Deep Dive: ArgoCD Vault Plugin (AVP) for GitOps Secrets

This is part of the Vault + Kubernetes Integration Guide. Return to the main guide for the full architecture overview.

The ArgoCD Vault Plugin (AVP) bridges the gap between GitOps and secrets management. It processes your Kubernetes manifests at sync time, replacing placeholder tokens with real values from Vault — so you never commit actual secrets to Git.

The Problem AVP Solves

WITHOUT AVP:
┌──────────┐                   ┌─────────────┐
│   Git    │  ❌ Real secrets   │ Kubernetes  │
│          │──────────────────►│             │
│          │  committed to Git │             │
└──────────┘                   └─────────────┘

WITH AVP:
┌──────────┐  Placeholders ┌──────────┐  Resolved ┌─────────────┐
│   Git    │──────────────►│  ArgoCD  │──────────►│ Kubernetes  │
│ <secret> │               │  + AVP   │           │ (real vals) │
└──────────┘               └────┬─────┘           └─────────────┘
                                │
                           ┌────▼─────┐
                           │  Vault   │
                           └──────────┘

Installation

Method 1: InitContainer (Recommended)

Patch the argocd-repo-server to download AVP at startup:...

May 15, 2026 · 4 min · Dileep Kumar

Deep Dive: Vault Secrets Operator (VSO) for Kubernetes

This is part of the Vault + Kubernetes Integration Guide. Return to the main guide for the full architecture overview.

The Vault Secrets Operator (VSO) is HashiCorp’s latest and most Kubernetes-native approach to secrets management. It uses Custom Resource Definitions (CRDs) to declaratively define what secrets to sync — making it a perfect fit for GitOps workflows.

Why VSO Over Agent Injector?

| Feature | Agent Injector | VSO |
|---|---|---|
| Architecture | Sidecar per pod | Single controller |
| Resource overhead | High (per-pod) | Minimal (controller only) |
| Configuration | Annotations (imperative) | CRDs (declarative) |
| GitOps friendly | ⚠️ Limited | ✅ Fully declarative |
| Auto rollout restart | ❌ Manual | ✅ Built-in |
| Dynamic secrets | ✅ Via sidecar | ✅ Via operator reconciliation |
| Secrets in etcd | ❌ tmpfs only | ✅ Synced to K8s Secret |

Installation

helm repo add hashicorp https://helm....

May 15, 2026 · 4 min · Dileep Kumar