Data Flow: Secrets
Purpose: For platform engineers, explains how secrets flow from encrypted YAML in Git to usable Kubernetes Secrets in the cluster.
Flow Summary
Components
| Component | Namespace | Role |
|---|---|---|
| SOPS (CLI) | Developer workstation | Encrypts secret values before commit |
| Age key pair | flux-system (private), Git (public) | Asymmetric encryption — public key encrypts, private key decrypts |
| Kustomize Controller | flux-system | Decrypts SOPS-encrypted files during reconciliation |
Sequence
- Developer encrypts a Secret manifest using `sops --encrypt` with the cluster's Age public key.
- Encrypted file is committed and pushed to Git (only `data`/`stringData` values are encrypted; metadata remains readable).
- Source Controller fetches the updated repository.
- Kustomize Controller encounters the encrypted file during Kustomization build.
- Controller decrypts values in-memory using the Age private key stored in the `sops-age` Secret in `flux-system`.
- Decrypted manifest is applied to the target namespace as a standard Kubernetes Secret.
- Pods reference the Secret via `envFrom`, `secretKeyRef`, or volume mounts.
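The Git-side half of this sequence as a worked shell example. This is an added example, not code from the original document or from the Flux or SOPS projects: `AGE_PUBKEY`, the manifest file names, the `apps` Kustomization and the `db-credentials` sample are assumptions, and the ciphertext in the sample manifest is constructed rather than real SOPS output. Besides the encrypt step it shows the `sops --rotate` call behind the rotation property, the Flux Kustomization `decryption` stanza that makes the Kustomize Controller read the `sops-age` Secret, and a pre-commit guard that enforces "only ciphertext reaches Git".

```shell
# Added example, not part of the original document: sops calls for encryption and key
# rotation, the Flux Kustomization stanza that enables decryption, and a pre-commit guard
# that refuses a Secret manifest unless every data/stringData value is SOPS ciphertext.
# AGE_PUBKEY and all file names are assumptions.
set -eu

AGE_PUBKEY="${AGE_PUBKEY:-age1placeholderclusterpublickey}"   # placeholder, not a real key

# Sequence step 1: encrypt only data/stringData so name, namespace and type stay readable.
encrypt_secret() {
  sops --encrypt --age "$AGE_PUBKEY" --encrypted-regex '^(data|stringData)$' --in-place "$1"
}

# Rotation: re-wrap each file's data key for the new recipient and drop the old one; the
# sops-age Secret in flux-system is then updated with the new private key and reconciled.
rotate_recipient() {
  old="$1"; new="$2"; shift 2
  for f in "$@"; do sops --rotate --add-age "$new" --rm-age "$old" --in-place "$f"; done
}

# Flux side: the Kustomization applying the repo opts in to SOPS decryption and names the
# Secret that holds the Age private key (sops-age, as in the sequence above).
write_flux_kustomization() {
  cat > "$1" <<'EOF'
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  interval: 10m
  path: ./apps
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age
EOF
}

# Pre-commit guard (sequence step 2): returns 0 only for a Secret that carries a sops metadata
# block and whose data/stringData values are all ENC[...] ciphertext. A block with no values
# (or flow-style YAML this line scanner cannot read) is rejected rather than trusted.
secret_is_encrypted() {
  grep -q '^kind: Secret$' "$1" || return 1
  grep -q '^sops:' "$1" || return 1
  awk '
    /^(data|stringData):/ { in_block = 1; next }
    /^[^ ]/               { in_block = 0 }
    in_block && /^[ ]+[^ ]+: +/ {
      sub(/^[ ]+[^ ]+: +/, ""); n++
      if ($0 !~ /^ENC\[AES256_GCM,/) bad++
    }
    END { exit ((n == 0 || bad > 0) ? 1 : 0) }
  ' "$1"
}

# Constructed sample of a Secret after sops --encrypt (ciphertext and recipient are fake).
write_sample_encrypted() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
    name: db-credentials
    namespace: app
stringData:
    password: ENC[AES256_GCM,data:bm90IHJlYWw=,iv:CCCC,tag:DDDD,type:str]
sops:
    age:
        - recipient: age1placeholderclusterpublickey
          enc: placeholder-wrapped-data-key
    encrypted_regex: ^(data|stringData)$
    mac: ENC[AES256_GCM,data:placeholder,type:str]
EOF
}

# Constructed sample of the same Secret before encryption; the guard must reject it.
write_sample_plaintext() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
    name: db-credentials
stringData:
    password: hunter2
EOF
}

main() {
  dir=$(mktemp -d)
  write_sample_encrypted "$dir/db-credentials.sops.yaml"
  write_sample_plaintext "$dir/db-credentials.plain.yaml"
  secret_is_encrypted "$dir/db-credentials.sops.yaml" && echo "ciphertext manifest: ok to commit"
  secret_is_encrypted "$dir/db-credentials.plain.yaml" || echo "plaintext manifest: blocked"
  rm -rf "$dir"
}
main
```

Run `secret_is_encrypted` from a pre-commit hook or CI job over every manifest under the secrets path: it catches both a file that was never encrypted and one where a new key was added under `data` after encryption (the value sits beside ciphertext but is itself plaintext). The guard fails closed on anything it cannot scan line by line, so an unusual manifest forces a maintainer to look instead of silently passing.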
Security Properties
- Private key never leaves the cluster (injected at bootstrap, stored as a Kubernetes Secret).
- Git history contains only ciphertext — safe for version control.
- Rotation: re-encrypt all secrets with a new Age key, update the cluster secret, reconcile.
- SOPS supports multiple recipients: one key per cluster, one for break-glass recovery.
Related
- Logical Diagram — full cluster architecture