--- menu: learn: parent: Secrets title: Secrets management in the Validated Patterns framework weight: 61 aliases: /secrets/secrets-management-in-the-Validated-Patterns-framework/ --- :toc: :_content-type: ASSEMBLY include::modules/comm-attributes.adoc[] [id="secrets-management-in-the-Validated-Patterns-framework"] = Overview of secrets management Secrets management is a critical aspect of software development, especially when dealing with sensitive information such as passwords, API keys, and tokens. In the context of GitOps, where the state of an application is stored in a Git repository, managing secrets requires careful handling to avoid exposing sensitive information. Managing secrets in values files involves securely handling this sensitive information within configuration files, ensuring that these secrets are safely stored and managed, thereby reducing the risk of exposure or unauthorized access. *Recommended Practices* * *Avoid committing secrets to Git repositories*: Never store secrets directly in Git repositories, including private ones, as they can be accidentally exposed or accessed by unauthorized users. If secrets are committed, they should be considered compromised and rotated immediately. * *Use secret references*: Instead of storing actual secret values in configuration files, store references to those secrets. This method is supported by major secret management solutions like HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault. Applications can fetch the secrets securely at runtime using these references. * *Encrypt secrets at rest*: Always encrypt secrets wherever they are stored. This includes encrypting files on local machines, using encrypted storage solutions, and leveraging built-in encryption mechanisms provided by secret management tools. Ansible, for example, supports encryption of files at rest with tools like ansible-vault. * *Use external secret management tools*: Use external tools like the External Secrets Operator (ESO) to manage secrets outside of the application's core configuration. This reduces the risk of accidental exposure and ensures a more secure secret management process. include::modules/basic-secrets-configuration-in-a-clustergroup.adoc[leveloffset=+1] include::modules/secret-store-configuration-in-a-clustergroup.adoc[leveloffset=+1] include::modules/letsencrypt-secrets-configuration-in-a-clustergroup.adoc[leveloffset=+1]