The question
“You’re using GitOps â everything goes through Git. How do you handle secrets?”
The wrong answer: base64-encode them and commit them as Kubernetes Secret objects. Base64 is not encryption. Anyone with read access to the repo has your secrets. If the repo is public, everyone does.
The slightly better wrong answer: use a private repo and just not think about it. This works until a deploy key leaks, someone joins and then leaves the company, or you need to rotate one secret and have to find every place it’s referenced.
There are three real answers. They make different tradeoffs.
The constraint
The constraint is actually tighter than “don’t commit secrets”. It’s: your Git repo should be safe to make public at any point, and secrets must be rotatable without touching Git.
If rotating a password requires a new commit, someone has to be awake to merge and deploy it. That’s not how you want to handle a 3am incident.
Option 1: External Secrets Operator + Vault
This is the most robust pattern and the one worth knowing for interviews.
The idea: secrets live in a dedicated secret store (HashiCorp Vault, or a cloud equivalent). A Kubernetes operator called ESO watches ExternalSecret CRD objects in the cluster and syncs the referenced secret into a real Kubernetes Secret. The CRD is safe to commit â it says where the secret lives, not what it is.
# This lives in Git â safe to commit
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: myapp-db-credentials
namespace: myapp
spec:
refreshInterval: 1h
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: myapp-db-credentials # the k8s Secret it creates
data:
- secretKey: DB_PASSWORD
remoteRef:
key: secret/myapp
property: db-password
Rotation: you update the secret in Vault. ESO syncs it to the cluster within refreshInterval. No Git commit, no deployment. The pod reads the updated Secret on the next restart (or immediately if you mount it as an env var and the app handles SIGHUP).
Audit trail: Vault logs every read and write. You know exactly which service account read which secret at what time.
The cost: you’re running Vault. For a homelab or small team, that’s an extra thing to operate. For production, it’s worth it.
Self-hosted setup:
# ClusterSecretStore â connects ESO to your Vault instance
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault
spec:
provider:
vault:
server: "http://sys-vault.sys-vault.svc.cluster.local:8200"
path: "secret"
version: "v2"
auth:
kubernetes:
mountPath: "kubernetes"
role: "external-secrets"
ESO authenticates to Vault using the pod’s Kubernetes ServiceAccount token. Vault validates it against the cluster’s token review endpoint. No static credentials anywhere.
Option 2: Sealed Secrets
Sealed Secrets uses asymmetric encryption. The cluster holds a private key. You use the kubeseal CLI to encrypt a secret with the cluster’s public key. The resulting SealedSecret object is safe to commit â only the cluster can decrypt it.
# Encrypt a secret for committing to Git
kubectl create secret generic myapp-db \
--from-literal=DB_PASSWORD=hunter2 \
--dry-run=client -o yaml \
| kubeseal \
> sealed-secrets/myapp-db.yaml
The resulting YAML looks like:
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: myapp-db
namespace: myapp
spec:
encryptedData:
DB_PASSWORD: AgBy3i4OJSWK+PiTySYZZA9rO43cGDEq...
This gets committed. The Sealed Secrets controller in the cluster decrypts it and creates the real Secret automatically.
The tradeoff: rotation means re-sealing. You need the cluster’s public key (which is public) and access to the plaintext secret. You commit a new SealedSecret. That’s a Git commit, which means a review, a merge, and a deploy. For a 3am incident, that’s a lot of friction.
Also: if the cluster’s private key is lost, you can’t decrypt any of your sealed secrets. Back up the private key.
Good fit for: small teams, homelab, situations where secrets change rarely and the GitOps review process is actually desirable.
Option 3: SOPS
SOPS (Secrets OPerationS) encrypts files at rest using age keys or cloud KMS. You commit encrypted files. CI decrypts them during deployment using a key it holds in memory (not stored in Git).
# Encrypt a file for Git
sops --encrypt --age age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8q \
secrets/myapp.yaml > secrets/myapp.enc.yaml
# In CI: decrypt to temp file, apply, delete
sops --decrypt secrets/myapp.enc.yaml | kubectl apply -f -
The difference from Sealed Secrets: SOPS encrypts at the file level, not the k8s object level. You can use it outside of Kubernetes (application configs, Terraform variables). The key can live in the CI environment, a cloud KMS, or a personal age key.
The tradeoff: CI needs the decryption key, which puts you back in “secret in CI” territory â just for the encryption key rather than the actual secrets. If you use a cloud KMS, OIDC federation handles that (no stored key). If you use an age key, it lives in CI secrets.
Good fit for: teams already using Helm and Helm Secrets, polyglot environments where not everything is Kubernetes, small teams where Vault feels like overengineering.
Comparison
| ESO + Vault | Sealed Secrets | SOPS | |
|---|---|---|---|
| Rotation without Git commit | Yes | No | Depends |
| Audit trail | Full (Vault) | None | Depends on KMS |
| Complexity | High | Low | Medium |
| Works outside k8s | With effort | No | Yes |
| Recovery if key lost | Vault backup | Lose all secrets | Key backup |
| CI needs secret material | No | No | Yes (decrypt key) |
What interviewers are actually testing
The interesting follow-up question is: “How do you rotate a secret without downtime?”
The answer requires you to understand that pods mount Secret objects at startup. Updating the Secret in Kubernetes doesn’t automatically restart the pod. Your options are:
- Mount the secret as a volume and have the app watch for file changes (good)
- Restart the deployment after rotation (
kubectl rollout restart, automatable) - Use a sidecar like Vault Agent Injector that handles refresh in-process (complex but zero-restart)
The correct answer depends on the app. An API key that can be rotated gradually is different from a database password where the old one is invalidated immediately.
This is part of a series on Kubernetes interview questions. Previously: deploying without cluster credentials. Next: zero-downtime deployments.