manage-kubernetes-secrets

Implement production-grade secrets management for Kubernetes with encryption, rotation, and integration with external secret stores.

Configure encryption at rest for Secrets using KMS or local encryption.

Expected: Secrets encrypted at rest in etcd. Hexdump shows encrypted data, not plaintext. KMS integration configured for cloud-managed clusters. Re-encryption of existing secrets completes without errors.

Implement secure secrets management in Kubernetes using SealedSecrets for GitOps, External Secrets Operator for cloud secret managers, and rotation strategies. Handle TLS certificates, API keys, and credentials with encryption at rest and RBAC controls. Use when storing sensitive configuration for Kubernetes applications, implementing GitOps where secrets must be version-controlled, integrating with AWS Secrets Manager or Azure Key Vault, rotating credentials without downtime, or migrating from plaintext Secrets to encrypted solutions. Source: pjt222/development-guides.