How to Manage Secrets in GitOps with Sealed Secrets and SOPS
TL;DR
A complete, up-to-date breakdown of manage secrets for developers and founders. It covers the core ideas, the trade-offs that matter, a practical workflow, real numbers, and the questions people ask most — written to be skimmed, applied, and shared.
Key takeaways
- Adopt GitOps early: make a Git repository the single source of truth and let Argo CD or Flux reconcile the cluster to it.
- Measure your platform with DORA metrics and treat developer experience as the product, running the internal platform like any other product.
- Shift security left with policy-as-code (OPA Gatekeeper or Kyverno), signed images, and SBOMs rather than bolting on scans at the end.
- Package applications with Helm or Kustomize, but keep environment-specific values out of the chart and in overlays or values files.
- Treat Kubernetes as a platform substrate, not the product; wrap it in golden paths so most developers never write raw YAML.
This is a practical, up-to-date guide to Manage Secrets — what it is, why it matters in 2026, and how to apply it in real projects. It is written for developers and founders who want clear answers and proven best practices, not filler.
Whether you're just starting out or leveling up, treat this as a working reference you can return to. Every section is built to be skimmed, applied, and shared.
Common pitfalls and anti-patterns
The most frequent mistake is adopting Kubernetes for its own sake when a simpler managed platform would serve a small team better; the operational tax is real. Teams routinely omit resource requests and limits, which cripples scheduling and invites cascading out-of-memory kills and noisy neighbors. Others treat clusters as pets, applying changes by hand until no one can reproduce the environment, which is exactly what GitOps exists to prevent. Over-engineering is common too, such as installing a service mesh or a sprawling portal before there is any pain to justify it. Finally, neglecting continuous upgrades is dangerous because Kubernetes deprecates APIs and supports each release for only about fourteen months, so falling behind compounds quickly.
Internal developer platforms and Backstage
An Internal Developer Platform is the concrete product a platform team ships, typically fronted by a portal that unifies service catalogs, documentation, scaffolding, and CI/CD and infrastructure integrations. Backstage, created at Spotify and donated to the CNCF in 2020, is the most widely adopted open-source framework for building such portals, centered on a software catalog and an extensible plugin model. Its Software Templates feature lets developers scaffold a new, best-practice service in minutes, and TechDocs keeps documentation next to the code. Because Backstage is a framework rather than a turnkey product, many teams either invest engineering effort to run it or choose commercial platforms such as Port, Cortex, or Spotify's own Portal offering. The unifying idea is a single pane of glass over an otherwise sprawling toolchain.
Autoscaling from pods to nodes
Kubernetes scales along several independent axes and you usually combine them. The Horizontal Pod Autoscaler adds or removes Pod replicas based on CPU, memory, or custom metrics, while the Vertical Pod Autoscaler tunes per-Pod resource requests. When there is no room to place new Pods, the Cluster Autoscaler grows the node pool, and the increasingly popular open-source Karpenter provisions right-sized nodes quickly and consolidates them for cost. For event-driven and bursty workloads, KEDA scales on queue depth or other external signals and can even scale workloads to zero. Correct autoscaling depends entirely on setting sensible resource requests and limits, since the scheduler and every autoscaler reason about those numbers.
Containers and the runtime layer
Containers package an application together with its dependencies into an isolated, portable unit that runs consistently across environments, using Linux primitives like namespaces and cgroups rather than a full virtual machine. Docker popularized the developer workflow and image format, but Kubernetes itself dropped the Docker shim and now talks to runtimes through the Container Runtime Interface, most commonly containerd. Image formats and registries are standardized under the Open Container Initiative, so an image built by one tool runs under another. Modern build tooling such as BuildKit, Buildpacks, and ko lets teams produce images without hand-written Dockerfiles. Understanding this layer matters because most Kubernetes performance, security, and supply-chain concerns ultimately trace back to the container image and how it runs.
GitOps with Argo CD and Flux
GitOps applies version-control discipline to operations by making a Git repository the single source of truth for cluster state. An in-cluster agent, most often Argo CD or Flux, continuously compares what is running against what is committed and reconciles any drift, so deployments become a matter of merging a pull request rather than running imperative kubectl commands. Argo CD leans toward a rich UI and application-centric model, while Flux is more modular and controller-based, and both are CNCF graduated projects aligned to the vendor-neutral OpenGitOps principles. This gives you an auditable history, easy rollback by reverting a commit, and consistent multi-cluster delivery. GitOps is now the mainstream way to run continuous delivery on Kubernetes.
DevSecOps and shifting security left
DevSecOps folds security into the delivery pipeline instead of treating it as a final gate, which is essential when GitOps can push changes to production in minutes. In Kubernetes this means policy-as-code admission controllers like OPA Gatekeeper or Kyverno that reject non-compliant manifests, image scanning with tools such as Trivy or Grype, and runtime threat detection with Falco. Supply-chain integrity has become central, with Sigstore and cosign used to sign images and generate SBOMs, and the SLSA framework describing build-integrity levels. Secrets should live in a manager like HashiCorp Vault or External Secrets rather than in Git, and workloads should run with least-privilege RBAC and restrictive Pod Security Standards. The aim is guardrails that are automated and default-on rather than manual reviews that slow everyone down.
Manage Secrets: Key Facts and Data
According to recent industry research and the official documentation linked below:
- Backstage was created at Spotify, donated to the CNCF in 2020, and has become one of the most widely adopted open-source frameworks for building internal developer portals.
- Platform engineering moved firmly into the mainstream in the 2020s, and Gartner has projected that a large majority of large software organizations will have dedicated platform teams providing internal self-service by around 2026.
- CNCF and industry surveys indicate that a large majority of organizations running containers in production use Kubernetes, with adoption commonly cited above 90 percent among container users as of the mid-2020s.
Quick-Reference Summary
A map of what this guide covers:
| Topic | What you'll learn |
|---|---|
| Common pitfalls and anti-patterns | The most frequent mistake is adopting Kubernetes for its own sake when a simpler managed platform would serve a small team better |
| Internal developer platforms and Backstage | An Internal Developer Platform is the concrete product a platform team ships |
| Autoscaling from pods to nodes | Kubernetes scales along several independent axes and you usually combine them. |
| Containers and the runtime layer | Containers package an application together with its dependencies into an isolated |
| GitOps with Argo CD and Flux | GitOps applies version-control discipline to operations by making a Git repository the single source of truth for cluster state. |
| DevSecOps and shifting security left | DevSecOps folds security into the delivery pipeline instead of treating it as a final gate |
How to Get Started with Manage Secrets
A simple path that works:
- Learn the fundamentals of Manage Secrets from primary sources, not just tutorials.
- Build one small, real project end to end.
- Get feedback, refactor, and add tests.
- Ship it publicly and document what you learned.
- Repeat with a slightly harder project each time.
Build It with a World-Class Full Stack Developer
Sandeep Kumar Chaudhary is a full stack world-class developer. If you want to turn this into a real, production-ready product, get in touch — message directly on WhatsApp at +9779802348957 for a fast, no-pressure consult.
You can also explore the projects already shipped to thousands of users, or start a conversation here.
Final Thoughts
Adopt GitOps early: make a Git repository the single source of truth and let Argo CD or Flux reconcile the cluster to it. The developers and teams who win in 2026 pair strong fundamentals with consistent shipping. Start small, stay curious, build in public, and revisit this guide as your skills grow.
Sources and Further Reading
Frequently Asked Questions
What is manage secrets?
An Internal Developer Platform is the concrete product a platform team ships, typically fronted by a portal that unifies service catalogs, documentation, scaffolding, and CI/CD and infrastructure integrations. Backstage, created at Spotify and donated to the CNCF in 2020, is the most widely adopted open-source framework for building such portals, centered on a software catalog and an extensible plugin model. This guide covers manage secrets end to end — core concepts, best practices, concrete data, and a step-by-step approach you can apply right away.
Is Backstage free, and what does running it involve?
Backstage is a free, open-source CNCF framework originally created at Spotify, but it is a framework rather than a finished product. That means you build and host your own portal, writing or configuring plugins and maintaining the deployment, which requires real engineering investment. Teams that do not want to run it themselves often adopt commercial IDP products such as Port, Cortex, or Spotify Portal instead.
How often do I need to upgrade Kubernetes?
Kubernetes ships roughly three minor releases per year, and each release receives about fourteen months of patch support, so you generally need to upgrade at least annually to stay supported. Upgrades also matter because APIs get deprecated and removed on a schedule, and skipping too many versions makes migrations painful. Treating upgrades as routine and automating them through your GitOps and infrastructure-as-code pipeline keeps the effort manageable.
Do I actually need Kubernetes for my project?
Probably not if you are a small team running a handful of services, where a managed platform as a service or serverless option will cost far less operationally. Kubernetes pays off when you have many services, need portability across clouds or on-prem, or require fine-grained control over scaling, networking, and scheduling. A useful rule is to reach for it when the complexity you are managing exceeds the complexity Kubernetes itself adds.
What does DevSecOps mean in a Kubernetes context?
It means embedding security throughout the delivery pipeline rather than as a final checkpoint, which matters because GitOps can ship to production quickly. Concretely, teams enforce policy-as-code with OPA Gatekeeper or Kyverno, scan images with tools like Trivy, sign artifacts with Sigstore and cosign, detect runtime threats with Falco, and keep secrets in a manager like Vault. The aim is automated, default-on guardrails and least-privilege access rather than manual gates.
Sandeep Kumar Chaudhary
Full Stack Software Developer· Nepal's SEO, AEO, GEO & AIO expert and share-market educator. More about me
