentication on the Redis instance](https://github.com/argoproj/argo-cd/issues/3130) (currently
   only supported for non-HA Argo CD installations).
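
As an added example of step 1 (not part of this document or the Argo CD install manifests), the two `NetworkPolicy` objects below restrict ingress to the Redis and repo-server pods so that only the Argo CD components that legitimately talk to them can reach the cached, secret-bearing manifests. The example assumes the `argocd` namespace and the `app.kubernetes.io/name` labels used by the upstream install manifests (`argocd-redis`, `argocd-repo-server`, `argocd-server`, `argocd-application-controller`, `argocd-applicationset-controller`, `argocd-notifications-controller`); the ports are Redis's 6379 and the repo-server gRPC port 8081. Adjust the labels and namespace if your installation differs.

```yaml
# Added example: lock down ingress to argocd-redis and argocd-repo-server.
# Assumes the "argocd" namespace and the upstream app.kubernetes.io/name labels.
# Everything not listed under "from" is denied once the policy selects the pod.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-redis-ingress
  namespace: argocd
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Only the API server, repo-server and application controller use Redis.
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-server
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-repo-server
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-application-controller
      ports:
        - protocol: TCP
          port: 6379
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-repo-server-ingress
  namespace: argocd
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Components that call the repo-server gRPC API for manifest generation.
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-server
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-application-controller
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-applicationset-controller
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-notifications-controller
      ports:
        - protocol: TCP
          port: 8081
```

Because a `podSelector` without a `namespaceSelector` only matches pods in the policy's own namespace, workloads in other namespaces are denied even if they carry matching labels. After applying the policies, verify enforcement rather than trusting the object's presence: from a pod in an unrelated namespace, a TCP connection to `argocd-redis.argocd.svc:6379` should time out, while Argo CD itself keeps syncing. A CNI that does not implement `NetworkPolicy` accepts these manifests without error and enforces nothing, which is exactly the situation step 1 warns about.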