github.com/argoproj/argo-cd/v3@v3.2.1/docs/operator-manual/secret-management.md (about)

     1  # Secret Management
     2  
     3  There are two general ways to populate secrets when doing GitOps: on the destination cluster, or in Argo CD during 
     4  manifest generation. We strongly recommend the former, as it is more secure and provides a better user experience.
     5  
     6  For further discussion, see [#1364](https://github.com/argoproj/argo-cd/issues/1364).
     7  
     8  ## Destination Cluster Secret Management
     9  
    10  In this approach, secrets are populated on the destination cluster, and Argo CD does not need to directly manage them.
    11  [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets), [External Secrets Operator](https://github.com/external-secrets/external-secrets),
    12  and [Kubernetes Secrets Store CSI Driver](https://github.com/kubernetes-sigs/secrets-store-csi-driver) are examples of this style of secret management.
    13  
    14  This approach has two main advantages:
    15  
    16  1) Security: Argo CD does not need to have access to the secrets, which reduces the risk of leaking them.
    17  2) User Experience: Secret updates are decoupled from app sync operations, which reduces the risk of unintentionally
    18     applying Secret updates during an unrelated release.
    19  
    20  We strongly recommend this style of secret management.
    21  
    22  Other examples of this style of secret management include:
    23  * [aws-secret-operator](https://github.com/mumoshu/aws-secret-operator)
    24  * [Vault Secrets Operator](https://developer.hashicorp.com/vault/docs/platform/k8s/vso)
    25  
    26  ## Argo CD Manifest Generation-Based Secret Management
    27  
    28  In this approach, Argo CD's manifest generation step is used to inject secrets. This may be done using a 
    29  [Config Management Plugin](config-management-plugins.md) like [argocd-vault-plugin](https://github.com/argoproj-labs/argocd-vault-plugin).
    30  
    31  **We strongly caution against this style of secret management**, as it has several disadvantages:
    32  
    33  1) Security: Argo CD needs access to the secrets, which increases the risk of leaking them. Argo CD stores generated 
    34     manifests in plaintext in its Redis cache, so injecting secrets into the manifests increases risk.
    35  2) User Experience: Secret updates are coupled with app sync operations, which increases the risk of unintentionally
    36     applying Secret updates during an unrelated release.
    37  3) Rendered Manifests Pattern: This approach is incompatible with the "Rendered Manifests" pattern, which is 
    38     increasingly becoming a best practice for GitOps.
    39  
    40  Many users have already adopted generation-based solutions, and we understand that migrating to an operator-based 
    41  solution can be a significant effort. Argo CD will continue to support generation-based secret management, but we will 
    42  not prioritize new features or improvements that solely support this style of secret management.
    43  
    44  ### Mitigating Risks of Secret-Injection Plugins
    45  
    46  Argo CD caches the manifests generated by plugins, along with the injected secrets, in its Redis instance. Those
    47  manifests are also available via the repo-server API (a gRPC service). This means that the secrets are available to
    48  anyone who has access to the Redis instance or to the repo-server.
    49  
    50  Consider these steps to mitigate the risks of secret-injection plugins:
    51  
    52  1. Set up network policies to prevent direct access to Argo CD components (Redis and the repo-server). Make sure your
    53     cluster supports those network policies and can actually enforce them.
    54  2. Consider running Argo CD on its own cluster, with no other applications running on it.