Secrets & GitOps: ArgoCD + External Secrets Done Right

What was getting in the way

GitOps worked - until secrets showed up. Teams either committed secrets or blocked releases.

What we actually wanted

A GitOps flow that keeps secrets outside of Git and still automates deployments.

How we approached it

[Figures: External secrets context; Guardrails flow]

The Secure Pattern

  • Git holds ExternalSecret manifests only
  • ESO pulls from Vault/SSM/Secrets Manager
  • ArgoCD syncs manifests, ESO resolves secrets
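As an added illustration of the pattern above (not the contents of the repo files listed on this page), here is a minimal SecretStore and ExternalSecret pair for AWS Secrets Manager. The namespace, resource names, region, ServiceAccount and remote key are all assumed values.

```yaml
# Added example: every name below is hypothetical (namespace "payments",
# store "aws-secrets", ServiceAccount "eso-reader", remote key "prod/payments/db").
# Set apiVersion to the version your installed ESO CRDs serve.
---
# SecretStore: tells ESO which backend to read from and how to authenticate.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets
  namespace: payments
  annotations:
    argocd.argoproj.io/sync-wave: "0"   # apply the store before its consumers
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1
      auth:
        jwt:
          serviceAccountRef:
            name: eso-reader   # IAM-role-bound ServiceAccount; no static keys in Git
---
# ExternalSecret: a reference only. No secret value appears in this manifest.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: payments-db
  namespace: payments
  annotations:
    argocd.argoproj.io/sync-wave: "1"
spec:
  refreshInterval: 1h            # how often ESO re-reads the backend
  secretStoreRef:
    kind: SecretStore
    name: aws-secrets
  target:
    name: payments-db            # Kubernetes Secret that ESO creates in-cluster
    creationPolicy: Owner        # Secret is removed when the ExternalSecret is
  data:
    - secretKey: DB_PASSWORD     # key in the resulting Kubernetes Secret
      remoteRef:
        key: prod/payments/db    # secret name in AWS Secrets Manager
        property: password       # JSON field inside that secret
```

ArgoCD applies both objects from Git, and ESO then creates the `payments-db` Secret in the cluster, so the secret value never passes through the repository.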

Files worth opening

  • repo/gitops/secrets/secretstore.yaml
  • repo/gitops/secrets/externalsecret.yaml

What changed in practice

Teams can ship GitOps changes without ever touching sensitive data. Security teams gain control without blocking delivery.