argocd

This is part of the Vault + Kubernetes Integration Guide. Return to the main guide for the full architecture overview. The ArgoCD Vault Plugin (AVP) bridges the gap between GitOps and secrets management. It processes your Kubernetes manifests at sync time, replacing placeholder tokens with real values from Vault — so you never commit actual secrets to Git. The Problem AVP Solves WITHOUT AVP: ┌──────────┐ ┌─────────────┐ │ Git │ ❌ Real secrets │ Kubernetes │ │ │──────────────────►│ │ │ │ committed to Git │ │ └──────────┘ └─────────────┘ WITH AVP: ┌──────────┐ Placeholders ┌──────────┐ Resolved ┌─────────────┐ │ Git │──────────────►│ ArgoCD │──────────►│ Kubernetes │ │ <secret> │ │ + AVP │ │ (real vals) │ └──────────┘ └────┬─────┘ └─────────────┘ │ ┌────▼─────┐ │ Vault │ └──────────┘ Installation Method 1: InitContainer (Recommended) Patch the argocd-repo-server to download AVP at startup:...

Managing secrets in Kubernetes is one of those challenges that every platform team eventually faces. Base64-encoded Kubernetes Secrets stored in etcd are not encryption — they’re encoding. If you’re running anything beyond a hobby cluster, you need a proper secrets management solution. This guide is your one-stop reference for HashiCorp Vault + Kubernetes. It covers the architecture, compares every integration method, and links to detailed implementation guides for each approach....