Secrets on Kubernetes

SOPS

SOPS is a way to create encrypted secrets that you can store in git. You can, if you wish, decrypt that confidential data, transform it into a Kubernetes Secret object and apply it to a cluster. Users/processes who need to update secrets need the ability to encrypt (but not decrypt); users/processes that deploy need the ability to decrypt.

Sealed Secrets

Sealed Secrets is a way to encrypt secrets (stored elsewhere, or even by SOPS) and generate a Kubernetes-deployable object that is encrypted. Users/processes that need to update secrets need access to the source of truth (the original data before sealing) and the ability to encrypt. Users/processes that need to deploy need no access to encrypt or decrypt whatsoever, as that is taken care of by the sealed-secrets controller on the k8s cluster. If you wish, you can use SOPS as a way to store the encrypted values in git. Vault is in the same playing field, but is more of a service. It is not recommended to use sealed secrets as a source of truth, as it is not trivial to decrypt sealed secrets; this is by design.

Use SOPS and Sealed Secrets together!
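One practical consequence of the SOPS-plus-Sealed-Secrets setup is that git must never hold a plaintext Secret. As an added example (not part of the original note), this POSIX shell guard classifies manifests and rejects plaintext Secrets while accepting SOPS-encrypted files and SealedSecrets; the sample manifests and all ENC[...] / age recipient values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original note: a pre-commit style guard for a
# git repo that holds SOPS-encrypted Secrets and SealedSecrets. It refuses any
# plaintext kind: Secret so git only ever holds encrypted material.
# Sample manifests below are constructed for the demonstration; the ENC[...]
# and age recipient values are placeholders, not real ciphertext or keys.

classify_manifest() {
  # Prints: sealed-secret | sops-encrypted | plaintext-secret | other
  f="$1"
  if grep -Eq '^kind:[[:space:]]*SealedSecret[[:space:]]*$' "$f"; then
    echo sealed-secret
  # A SOPS file keeps "kind: Secret" but carries a sops: block with a MAC, so
  # this test must run before the plaintext check.
  elif grep -Eq '^sops:' "$f" && grep -Eq '^[[:space:]]+mac:[[:space:]]*ENC\[' "$f"; then
    echo sops-encrypted
  elif grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$f"; then
    echo plaintext-secret
  else
    echo other
  fi
}

check_manifests() {
  # Exit status 0 if none of the files is a plaintext Secret, 1 otherwise.
  rc=0
  for f in "$@"; do
    if [ "$(classify_manifest "$f")" = plaintext-secret ]; then
      echo "REJECT $f: plaintext kind: Secret; encrypt with sops or seal with kubeseal" >&2
      rc=1
    fi
  done
  return $rc
}

# Constructed sample manifests, one of each kind.
DEMO_DIR=$(mktemp -d)
printf '%s\n' 'apiVersion: v1' 'kind: Secret' 'metadata:' '  name: db-creds' \
  'stringData:' '  password: constructed-sample-value' > "$DEMO_DIR/plain-secret.yaml"
printf '%s\n' 'apiVersion: v1' 'kind: Secret' 'metadata:' '    name: db-creds' \
  'stringData:' '    password: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]' \
  'sops:' '    age:' '        - recipient: age1PLACEHOLDER' \
  '    mac: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]' \
  '    version: 3.8.1' > "$DEMO_DIR/sops-secret.yaml"
printf '%s\n' 'apiVersion: bitnami.com/v1alpha1' 'kind: SealedSecret' 'metadata:' \
  '  name: db-creds' 'spec:' '  encryptedData:' '    password: PLACEHOLDER' > "$DEMO_DIR/sealed-secret.yaml"

check_manifests "$DEMO_DIR"/*.yaml || echo "commit blocked: fix the rejected files first"
```

Wired into a pre-commit hook, the same function can be run over `git diff --cached --name-only` so the plaintext Secret never reaches the repository.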

Vault

HashiCorp Vault can be made highly available with Consul.

With Vault, git wouldn't be the single source of truth anymore.