Great Video! PushSecrets are being developed and will soon be available! Aiming for next release, or the one after that :)
"If you have a problem, if no one else can help, and if you can find them, maybe you can hire the A-Team." and now you have got me the title theme of the A-Team stuck in my head! 😉🤔
Very nice, I just deployed vault to my cluster, this came like on call :D
Great explanation Victor...Keep it up
I definitely love our external-secrets integration with Hashicorp Vault. It makes management much easier, as long as you have a single source-of-truth. It takes some getting used to, but always create/manage secrets in the external store and sync them using external-secrets. Next up: creating an operator to restart pods when a DB secret changes!
Your vids are the best ... I always learn a lot from your channel.. Thanks for sharing your knowledge :D
At this moment I want to bring to your attention Doppler. (Not affiliated anyhow.) It is a Secret Store (SaaS) which as a service is pretty good and feature-complete. It has a great web UI, straightforward CLI, and integration with many services. Now, Doppler has its own Kubernetes operator that does what external secrets do. You create one k8s secret with an access token to Doppler and then a DopplerSecret which creates a k8s Secret. When I make a change to a secret in Doppler, it propagates immediately. On top, it has support for restarting deployments that are referencing secrets that were modified by adding one annotation. No need for Stakater/Reloader.

That being said, there are 3 cons I find with external secrets, compared to Sealed Secrets:

1. The GitOps framework is "violated" by not being able to follow secrets stored in external password stores. That means there will be 2 sources of truth (git repo + Secret Store, etc.) that need to be compared in conjunction to understand when some change happens to the cluster.
2. In k8s manifest files, the k8s-native secret is not created as a resource (by us). I found the lack of support for secrets in k8s tools (like the k8s plugin in IntelliJ) annoying, since it will not recognize the secret that the custom Secret resource is creating. It will mark it with a squiggly line.
3. Finally, you have no way to know what kind of secrets (which keys) are stored in an external secret without looking at it inside the cluster. Like in your video, where you have username, host, password, port. When writing your manifests, you will have to go either to your Secret Store or use kubectl to find out what exists.

Long text!! Sorry! 😅
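As an added example (not from the video, the commenter above, or the External Secrets project itself), here is what the ESO manifests for the Vault-backed setup discussed in this thread look like when every synced key is listed explicitly rather than pulled in wholesale. This is one way to soften the third point above: the key names are reviewable in git while the values stay in Vault. The namespace `app`, the store name `vault-backend`, the Vault address, the KV path `app/db`, the Vault role `app` and the service account `app-sa` are all placeholders.

```yaml
# Added example, not part of the video or this thread. All names, paths and
# addresses below are placeholders for a real deployment.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend            # placeholder store name
  namespace: app
spec:
  provider:
    vault:
      server: "https://vault.example.internal:8200"   # placeholder Vault address
      path: "secret"             # name of the KV mount
      version: "v2"              # KV v2 engine, so data lives under secret/data/...
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "app"            # Vault role bound to the service account below
          serviceAccountRef:
            name: app-sa
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
  namespace: app
spec:
  refreshInterval: 1h            # ESO re-reads Vault and updates the Secret on this interval
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: db-credentials         # the Kubernetes Secret that ESO creates and owns
    creationPolicy: Owner
  # Listing each key here, instead of using dataFrom, keeps the key names
  # visible in git even though the values are never committed.
  data:
    - secretKey: username
      remoteRef:
        key: app/db              # resolves to secret/data/app/db on a KV v2 mount
        property: username
    - secretKey: password
      remoteRef:
        key: app/db
        property: password
    - secretKey: host
      remoteRef:
        key: app/db
        property: host
    - secretKey: port
      remoteRef:
        key: app/db
        property: port
```

With this layout a reviewer of the repository can see exactly which keys the resulting Secret will carry, and `kubectl get externalsecret db-credentials -n app` reports the sync status without printing any values. The tooling complaint in point 2 still stands, since the Secret itself is created by the operator rather than declared in the manifests.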
You save my project, thank you so much!
Thanks!
I love to use Doppler to store my secrets and use the Doppler CLI on pipelines to manage and use them :)
Thanks, that was helpful!
Thanks
The 'I'm not touching my cluster' frame is meme-worthy. Just saying.. ;) Anyhow, akuity recently did a webinar on the subject of gitops-friendly secrets management, and the external secrets operator does seem to be the "best" option. Argocd has some plugins too.
Now with PushSecret you can store secrets in the secret manager.
Victor, did you already consider a video on (cloud provider agnostic) secret stores? I would really love to see one from you since you are focusing on K8s and just do awesome content <3 I'm using Vault (with eso for syncing) right now, it works well but it seems like rocket science and it is painfully not Kubernetes-native :(
I still mess up things with Vault :)), I hope I will master it one day
Thank you very much for the explanation. It seems to be a reverse crossplane for secrets 😅..
Just watching 2 years after publishing… Seems like they support push now.
How do you manage your secrets nowadays? Is ESO still your preference over Sealed Secrets?