Seamless Secret Management in GitOps With SOPS and age
GitOps has a famously awkward edge case: you want everything in Git, but you can’t commit a plaintext database password to a repository. The usual workarounds — a separate secrets manager, a wall of kubectl create secret commands, a shared password vault that nobody keeps in sync — all break the “Git is the source of truth” promise. SOPS (Secrets OPerationS) and age solve this neatly. Together they let you commit encrypted secrets straight into Git, review them in pull requests, and decrypt them only where and when they’re actually needed. The plaintext never touches the repo; the ciphertext lives right next to the code it belongs to. ...
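A SOPS-encrypted file stays reviewable in a pull request because its keys remain readable and only its values become ENC[...] ciphertext. The check below is an added example, not code from the original article: a guard a pre-commit hook or CI job could run to confirm that plaintext never reaches the repo. It assumes a simple block-style Kubernetes Secret manifest whose data and stringData values were encrypted with SOPS; the function name and both sample manifests are constructed for illustration.

```python
import re

# Shape of a SOPS-encrypted scalar value.
SOPS_VALUE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,\]]*,iv:[^,\]]+,tag:[^,\]]+,type:\w+\]$")
ENTRY = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*)$")

def plaintext_leaks(manifest, protected=("data", "stringData")):
    """Return [(line_no, key)] for values under `protected` that are not
    SOPS ciphertext. Assumes one `key: value` pair per line."""
    leaks, in_protected, has_sops_block = [], False, False
    for no, line in enumerate(manifest.splitlines(), 1):
        m = ENTRY.match(line)
        if not m:
            continue  # comments, list items, document separators
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        if indent == 0:
            has_sops_block |= key == "sops"
            in_protected = key in protected
        elif in_protected and not SOPS_VALUE.match(value.strip("'\"")):
            leaks.append((no, key))
    if not has_sops_block:
        leaks.append((0, "sops"))  # line 0: no SOPS metadata in the file
    return leaks

# Constructed placeholder, not real ciphertext.
CIPHERTEXT = "ENC[AES256_GCM,data:UExBQ0VIT0xERVI=,iv:SVY=,tag:VEFH,type:str]"

ENCRYPTED = f"""\
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
stringData:
  password: {CIPHERTEXT}
sops:
  mac: {CIPHERTEXT}
"""

PLAINTEXT = """\
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
stringData:
  password: hunter2
"""

if __name__ == "__main__":
    print(plaintext_leaks(ENCRYPTED))  # no findings
    print(plaintext_leaks(PLAINTEXT))  # plaintext value and missing sops block
```

A non-empty result should fail the commit or the pipeline run, so an unencrypted manifest is rejected before it enters Git history.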