Secret management
Reading secrets
Kratix workflows run in Kubernetes and use the native Secret model. If a
workflow needs credentials or tokens, create a Kubernetes Secret and reference
it as you would for any other Pod. There is no Kratix-specific secret store;
workflow Pods inherit whatever access you grant in the cluster.
See the Kubernetes docs for the core concepts and usage:
Writing and syncing secrets
Kratix does not define how secrets are authored or stored; it relies on whatever secret management workflow you already use for Kubernetes. Common approaches include:
- Sealed Secrets for storing encrypted secrets in Git.
- External Secrets Operator to pull from cloud secret managers.
- HashiCorp Vault via a Kubernetes auth method and sync controller.
These tools typically reconcile into Kubernetes Secret objects, which makes
them available to Kratix workflows. In GitOps workflows, the encrypted or
generated secret manifests live in Git, and your controller applies the
decrypted or synced secrets to the cluster.
