# Chapter 49: Secrets Management

Applications require credentials—database passwords, API keys, TLS certificates, and service tokens. Yet hardcoding these values violates every security principle, while poor secret management has caused major breaches (Uber, Codecov, CircleCI). This chapter moves beyond basic Kubernetes Secrets to enterprise-grade secret lifecycle management: securely injecting credentials from external vaults, automating rotation without downtime, encrypting data at rest and in transit, and maintaining GitOps workflows without exposing sensitive values. We examine the **External Secrets Operator** for cloud integration, **HashiCorp Vault** for dynamic secrets, cloud-native managers (AWS, Azure, GCP), and encryption strategies that satisfy compliance requirements while preserving developer velocity.

## 49.1 Kubernetes Secrets

Kubernetes Secrets are native resources designed to store sensitive data separately from container images and Pod specifications. However, they provide only baseline protection and significant limitations that production environments must address.

### Native Secret Types

**Opaque** (Generic):
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: production
type: Opaque
stringData:  # Automatically base64 encoded by API server
  username: admin
  password: SuperSecret123!
  connection-string: "postgresql://admin:SuperSecret123!@db:5432/app"
```

**TLS**:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: ingress-tls
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded-cert>
  tls.key: <base64-encoded-key>
```

**Docker Registry**:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: registry-auth
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64-encoded-json>
```

**Service Account Token** (Legacy - now projected volumes):
```yaml
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: sa-token
  annotations:
    kubernetes.io/service-account.name: "my-sa"
```

### Consuming Secrets in Pods

**Environment Variables** (Convenient but risky - visible in `kubectl describe`):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-with-env
spec:
  containers:
  - name: app
    image: myapp:latest
    env:
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: db-credentials
          key: password
          optional: false  # Fail if secret doesn't exist
```

**Volume Mounts** (Preferred - files with permissions):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-with-mount
spec:
  containers:
  - name: app
    image: myapp:latest
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secrets"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: db-credentials
      defaultMode: 0400  # Read-only for owner
      items:  # Optional: selective projection
      - key: password
        path: db-password.txt
```

### Limitations and Security Concerns

**Base64 is Not Encryption**:
```bash
# Anyone with API access can read secrets
kubectl get secret db-credentials -o jsonpath='{.data.password}' | base64 -d
# Output: SuperSecret123!
```

**etcd Storage**:
By default, Secrets are stored in etcd as unencrypted base64 strings. Anyone with etcd access or backup files can extract all credentials.

**RBAC Limitations**:
```yaml
# Difficult to prevent secret reading while allowing other operations
# Any user with "get secrets" in a namespace sees all secrets
```

**No Automatic Rotation**:
Kubernetes Secrets are static. Changing a secret requires updating the Secret resource and restarting Pods to pick up new environment variables (volumes update dynamically, but apps must watch files).

**GitOps Incompatibility**:
You cannot commit `Secret` manifests to Git repositories (even private ones) without exposing sensitive data, breaking GitOps workflows.

## 49.2 External Secret Managers

The **External Secrets Operator (ESO)** synchronizes secrets from external APIs (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, GCP Secret Manager, etc.) into Kubernetes Secrets automatically.

### Architecture

**Components**:
- **SecretStore**: Cluster-scoped or namespace-scoped configuration for external API authentication
- **ExternalSecret**: Resource defining what to fetch and how to synchronize
- **Webhook**: Validation and mutation

**Flow**:
1. ExternalSecret references a SecretStore
2. Controller authenticates to external provider
3. Fetches secret value
4. Creates/updates Kubernetes Secret
5. Optional: Automatic rotation detection and updates

### Installation

```bash
# Install via Helm
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets \
  --namespace external-secrets \
  --create-namespace \
  --set installCRDs=true
```

### AWS Secrets Manager Integration

**SecretStore** (IRSA - IAM Roles for Service Accounts):
```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager
  namespace: production
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-sa
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets-sa
  namespace: production
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT:role/external-secrets-role
```

**IAM Policy**:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:ACCOUNT:secret:prod/*"
    }
  ]
}
```

**ExternalSecret**:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
  namespace: production
spec:
  refreshInterval: 1h  # Sync frequency
  secretStoreRef:
    kind: SecretStore
    name: aws-secrets-manager
  target:
    name: db-credentials-kubernetes
    creationPolicy: Owner
    deletionPolicy: Retain  # Keep K8s secret if ExternalSecret deleted
    template:
      type: Opaque
      data:
        connection-string: "postgresql://{{ .username }}:{{ .password }}@{{ .host }}:5432/app"
  data:
  - secretKey: username
    remoteRef:
      key: prod/db/credentials  # AWS secret name
      property: username       # JSON key within secret
  - secretKey: password
    remoteRef:
      key: prod/db/credentials
      property: password
  - secretKey: host
    remoteRef:
      key: prod/db/credentials
      property: host
```

**AWS Secret Value** (JSON format):
```json
{
  "username": "app_user",
  "password": "auto-generated-secure-password",
  "host": "prod-db.cluster-xyz.us-east-1.rds.amazonaws.com"
}
```

### ClusterSecretStore (Multi-Tenant)

For secrets used across namespaces (e.g., shared certificates):

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: global-secrets
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-sa
            namespace: external-secrets
  conditions:
  - namespaces:
      - production
      - staging
      - "team-*"  # Regex support
```

## 49.3 Vault Integration

HashiCorp Vault provides dynamic secrets, leasing, and automatic rotation superior to static secret storage.

### Authentication Methods

**Kubernetes Auth** (Service Account verification):
```yaml
# Vault configuration (performed by Vault admin)
vault auth enable kubernetes

vault write auth/kubernetes/config \
  token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
  kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
  kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
```

**Role Configuration**:
```bash
vault write auth/kubernetes/role/app-role \
  bound_service_account_names=app-sa \
  bound_service_account_namespaces=production \
  policies=app-db-policy \
  ttl=1h
```

### Static Secrets (KV V2)

**SecretStore**:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "https://vault.company.internal:8200"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "app-role"
          serviceAccountRef:
            name: app-sa
```

**ExternalSecret**:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: vault-static
spec:
  refreshInterval: "5m"
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  data:
  - secretKey: db-password
    remoteRef:
      key: secret/data/prod/db  # Vault path
      property: password
```

### Dynamic Secrets (Database)

Vault generates temporary database credentials with automatic TTL:

**Vault Configuration**:
```bash
# Enable database secrets engine
vault secrets enable database

# Configure PostgreSQL connection
vault write database/config/postgres \
  plugin_name=postgresql-database-plugin \
  allowed_roles="app-role" \
  connection_url="postgresql://{{username}}:{{password}}@postgres:5432/" \
  username="vaultadmin" \
  password="vaultpass"

# Create role with SQL statements
vault write database/roles/app-role \
  db_name=postgres \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
                       GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"
```

**Application Integration** (Vault Agent Sidecar):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-with-vault
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "app-role"
    vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/app-role"
    vault.hashicorp.com/agent-inject-template-db-creds: |
      {{ with secret "database/creds/app-role" -}}
      export DB_USER="{{ .Data.username }}"
      export DB_PASS="{{ .Data.password }}"
      export DB_HOST="postgres"
      {{- end }}
    vault.hashicorp.com/agent-pre-populate-only: "true"  # Exit after initial fetch
spec:
  serviceAccountName: app-sa
  containers:
  - name: app
    image: myapp:latest
    command: ["/bin/sh", "-c"]
    args:
      - source /vault/secrets/db-creds && ./start-app.sh
```

**CSI Driver Integration** (Preferred for production):
```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: vault-db
spec:
  provider: vault
  parameters:
    vaultAddress: "https://vault.company.internal:8200"
    roleName: "app-role"
    objects: |
      - objectName: "db-password"
        secretPath: "database/creds/app-role"
        secretKey: "password"
  secretObjects:  # Sync to Kubernetes Secret (optional)
  - secretName: vault-db-creds
    type: Opaque
    data:
    - objectName: db-password
      key: password
---
# Pod using CSI driver
apiVersion: v1
kind: Pod
metadata:
  name: app-with-csi
spec:
  containers:
  - name: app
    image: myapp:latest
    volumeMounts:
    - name: vault-vol
      mountPath: "/mnt/secrets"
      readOnly: true
  volumes:
  - name: vault-vol
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: "vault-db"
```

## 49.4 AWS Secrets Manager

Deep integration with AWS ecosystem using IAM roles and encryption.

### Creating Secrets

**Console/CLI**:
```bash
# Create secret with rotation
aws secretsmanager create-secret \
  --name prod/db/credentials \
  --secret-string '{"username":"admin","password":"changeme","host":"db.cluster-xyz.us-east-1.rds.amazonaws.com"}' \
  --kms-key-id alias/aws/secretsmanager

# Enable rotation (Lambda function)
aws secretsmanager rotate-secret \
  --secret-id prod/db/credentials \
  --rotation-lambda-arn arn:aws:lambda:us-east-1:ACCOUNT:function:SecretsManagerRotation \
  --automatically-after-days 30
```

**CloudFormation/Terraform**:
```hcl
resource "aws_secretsmanager_secret" "db" {
  name                    = "prod/db/credentials"
  description             = "Database credentials"
  kms_key_id              = aws_kms_key.secrets.arn
  recovery_window_in_days = 7
  
  replica {
    region = "us-west-2"
  }
}

resource "aws_secretsmanager_secret_version" "db" {
  secret_id = aws_secretsmanager_secret.db.id
  secret_string = jsonencode({
    username = "admin"
    password = random_password.db.result
    host     = aws_rds_cluster.db.endpoint
  })
}

# Automatic rotation
resource "aws_secretsmanager_secret_rotation" "db" {
  secret_id           = aws_secretsmanager_secret.db.id
  rotation_lambda_arn = aws_lambda_function.rotation.arn

  rotation_rules {
    automatically_after_days = 30
    schedule_expression      = "rate(30 days)"
  }
}
```

### Cross-Account Access

**Account A (Secret Owner)**:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-B:role/external-secrets-role"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*"
    }
  ]
}
```

**Account B (EKS Cluster)**:
```yaml
# ServiceAccount with IRSA pointing to Account A
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT-B:role/external-secrets-role
```

## 49.5 Azure Key Vault

Integration with Azure Managed Identity and AKS.

### Managed Identity Setup

**AKS Cluster Configuration**:
```bash
# Enable OIDC issuer
az aks update \
  --name my-cluster \
  --resource-group my-rg \
  --enable-oidc-issuer \
  --enable-workload-identity

# Create managed identity
az identity create \
  --name external-secrets-identity \
  --resource-group my-rg

# Federated credential (Kubernetes service account)
az identity federated-credential create \
  --name eso-federated \
  --identity-name external-secrets-identity \
  --resource-group my-rg \
  --issuer $(az aks show --name my-cluster --resource-group my-rg --query "oidcIssuerProfile.issuerUrl" -o tsv) \
  --subject system:serviceaccount:external-secrets:external-secrets-sa
```

**Key Vault Access Policy**:
```bash
az keyvault set-policy \
  --name my-keyvault \
  --object-id $(az identity show --name external-secrets-identity --resource-group my-rg --query principalId -o tsv) \
  --secret-permissions get list
```

### External Secrets Configuration

```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: azure-kv
spec:
  provider:
    azurekv:
      authType: WorkloadIdentity
      vaultUrl: https://my-keyvault.vault.azure.net/
      serviceAccountRef:
        name: external-secrets-sa
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: azure-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: azure-kv
  target:
    name: kubernetes-secret
  data:
  - secretKey: db-password
    remoteRef:
      key: db-password  # Secret name in Key Vault
```

## 49.6 GitOps and Secrets

GitOps requires declaring desired state in Git, but secrets cannot be stored in repositories. Solutions include **Sealed Secrets** (encrypted) and **SOPS** (Mozilla Secrets OPerationS).

### Sealed Secrets (Bitnami)

**Workflow**:
1. Developer encrypts Secret using `kubeseal` and public certificate
2. Commits encrypted `SealedSecret` to Git
3. Controller decrypts to regular Secret in cluster

**Installation**:
```bash
# Controller
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml

# Client tool (kubeseal)
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/kubeseal-0.24.0-linux-amd64.tar.gz
```

**Usage**:
```bash
# Create secret locally (never commit this)
kubectl create secret generic db-credentials \
  --from-literal=password=SuperSecret \
  --dry-run=client -o yaml > secret.yaml

# Seal it (encrypts with cluster public key)
kubeseal --format yaml < secret.yaml > sealed-secret.yaml

# Commit sealed-secret.yaml to Git
git add sealed-secret.yaml

# Apply to cluster (controller decrypts)
kubectl apply -f sealed-secret.yaml

# Verify created
kubectl get secret db-credentials
```

**SealedSecret YAML**:
```yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-credentials
  namespace: production
spec:
  encryptedData:
    password: AgByA...  # Encrypted with cluster-specific key
  template:
    type: Opaque
    metadata:
      annotations:
        sealedsecrets.bitnami.com/managed: "true"
```

**Scope**:
- **Strict** (default): Name and namespace must match
- **Namespace-wide**: Any name, specific namespace
- **Cluster-wide**: Any name, any namespace (use with caution)

### Mozilla SOPS

SOPS encrypts values in YAML/JSON files using AWS KMS, GCP KMS, Azure Key Vault, or PGP.

**Configuration** (`.sops.yaml`):
```yaml
creation_rules:
  - path_regex: \.enc\.yaml$
    kms: arn:aws:kms:us-east-1:ACCOUNT:key/KEY-ID
    aws_profile: default
```

**Encrypting**:
```bash
# Original secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
stringData:
  password: SuperSecret

# Encrypt
sops -e -i secret.yaml  # Creates secret.yaml with encrypted values

# Rename for clarity
mv secret.yaml secret.enc.yaml
```

**Encrypted Output**:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
stringData:
  password: ENC[AES256_GCM,data:...,iv:...,type:str]
sops:
  kms:
    - arn: arn:aws:kms:us-east-1:ACCOUNT:key/KEY-ID
      created_at: '2024-01-15T10:00:00Z'
  lastmodified: '2024-01-15T10:00:00Z'
  version: 3.7.3
```

**Flux Integration** (GitOps):
```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: app
spec:
  decryption:
    provider: sops
    secretRef:
      name: sops-aws-keys  # AWS credentials for KMS
```

**KSOPS** (Kustomize plugin):
```yaml
# kustomization.yaml
generators:
  - secret-generator.yaml

# secret-generator.yaml
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  name: secret-generator
files:
  - secret.enc.yaml
```

## 49.7 Secret Rotation

Static secrets are a liability. Rotation limits blast radius of compromised credentials.

### Strategies

**Manual Rotation**:
1. Update external secret manager (Vault, AWS SM)
2. External Secrets Operator detects change
3. Updates Kubernetes Secret
4. Application must reload (restart or hot-reload)

**Automatic Rotation** (Dynamic Secrets):
- Vault database credentials with TTL
- AWS RDS IAM authentication (15-minute tokens)
- Azure Managed Identity tokens

**Zero-Downtime Rotation**:
```yaml
# Strategy: Dual secret support in app
# App accepts both OLD and NEW credentials during transition

apiVersion: batch/v1
kind: Job
metadata:
  name: rotate-secrets
spec:
  template:
    spec:
      containers:
      - name: rotator
        image: rotation-script:latest
        env:
        - name: DB_HOST
          value: postgres
        command:
        - /bin/sh
        - -c
        - |
          # 1. Generate new password in DB
          NEW_PASS=$(openssl rand -base64 32)
          psql -c "ALTER USER app WITH PASSWORD '$NEW_PASS';"
          
          # 2. Update secret manager
          aws secretsmanager put-secret-value \
            --secret-id prod/db/credentials \
            --secret-string "{\"password\":\"$NEW_PASS\"}"
          
          # 3. Wait for apps to pick up (rolling restart or hot reload)
          kubectl rollout restart deployment/app
          
          # 4. Revoke old connections (optional)
          psql -c "SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename='app' AND state='idle';"
      restartPolicy: OnFailure
```

**Certificate Rotation** (TLS):
```yaml
# cert-manager handles automatic renewal
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-tls
spec:
  secretName: app-tls-secret
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - app.company.com
  renewBefore: 720h  # 30 days before expiry
  duration: 8760h  # 1 year
```

**Hot Reload Pattern** (Application side):
```python
# Python example: Watch file for changes
import os
import signal
from watchdog.observers import Observer
from watchdog.events import FileSystemEventHandler

class SecretReloadHandler(FileSystemEventHandler):
    def on_modified(self, event):
        if event.src_path == '/etc/secrets/password':
            print("Secret changed, reloading...")
            # Reload connection pool or restart process
            os.kill(os.getpid(), signal.SIGHUP)

# Application starts with file watcher
observer = Observer()
observer.schedule(SecretReloadHandler(), '/etc/secrets')
observer.start()
```

## 49.8 Encryption at Rest and in Transit

### etcd Encryption

Enable KMS encryption for Secrets at rest:

**EncryptionConfiguration**:
```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      - configmaps
    providers:
      - kms:
          name: myKMSPlugin
          endpoint: unix:///var/run/kmsplugin/socket.sock
          cachesize: 1000
          timeout: 3s
      - aescbc:
          keys:
            - name: key1
              secret: <base64-encoded-32-byte-key>
      - identity: {}  # Fallback: unencrypted (must be last)
```

**AWS KMS Provider**:
```yaml
# Deploy AWS Encryption Provider
containers:
- name: aws-encryption-provider
  image: aws/aws-encryption-provider:v0.0.1
  args:
    - --key=arn:aws:kms:us-east-1:ACCOUNT:key/KEY-ID
    - --region=us-east-1
    - --listen=/var/run/kmsplugin/socket.sock
  volumeMounts:
  - name: kms-socket
    mountPath: /var/run/kmsplugin
```

**Verification**:
```bash
# Check if encryption is active
kubectl get secret db-credentials -o json | \
  etcdctl get /registry/secrets/default/db-credentials | \
  hexdump -C

# Should see encrypted data, not plaintext "password"
```

### TLS in Transit

**Service Mesh** (Istio/Linkerd) provides automatic mTLS:
```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT  # Require mutual TLS
```

**Without Service Mesh** (Application responsibility):
```yaml
# Mount TLS certs from cert-manager
apiVersion: v1
kind: Pod
metadata:
  name: secure-app
spec:
  containers:
  - name: app
    image: myapp:latest
    volumeMounts:
    - name: tls
      mountPath: /etc/tls
      readOnly: true
    env:
    - name: TLS_CERT
      value: /etc/tls/tls.crt
    - name: TLS_KEY
      value: /etc/tls/tls.key
  volumes:
  - name: tls
    secret:
      secretName: app-tls-secret
```

**Secret Encryption in Transit** (External Secrets Operator):
```yaml
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      # Uses TLS 1.2+ automatically
      # Additional CA validation:
      caProvider:
        type: ConfigMap
        name: custom-ca-bundle
        namespace: external-secrets
```

---

## Chapter Summary and Preview

This chapter established comprehensive secret management strategies for Kubernetes environments, moving beyond native Secrets—which offer no encryption by default and static lifecycle limitations—to dynamic, automated secret injection and rotation.

We examined the **External Secrets Operator** as the bridge between cloud secret managers (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) and Kubernetes, enabling automatic synchronization without storing credentials in Git. **HashiCorp Vault** integration provides dynamic database credentials with automatic TTL and leasing, eliminating long-lived passwords entirely. For GitOps workflows, **Sealed Secrets** and **Mozilla SOPS** enable encrypted secret storage in repositories, maintaining the GitOps single-source-of-truth principle while protecting sensitive values.

Secret rotation strategies must minimize downtime through dual-credential support or hot-reload patterns, while **encryption at rest** via KMS providers ensures that even etcd backups remain protected. **Certificate rotation** via cert-manager automates TLS lifecycle management.

**Key Takeaways:**
- Never commit unencrypted secrets to Git; use Sealed Secrets or SOPS for GitOps, or External Secrets for external vault integration.
- Prefer dynamic secrets (Vault database credentials, IAM database authentication) over static passwords to eliminate rotation complexity.
- Enable etcd encryption with KMS providers; base64 is not encryption, and etcd backups contain all cluster secrets in plaintext without it.
- Use workload identity (IRSA, Workload Identity) rather than long-lived cloud credentials for External Secrets Operator authentication.
- Implement hot-reload patterns in applications or use sidecar patterns to avoid Pod restarts during secret rotation.
- Rotate certificates automatically via cert-manager with appropriate `renewBefore` windows to prevent expiry-related outages.

**Security Culture:** Secrets are temporary, not permanent. Design systems where credentials have minimal lifetime, automatic rotation is seamless, and compromise of any single secret does not cascade into system-wide access.

**Next Chapter Preview:** Chapter 50: Compliance and Governance addresses the regulatory and organizational requirements that govern CI/CD practices. We will explore **SOC 2**, **PCI-DSS**, **HIPAA**, and **GDPR** implications for containerized workloads, implementing **audit trails** for every pipeline execution and deployment decision, **policy enforcement** through Open Policy Agent (OPA) and Kyverno for resource constraints, **approval workflows** for production deployments, **change management** integration with ITSM tools, and automated **compliance reporting** that transforms security from a manual audit burden into a continuous, verifiable system property. We will examine how to maintain velocity while satisfying auditors through automated evidence collection and infrastructure-as-code compliance controls.