Published: 2026-06-01 โ€ข Updated: 2026-07-05

Integrating HashiCorp Vault with ArgoCD: Enterprise GitOps Secret Management

In a pure GitOps delivery pipeline, Git is the single source of truth for all infrastructure and application states. However, this core principle introduces a critical security challenge: how do you manage sensitive data like database credentials, API keys, and TLS certificates without committing plaintext secrets to public or private Git repositories? Committing raw secrets to Git is an anti-pattern that violates compliance standards (such as PCI-DSS, SOC2, and HIPAA) and exposes organizations to catastrophic credential leaks.

To solve this dilemma, enterprise platforms pair ArgoCD with HashiCorp Vault, the industry-standard secrets management engine. This integration ensures that your Git repositories contain only non-sensitive configuration references, while the actual secrets are dynamically injected, decrypted, or synchronized at runtime inside your Kubernetes clusters.

This comprehensive guide provides an in-depth, hands-on masterclass on integrating HashiCorp Vault with ArgoCD. We will explore the architectural patterns, step-by-step implementations, enterprise security configurations, and operational playbooks required to run a secure, high-scale GitOps secrets pipeline.

What You Will Learn

  • The core engineering trade-offs between different Vault-ArgoCD integration patterns.
  • How to configure Vault Kubernetes Authentication for secure, passwordless access.
  • How to implement the External Secrets Operator (ESO) pattern for native Kubernetes secret synchronization.
  • How to configure the Argo CD Vault Plugin (AVP) using modern ConfigManagementPlugins (CMP) sidecars.
  • How to design a secure, multi-tenant secret architecture that prevents cross-namespace data access.
  • Production monitoring, auditing, troubleshooting, and disaster recovery strategies.

Prerequisites & System Requirements

To follow the implementation steps in this guide, you will need:

  • A running Kubernetes cluster (v1.26 or higher) with administrative privileges.
  • ArgoCD (v2.8 or higher) installed in the argocd namespace. Learn how to set this up in our Enterprise ArgoCD Installation Guide.
  • The HashiCorp Vault CLI and Helm installed on your local workstation.
  • An active HashiCorp Vault instance (either self-hosted in-cluster, external enterprise, or HCP Vault) accessible from your Kubernetes cluster.

Vault & ArgoCD Integration Patterns

When designing a GitOps pipeline with Vault, there are three primary architectural patterns. Each has distinct advantages, operational profiles, and security boundaries. Let's analyze them in detail.

1. External Secrets Operator (ESO) Pattern

The External Secrets Operator (ESO) is a Kubernetes operator that runs inside your cluster and continuously polls external APIs (like HashiCorp Vault) to synchronize secrets into native Kubernetes Secret resources.

In this model, ArgoCD does not interact with Vault directly. Instead, ArgoCD deploys custom resources defined by ESO (such as SecretStore and ExternalSecret). The ESO controller reads these resources, authenticates with Vault, retrieves the secrets, and creates standard Kubernetes Secret objects.

+------------+       Deploys Manifests       +---------+
|    Git     | ----------------------------> |  ArgoCD |
+------------+                               +---------+
      |                                           |
      | (ExternalSecret &                         | Deploys K8s
      |  SecretStore CRDs)                        | Resources
      |                                           v
      |                                      +---------+
      +-------------------------------------> | Cluster |
                                             +---------+
                                                  |
     +--------------------------------------------+
     | (Triggers ESO Controller)
     v
+---------------------------+  Fetches Secret  +-------------------+
| External Secrets Operator | ---------------> | HashiCorp Vault   |
+---------------------------+                  +-------------------+
     |
     | Generates & Syncs
     v
+---------------------------+
| Native K8s Secret Object  |
+---------------------------+
    

2. Argo CD Vault Plugin (AVP) Pattern

The Argo CD Vault Plugin (AVP) is a ConfigManagementPlugin (CMP) that runs as a sidecar container inside the argocd-repo-server pod. When ArgoCD retrieves manifests from Git, it passes them through AVP.

AVP scans the manifests for specific placeholders (e.g., <path:secret/data/db#password>), connects directly to Vault, retrieves the plaintext values, replaces the placeholders in memory, and outputs standard Kubernetes manifests to the ArgoCD application controller. Plaintext secrets are never committed to Git and are only written to the target Kubernetes cluster during deployment.

+------------+  Fetches Manifests  +-------------------------+
|    Git     | ------------------> |   argocd-repo-server    |
+------------+                     |                         |
                                   |  +--------------------+ |
                                   |  |  Argo CD Vault     | |
                                   |  |  Plugin (AVP)      | |
                                   |  +--------------------+ |
                                   +-------------------------+
                                                |
                                                | 1. Authenticates &
                                                |    Retrieves Secrets
                                                v
                                   +-------------------------+
                                   |    HashiCorp Vault      |
                                   +-------------------------+
                                                |
                                                | 2. Replaces Placeholders
                                                |    In-Memory
                                                v
                                   +-------------------------+
                                   | Deploys Fully Rendered  |
                                   | Manifests to K8s API    |
                                   +-------------------------+
    

3. Vault Agent Injector Pattern

The Vault Agent Injector uses a Kubernetes mutating webhook to inject a Vault Agent sidecar container into your application pods at runtime.

In this model, ArgoCD has no awareness of Vault, and no Kubernetes Secret objects are created in the cluster. Instead, you annotate your application's deployment manifests with Vault-specific annotations. When the pod starts, the Vault Agent sidecar authenticates with Vault, retrieves the secrets, and writes them to a shared memory volume (e.g., /vault/secrets/config) accessible by the application container.

Comparison of Vault-ArgoCD Integration Patterns

Feature / Metric External Secrets Operator (ESO) Argo CD Vault Plugin (AVP) Vault Agent Injector
ArgoCD Coupling None (Decoupled) High (Runs inside repo-server) None (Decoupled)
Kubernetes Secrets Yes (Created & Managed) Yes (Created & Managed) No (Stored in-memory in Pod)
Secret Rotation Automatic (Polling interval) On-demand (ArgoCD Sync trigger) Dynamic (Reactive to Vault TTL)
GitOps Drift Detection Fully Supported Supported with custom diffs Not Applicable (No K8s Secrets)
Multi-Tenancy Isolation Excellent (Namespaced CRDs) Complex (Shared repo-server) Excellent (Pod ServiceAccounts)
Performance Overhead Low (Asynchronous polling) Medium (Slower manifest rendering) Low (Slightly longer pod startup)

Setting Up Vault Kubernetes Authentication

Before either ArgoCD or the External Secrets Operator can retrieve secrets from Vault, they must authenticate securely. The industry best practice is to use the Vault Kubernetes Authentication Method. This method allows clients to authenticate with Vault using native Kubernetes ServiceAccount tokens, eliminating the need to manage static credentials or bootstrap tokens.

Step 1: Enable Kubernetes Authentication in Vault

Execute the following commands inside your Vault environment (or via your Vault administrative pod) to enable and configure the Kubernetes auth engine:

# Enable the Kubernetes authentication method
vault auth enable kubernetes

# Configure Vault to read the local Kubernetes API configuration
# Vault uses the local ServiceAccount token and CA cert of its own pod to talk to the K8s API
vault write auth/kubernetes/config \
    kubernetes_host="https://kubernetes.default.svc:443"

Step 2: Define Least-Privilege Policies

We will create two distinct policies: one for the External Secrets Operator and one for ArgoCD Vault Plugin. Save the following HCL configurations to your local machine.

eso-policy.hcl (Allows read access to application secrets):

# Permit read-only access to paths under secret/data/apps/
path "secret/data/apps/*" {
  capabilities = ["read"]
}

# Vault KV v2 engine metadata access
path "secret/metadata/apps/*" {
  capabilities = ["read", "list"]
}

Write this policy to Vault:

vault policy write enterprise-apps-policy eso-policy.hcl

Step 3: Create Vault Roles for ServiceAccounts

Now, bind the Kubernetes ServiceAccounts to the Vault policies. This ensures that only specific pods running with authorized ServiceAccounts can assume the defined roles and retrieve secrets.

For the External Secrets Operator running in the external-secrets namespace:

vault write auth/kubernetes/role/eso-role \
    bound_service_account_names=external-secrets \
    bound_service_account_namespaces=external-secrets \
    policies=enterprise-apps-policy \
    ttl=1h

For the ArgoCD repo-server running in the argocd namespace:

vault write auth/kubernetes/role/argocd-repo-role \
    bound_service_account_names=argocd-repo-server \
    bound_service_account_namespaces=argocd \
    policies=enterprise-apps-policy \
    ttl=15m

Deep Dive: Integrating via External Secrets Operator (ESO)

The External Secrets Operator (ESO) is highly recommended for enterprise deployments due to its strong decoupling, ease of multi-tenancy configuration, and native Kubernetes resource engine integration.

Step 1: Install the External Secrets Operator

We will deploy the External Secrets Operator using Helm. To adhere to GitOps principles, define an ArgoCD Application manifest that deploys the operator.

Create a file named eso-application.yaml:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: external-secrets-operator
  namespace: argocd
spec:
  project: default
  source:
    chart: external-secrets
    repoURL: https://charts.external-secrets.io
    targetRevision: 0.9.11
    helm:
      parameters:
        - name: installCRDs
          value: "true"
  destination:
    server: https://kubernetes.default.svc
    namespace: external-secrets
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    createNamespace: true

Apply this application configuration via kubectl to deploy the operator:

kubectl apply -f eso-application.yaml

Step 2: Configure the ClusterSecretStore

A ClusterSecretStore is a cluster-scoped resource that defines how to connect and authenticate with HashiCorp Vault. It can be shared across all namespaces in the cluster.

Create a manifest named vault-cluster-store.yaml:

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "http://vault.vault.svc.cluster.local:8200"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:
          # Path where the Kubernetes auth method is enabled in Vault
          mountPath: "kubernetes"
          # The Vault role we created in the previous section
          role: "eso-role"
          # ServiceAccount used by the ESO controller to authenticate
          serviceAccountRef:
            name: "external-secrets"
            namespace: "external-secrets"

Apply the store configuration:

kubectl apply -f vault-cluster-store.yaml

Step 3: Define the ExternalSecret Resource

With the ClusterSecretStore configured, developers can now define ExternalSecret resources in their application namespaces. These resources map keys inside HashiCorp Vault directly to native Kubernetes Secrets.

Let's assume we have a database secret stored in Vault at secret/data/apps/payment-service/db with the keys username and password.

Create a file named payment-db-externalsecret.yaml:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: payment-db-secret
  namespace: payment-prod
spec:
  refreshInterval: "1h" # How often ESO polls Vault for updates
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: payment-db-credentials # Name of the K8s Secret to be created
    creationPolicy: Owner
    template:
      type: Opaque
      metadata:
        labels:
          app.kubernetes.io/managed-by: external-secrets
      data:
        # Construct custom connection string dynamically using templates
        DB_CONN_STRING: "postgresql://{{ .user }}:{{ .pass }}@postgres-service.payment-prod.svc.cluster.local:5432/payment_db?sslmode=require"
  data:
    - secretKey: user
      remoteRef:
        key: apps/payment-service/db
        property: username
    - secretKey: pass
      remoteRef:
        key: apps/payment-service/db
        property: password

When this manifest is synced by ArgoCD, the External Secrets Operator will intercept the resource, query Vault, create a standard Kubernetes Secret named payment-db-credentials, and inject the decrypted values.


Deep Dive: Integrating via Argo CD Vault Plugin (AVP)

For organizations that do not want Kubernetes Secrets stored persistently in etcd (even if encrypted), or prefer a direct integration into the manifest rendering lifecycle, the Argo CD Vault Plugin (AVP) is the optimal solution.

In modern versions of ArgoCD (v2.x+), ConfigManagementPlugins (CMPs) must be run as sidecar containers within the argocd-repo-server pod. This is a significant security improvement over old methods that mounted plugins directly into the main container.

Step 1: Patching ArgoCD Repo-Server with AVP Sidecar

We need to configure the argocd-repo-server deployment to run the AVP container sidecar. Create a patch file named argocd-repo-server-patch.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-repo-server
  namespace: argocd
spec:
  template:
    spec:
      containers:
        - name: avp
          image: registry.access.redhat.com/ubi8/ubi-minimal:latest
          command: [/var/run/argocd/argocd-cmp-server]
          securityContext:
            runAsNonRoot: true
            runAsUser: 999
          volumeMounts:
            - mountPath: /var/run/argocd
              name: var-files
            - mountPath: /home/argocd
              name: plugins
            # Mount the plugin configuration file
            - mountPath: /home/argocd/cmp-server/config
              name: avp-config
          env:
            - name: VAULT_ADDR
              value: "http://vault.vault.svc.cluster.local:8200"
            - name: AVP_TYPE
              value: "vault"
            - name: AVP_AUTH_TYPE
              value: "k8s"
            - name: AVP_K8S_ROLE
              value: "argocd-repo-role"
      volumes:
        - name: plugins
          emptyDir: {}
        - name: avp-config
          configMap:
            name: argocd-vault-plugin-config

Step 2: Create the Plugin Configuration Map

Define the CMP configuration that tells ArgoCD how to identify files that require AVP processing and how to execute the manifest rendering. Create a file named avp-plugin-configmap.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-vault-plugin-config
  namespace: argocd
data:
  plugin.yaml: |
    apiVersion: argoproj.io/v1alpha1
    kind: ConfigManagementPlugin
    metadata:
      name: argocd-vault-plugin
    spec:
      version: v1.0
      generate:
        # Download and run the AVP binary to parse the manifests
        command: ["sh", "-c"]
        args:
          - |
            # Download AVP if it doesn't exist in the shared emptyDir volume
            if [ ! -f /home/argocd/argocd-vault-plugin ]; then
              curl -L -o /home/argocd/argocd-vault-plugin https://github.com/argoproj-labs/argocd-vault-plugin/releases/download/v1.17.0/argocd-vault-plugin_1.17.0_linux_amd64
              chmod +x /home/argocd/argocd-vault-plugin
            fi
            # Execute AVP on the generated YAML files
            /home/argocd/argocd-vault-plugin generate .
      discover:
        # Look for files with specific placeholders or configuration
        find:
          glob: "**/*.yaml"

Apply the ConfigMap and the patch to your cluster:

kubectl apply -f avp-plugin-configmap.yaml
kubectl patch deployment argocd-repo-server -n argocd --patch-file argocd-repo-server-patch.yaml

Step 3: Define GitOps Manifests with AVP Placeholders

When using AVP, your YAML manifests stored in Git contain placeholders that point to the Vault secret paths.

Here is an example of an application's Secret manifest stored in your Git repository (e.g., templates/db-secret.yaml):

apiVersion: v1
kind: Secret
metadata:
  name: dynamic-db-secret
  namespace: application-prod
  annotations:
    # This annotation tells AVP to process this file
    avp.kubernetes.io/path: "secret/data/apps/payment-service/db"
type: Opaque
stringData:
  # The placeholders are replaced with actual values during ArgoCD sync
  DB_USER: "<username>"
  DB_PASS: "<password>"

Step 4: Create the ArgoCD Application with AVP

To force ArgoCD to use our custom AVP sidecar plugin when rendering this application, specify the plugin name in the Application manifest:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: payment-app-avp
  namespace: argocd
spec:
  project: default
  source:
    repoURL: 'https://github.com/enterprise-org/payment-gitops-repo.git'
    targetRevision: HEAD
    path: 'deployments/prod'
    # Specify the plugin defined in our ConfigMap
    plugin:
      name: argocd-vault-plugin
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: application-prod
  syncPolicy:
    automated:
      prune: true
      selfHeal: true

Enterprise Security & Multi-Tenancy Hardening

Integrating Vault with ArgoCD introduces serious security responsibilities. If configured poorly, a single application team could leverage the ArgoCD pipeline to read secrets belonging to other business units. Apply the following enterprise hardening guidelines strictly.

1. Multi-Tenant Namespace Isolation using ArgoCD AppProjects

Do not deploy all applications under the default ArgoCD Project. Instead, define distinct AppProject resources for each tenant team and restrict the target namespaces they can deploy to.

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: retail-banking-team
  namespace: argocd
spec:
  description: "Deployment project for Retail Banking division"
  sourceRepos:
    - "https://github.com/enterprise-org/retail-banking-*.git"
  destinations:
    # Restrict this team strictly to their designated namespaces
    - namespace: retail-banking-prod
      server: https://kubernetes.default.svc
    - namespace: retail-banking-stage
      server: https://kubernetes.default.svc
  clusterResourceWhitelist:
    - group: ''
      kind: Namespace
  # Deny deployment of sensitive cluster-wide resources
  clusterResourceBlacklist:
    - group: '*'
      kind: ClusterRole
    - group: '*'
      kind: ClusterRoleBinding

2. Leverage Vault Namespaces

If you are using HashiCorp Vault Enterprise or HCP Vault, utilize Vault Namespaces to achieve complete cryptographic and administrative isolation between business units.

  • Create a Vault Namespace for each major business unit (e.g., vault namespace create finance).
  • Configure the Kubernetes Auth method within that specific Vault namespace.
  • Update the External Secrets ClusterSecretStore or AVP environment variables to point to the correct namespace using the X-Vault-Namespace header or configuration parameter.

3. Network Policies for Network Segmentation

Restrict network communication between your pods and Vault. Only authorized pods (such as the argocd-repo-server or the external-secrets controller) should be allowed to send network traffic to the Vault port (default 8200).

Example NetworkPolicy to restrict Vault access:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-vault-access
  namespace: vault
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: vault
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Allow traffic from External Secrets Operator Namespace
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: external-secrets
        # Allow traffic from ArgoCD Namespace
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: argocd
      ports:
        - protocol: TCP
          port: 8200

Monitoring, Observability, & Operational Runbooks

A broken secrets integration will halt your entire continuous deployment pipeline. You must monitor the health of the Vault-ArgoCD connection proactively.

Key Prometheus Metrics for External Secrets Operator

The External Secrets Operator exposes a Prometheus metrics endpoint by default. Configure your Prometheus Operator to scrape these crucial metrics:

  • external_secrets_sync_calls_total: Total number of sync requests to Vault. Monitor for steep changes.
  • external_secrets_status_condition: Indicates the health status of individual ExternalSecrets. A value of 0 indicates a failing sync.
  • external_secrets_api_request_duration_seconds: Measures Vault API latency. Spikes indicate network degradation or Vault performance issues.

Prometheus Alerting Rules

Set up the following Prometheus alerts to notify your platform engineering team immediately when secret synchronization fails:

groups:
  - name: external-secrets-alerts
    rules:
      - alert: ExternalSecretSyncFailed
        expr: external_secrets_status_condition{status="False", condition="Ready"} == 1
        for: 5m
        labels:
          severity: critical
        annotations:
          summary: "ExternalSecret synchronization failed for {{ $labels.name }}"
          description: "The ExternalSecret {{ $labels.name }} in namespace {{ $labels.namespace }} has failed to sync with HashiCorp Vault for more than 5 minutes."

Troubleshooting & Debugging Playbook

When secrets fail to sync, use this systematic runbook to pinpoint and resolve the issue.

Scenario 1: Vault returns "Permission Denied" (403)

Symptom: The External Secrets Operator logs show "Vault login failed: Error making API request... Code: 403", or ArgoCD Vault Plugin fails to render manifests with permission errors.

Resolution Steps:

  1. Verify the ServiceAccount exists in the target namespace and is correctly bound to the pod.
    kubectl get serviceaccount -n external-secrets external-secrets -o yaml
  2. Inspect the token payload to ensure it contains the correct issuer and namespace claims.
  3. Check the Vault Kubernetes auth role configuration. Ensure the bound_service_account_names and bound_service_account_namespaces match your cluster setup exactly.
    vault read auth/kubernetes/role/eso-role
  4. Verify the Vault policy has read permissions for the exact secret engine path. Remember that for Key-Value v2 engines, the path must include the /data/ prefix (e.g., secret/data/apps/* instead of secret/apps/*).

Scenario 2: ArgoCD App fails with "ConfigManagementPlugin not found"

Symptom: ArgoCD Application displays a degraded state with the error: "failed to resolve... CMP 'argocd-vault-plugin' not found".

Resolution Steps:

  1. Check the logs of your argocd-repo-server deployment to see if the sidecar container started successfully.
    kubectl logs -n argocd deployment/argocd-repo-server -c avp
  2. Ensure the plugin.yaml file is mounted correctly inside the sidecar container at /home/argocd/cmp-server/config/plugin.yaml.
    kubectl exec -n argocd -it deployment/argocd-repo-server -c avp -- cat /home/argocd/cmp-server/config/plugin.yaml
  3. Verify the name in the plugin.yaml matches the name defined in the Application resource's plugin parameter exactly.

Scenario 3: Secret rotated in Vault but not updating in Kubernetes

Symptom: You updated a secret key inside Vault, but the application pod is still running with the old value.

Resolution Steps:

  1. For the External Secrets Operator: Check the refreshInterval in your ExternalSecret manifest. If set too high (e.g., 24h), the change will not propagate immediately. You can force an immediate sync by adding a dummy annotation to trigger a reconciliation:
    kubectl annotate externalsecret payment-db-secret force-sync=$(date +%s) --overwrite -n payment-prod
  2. For the Argo CD Vault Plugin: AVP only replaces placeholders during the manifest generation phase of an ArgoCD Sync event. You must trigger a hard refresh and manual Sync in ArgoCD to fetch the latest values from Vault.
  3. Verify if your application container is caching the secret. If the secret is mounted as an environment variable, the application must be restarted to read the new value. We recommend using tools like Reloader to automatically trigger rolling restarts of deployments when associated Secrets change.

Enterprise Interview Questions & Answers

Q1: Explain the security implications of using Argo CD Vault Plugin (AVP) versus External Secrets Operator (ESO).

Answer: The core security differences lie in where decryption occurs and how secrets are stored.

With AVP, decryption happens in memory on the argocd-repo-server pod during manifest generation. The plaintext secrets are then written directly to the target Kubernetes cluster API. While secrets are never stored in Git, they are stored as standard Kubernetes Secrets in the cluster database (etcd). The risk is that the argocd-repo-server requires high-level access to Vault, meaning any vulnerability or compromise of the repo-server could expose all secrets for all applications.

With ESO, decryption is handled by a dedicated controller running inside the target cluster. ArgoCD only manages non-sensitive custom resources (ExternalSecret). This provides excellent separation of concerns: ArgoCD has zero access to Vault, and Vault access is distributed down to individual namespaces or controlled via a secure, audited cluster operator. This makes ESO much safer for multi-tenant, zero-trust enterprise platforms.

Q2: How does the Vault Kubernetes Auth Method validate the authenticity of a client ServiceAccount token?

Answer: When a client pod authenticates, it sends its local JSON Web Token (JWT) ServiceAccount token to Vault via the /v1/auth/kubernetes/login endpoint.

Vault takes this token and queries the Kubernetes API TokenReview endpoint (/apis/authentication.k8s.io/v1/tokenreviews). The Kubernetes API validates the token's signature, expiry, and metadata, and returns the authenticated ServiceAccount name and namespace back to Vault. If valid, Vault checks its internal role mapping to see if that ServiceAccount is authorized to assume the requested role, and then issues a Vault Token with policies tied to that role.

Q3: How do you handle Vault API rate-limiting and performance bottlenecks in a large-scale cluster with thousands of secrets?

Answer: To prevent overloading Vault, we must implement several optimization layers:

  • Adjust Polling Intervals: Increase the refreshInterval of ExternalSecret resources to reasonable times (e.g., 1 hour instead of 10 seconds).
  • Vault Agent Caching: Use local Vault Agent sidecars or local caching proxies to cache tokens and secrets, reducing direct read requests to the Vault backend.
  • Resource Batches: Consolidate multiple secret keys into a single Vault secret path and fetch them in a single API call rather than making individual calls for every single variable.
  • Vault Scaling: Ensure Vault is configured in a High Availability (HA) cluster with performance secondary read replicas to distribute read traffic away from the active primary node.

Frequently Asked Questions (FAQs)

Can I use both External Secrets Operator and Argo CD Vault Plugin together?

Yes, but it is generally an anti-pattern. Using both increases cognitive load, complicates troubleshooting, and fragments your secrets management strategy. It is highly recommended to standardize on one pattern across the entire organization.

Is it safe to store Kubernetes Secret manifests in Git if they are encrypted?

While tools like Mozilla SOPS or Sealed Secrets allow you to commit encrypted secrets to Git, it is generally discouraged in large enterprises. Key rotation is painful, access control is governed by Git access rather than dynamic IAM/

About the Author

Naresh Kumar

Naresh Kumar

Senior Java Backend Engineer experienced in Banking, Payments, ISO 20022, Spring Boot, Microservices, Kafka, Docker, Kubernetes, AWS and Cloud Native Systems.

Built enterprise payment solutions, transaction processing systems, API platforms and scalable microservices used in production.

LinkedIn Profile