Secrets & GitOps: ArgoCD + External Secrets Done Right

The Problem We Had

GitOps worked—until secrets showed up. Teams either committed secrets or blocked releases.

The Outcome We Wanted

A GitOps flow that keeps secrets outside of Git and still automates deployments.

The Blueprint

The Secure Pattern

• Git holds ExternalSecret manifests only
• ESO pulls from Vault/SSM/Secrets Manager
• ArgoCD syncs manifests, ESO resolves secrets

Walkthrough Files

• repo/gitops/secrets/secretstore.yaml
• repo/gitops/secrets/externalsecret.yaml

What Changed

Teams can ship GitOps changes without ever touching sensitive data. Security teams gain control without blocking delivery.