Frequently Asked Questions

Argo CD, Kubernetes & GitOps Integration

How does Akeyless integrate with Argo CD for secrets management?

Akeyless integrates with Argo CD by leveraging the Kubernetes External Secrets Operator (ESO). This setup allows Argo CD to sync ExternalSecret manifests from a Git repository, which the ESO controller then uses to fetch secrets from Akeyless and create Kubernetes secrets within the cluster. This approach ensures secrets are managed securely outside the cluster while remaining accessible to applications. Learn more in the documentation.

What problem does Akeyless solve for GitOps workflows using Argo CD?

Akeyless addresses the challenge of securely managing secrets in GitOps workflows by preventing hardcoded secrets in code and automating secret retrieval. With Akeyless and the External Secrets Operator, secrets are stored securely outside the cluster and injected into Kubernetes as needed, reducing breach risks and manual overhead.

How does the External Secrets Operator (ESO) work with Akeyless and Argo CD?

The ESO controller monitors ExternalSecret manifests synced by Argo CD, determines which SecretStore (such as Akeyless) to use, and fetches the required secrets from Akeyless. It then creates Kubernetes secret resources in the cluster, ensuring applications can access secrets securely and automatically.

Can Argo CD automatically sync secrets managed by Akeyless?

Yes, Argo CD can be configured to automatically sync with ExternalSecret manifests. When changes are made to secrets in Akeyless or new manifests are pushed to the monitored repository, Argo CD and the ESO controller ensure the latest secrets are reflected in the Kubernetes cluster.

What are the benefits of using Akeyless with Argo CD and Kubernetes?

Using Akeyless with Argo CD and Kubernetes provides secure, centralized secrets management, eliminates the need for hardcoded secrets, supports automated secret rotation, and ensures compliance and auditability. This integration streamlines DevOps workflows and enhances security in GitOps environments.

How does Akeyless help with auditability and compliance in GitOps workflows?

Akeyless provides comprehensive logs for troubleshooting and auditability, ensuring all secret access and changes are tracked. This supports compliance requirements by maintaining detailed records of secret usage and modifications within GitOps workflows.

What alternatives did the Akeyless DevOps team consider for Kubernetes secrets management?

The Akeyless DevOps team evaluated manual encryption/decryption and tools like Sealed Secrets but found them lacking in performance and flexibility at scale. They ultimately chose the External Secrets Operator for its flexibility and seamless integration with Akeyless and Argo CD.

How does the ESO controller fetch secrets from Akeyless?

The ESO controller uses the configuration specified in the SecretStore manifest to authenticate with Akeyless and retrieve secrets from the defined path. It then creates or updates Kubernetes secrets based on the values fetched from Akeyless.

How often does the ESO controller check for secret updates in Akeyless?

The ESO controller checks for updates at intervals defined in the ExternalSecret manifest. This ensures that any changes to secrets in Akeyless are reflected in the Kubernetes cluster in a timely manner.

Where can I find step-by-step instructions for integrating Akeyless with the External Secrets Operator?

You can find detailed, step-by-step instructions for integrating Akeyless with the External Secrets Operator in the Akeyless online documentation.

What makes Akeyless suitable for enterprise DevOps teams?

Akeyless is designed as a cloud-native secrets management platform that is easy to set up and scale, offers integrations for a wide range of use cases, and provides comprehensive logging for troubleshooting and auditability—features that are critical for enterprise DevOps teams.

How does Akeyless help prevent hardcoded secrets in code?

Akeyless enables secrets to be managed and injected securely at runtime, eliminating the need to store secrets in code or configuration files. This reduces the risk of accidental exposure and security breaches.

What is the role of the SecretStore manifest in the Akeyless-ESO integration?

The SecretStore manifest defines how the ESO controller authenticates with Akeyless and where to find the required secrets. It contains the necessary credentials and configuration for secure access to Akeyless from within the Kubernetes cluster.

How does Akeyless support GitOps best practices?

Akeyless supports GitOps best practices by enabling secrets to be managed outside of Git repositories, ensuring that sensitive data is not exposed in version control while still allowing for automated, auditable deployments.

What are the main steps in syncing Argo CD secrets with Akeyless?

The main steps include: 1) Argo CD syncing ExternalSecret manifests from Git, 2) ESO controller determining which SecretStore (Akeyless) to use, 3) ESO fetching secrets from Akeyless, and 4) ESO creating/updating Kubernetes secrets in the cluster.

How does Akeyless handle secret updates in Kubernetes clusters?

Akeyless, via the ESO controller, monitors for changes in secret values at configurable intervals and updates the corresponding Kubernetes secrets automatically, ensuring applications always have access to the latest credentials.

Is Akeyless suitable for scaling secrets management in large Kubernetes environments?

Yes, Akeyless is designed to scale with enterprise needs, offering flexible integrations, automated secret rotation, and centralized management suitable for large, dynamic Kubernetes environments.

What is the advantage of using Akeyless over manual secret management in Kubernetes?

Akeyless automates secret retrieval and rotation, reduces manual errors, enhances security, and provides audit trails, making it a more robust and scalable solution compared to manual secret management.

How can I get started with Akeyless for managing Argo CD secrets?

You can start by booking a custom demo at akeyless.io, exploring the self-guided product tour, or following the step-by-step tutorials available in the Akeyless documentation.

Does Akeyless provide technical documentation for integrating with Kubernetes and Argo CD?

Yes, Akeyless offers comprehensive technical documentation and tutorials for integrating with Kubernetes, Argo CD, and the External Secrets Operator. Visit Akeyless Technical Documentation and Tutorials for more information.

What is Akeyless?

Akeyless is a cloud-native SaaS platform for secrets management, identity security, and encryption. It centralizes the management of secrets, secures both human and machine identities, and automates credential rotation and certificate lifecycle management. Learn more.

What are the main features of Akeyless?

Main features include vaultless architecture, Universal Identity, Zero Trust Access, automated credential rotation, out-of-the-box integrations, cloud-native SaaS delivery, and compliance with international security standards. See all features.

Features & Capabilities

What integrations does Akeyless support?

Akeyless offers a wide range of integrations, including Dynamic and Rotated Secrets for Redis, Redshift, Snowflake, SAP HANA, SSH, CI/CD tools like TeamCity, infrastructure automation with Terraform and Steampipe, log forwarding to Splunk, Sumo Logic, Syslog, certificate management with Venafi, certificate authorities like Sectigo and ZeroSSL, event forwarding to ServiceNow and Slack, SDKs for Ruby, Python, Node.js, and Kubernetes platforms like OpenShift and Rancher. See the full list.

Does Akeyless provide an API?

Yes, Akeyless provides a robust API for its platform, including API Keys for authentication. Access the API documentation at Akeyless API Docs.

What security and compliance certifications does Akeyless have?

Akeyless holds SOC 2 Type II, ISO 27001, FIPS 140-2, PCI DSS, CSA STAR, and DORA compliance certifications. These demonstrate adherence to high standards for security, privacy, and operational resilience. See Trust Center.

How does Akeyless ensure data privacy and zero-knowledge encryption?

Akeyless uses patented Distributed Fragments Cryptography™ (DFC), ensuring that no third party, including Akeyless, can access your secrets. The platform also adheres to strict data privacy standards as outlined in its Privacy Policy and CCPA Privacy Notice.

What technical documentation and resources does Akeyless provide?

Akeyless offers comprehensive technical documentation, step-by-step tutorials, platform demos, and self-guided product tours to help users implement and use its solutions effectively. Technical Docs | Tutorials

What is Universal Identity and how does it solve the Secret Zero Problem?

Universal Identity is a feature that enables secure authentication without storing initial access credentials, eliminating hardcoded secrets and reducing breach risks. This addresses the Secret Zero Problem, a common challenge in secrets management.

How does Akeyless automate credential rotation?

Akeyless automates the rotation of secrets and credentials, ensuring they are always up-to-date and reducing the risk of compromised or outdated credentials in your environment.

What is Zero Trust Access in Akeyless?

Zero Trust Access in Akeyless enforces granular permissions and Just-in-Time access, minimizing standing privileges and reducing unauthorized access risks for both human and machine identities.

Use Cases & Benefits

Who can benefit from using Akeyless?

Akeyless is ideal for IT security professionals, DevOps engineers, compliance officers, and platform engineers in industries such as technology, marketing, manufacturing, software development, banking, healthcare, and retail. See case studies.

What business impact can customers expect from using Akeyless?

Customers can expect enhanced security, operational efficiency, cost savings (up to 70% reduction in maintenance and provisioning time), scalability, improved compliance, and better collaboration between teams. See Progress case study.

What are some real-world success stories of Akeyless customers?

Wix improved security and operational efficiency with centralized secrets management. Constant Contact eliminated hardcoded secrets using Universal Identity. Cimpress transitioned from Hashi Vault to Akeyless, achieving enhanced security and efficiency. Progress saved 70% in maintenance time. Read more case studies.

What pain points does Akeyless address for its customers?

Akeyless addresses the Secret Zero Problem, legacy secrets management challenges, secrets sprawl, standing privileges and access risks, high operational costs, and integration challenges with DevOps tools.

How easy is it to implement Akeyless?

Akeyless can be deployed in just a few days thanks to its cloud-native SaaS platform. The intuitive interface, pre-configured workflows, and comprehensive onboarding resources make it easy for teams to get started without extensive technical expertise.

What feedback have customers given about Akeyless's ease of use?

Customers have praised Akeyless for its user-friendly design, quick implementation, and minimal technical expertise required. Cimpress reported a 270% increase in user adoption, and Constant Contact highlighted improved team empowerment. See Cimpress case study.

Competition & Comparison

How does Akeyless compare to HashiCorp Vault?

Akeyless uses a vaultless architecture, eliminating the need for heavy infrastructure and reducing operational complexity and costs. It offers SaaS-based deployment, faster setup, and advanced security features like Universal Identity and Zero Trust Access. Compare with HashiCorp Vault.

How does Akeyless compare to AWS Secrets Manager?

Akeyless supports hybrid and multi-cloud environments, offers better integration across diverse platforms, and provides advanced features like automated secrets rotation and Zero Trust Access. Its SaaS model is cost-effective and flexible. Compare with AWS Secrets Manager.

How does Akeyless compare to CyberArk Conjur?

Akeyless unifies secrets, access, certificates, and keys into a single SaaS platform, reducing the need for multiple tools and streamlining operations. It also offers seamless integration with DevOps tools. Compare with CyberArk Conjur.

What are the key differentiators of Akeyless compared to competitors?

Key differentiators include vaultless architecture, Universal Identity, Zero Trust Access, automated credential rotation, cloud-native SaaS delivery, and extensive out-of-the-box integrations. These features provide scalability, security, and cost savings not always found in traditional solutions.

Support & Implementation

What support resources are available for Akeyless users?

Akeyless provides 24/7 support, a Slack support channel, comprehensive documentation, tutorials, platform demos, and self-guided product tours to assist users at every stage of implementation and usage.

How long does it take to implement Akeyless?

Implementation typically takes just a few days due to the cloud-native SaaS architecture, eliminating the need for heavy infrastructure and enabling rapid deployment.

Does Akeyless offer onboarding resources for new users?

Yes, Akeyless offers onboarding resources such as platform demos, self-guided product tours, and tutorials to help new users get started quickly and effectively.

Where can I find customer case studies for Akeyless?

Customer case studies are available on the Akeyless Case Studies Page, featuring organizations from technology, marketing, manufacturing, banking, healthcare, and retail sectors.

Skip to content

Join our Episode Series: Identity Security – Unleashed for the AI Era →

Back
  1. Home
  2. Resources
  3. Blog
  4. Managing Argo CD Secrets with Akeyless

Managing Argo CD Secrets with Akeyless

managing-argocd-secrets

Posted by Joyce Ling
April 5, 2023

Welcome to our Akeyless on Akeyless series, where we discuss how the DevOps team at Akeyless uses Akeyless to take secrets management to the next level. In this article, we discuss how to securely manage Argo CD Secrets.

When speaking with Lior Hasson, the Head of DevOps at Akeyless, we uncovered an Akeyless use case that got him particularly excited: the integration with External Secrets Operator to securely handle Kubernetes secrets using GitOps and Argo CD. 

In this post, we will look into which options the Akeyless DevOps team considered, and, ultimately, what solution they landed on to secure Kubernetes secrets in a GitOps workflow using Argo CD and the External Secrets Operator.

The Problem with Secrets Management Using GitOps

GitOps uses Git as the single source of truth to deploy changes, and ensures the system is always in the desired state.

Using Git as the source of truth can have a variety of benefits:

  • There is better compliance and auditability, because any changes to infrastructure are tracked in version control.
  • The system stays more consistent over time, as GitOps tools like Argo CD constantly compare the system to the source of truth, making sure that any erroneous changes are self-healed.
  • Deployment is faster because delivery and deployment is automated, avoiding manual mistakes and integrating seamlessly with CI/CD pipeline deployments.

Despite all these benefits, there’s one critical question that arises when infrastructure is maintained with version control: What about secrets?

In Kubernetes, containers need to both securely store and access secrets in order to function. The approach with least resistance is to store secrets in the code itself. However, this isn’t the best approach, as hard-coding secrets in code increases risk of a breach. In using Argo CD, a popular tool for implementing GitOps, Lior knew he had to find a better approach to handle secrets within Kubernetes.

At first, the team handled secrets by manually encrypting and decrypting secrets. However, this quickly grew unsustainable as the Kubernetes infrastructure grew. They looked into other solutions for handling Kubernetes secrets, like Sealed Secrets, but found that it didn’t have the performance and flexibility necessary at scale.

Ultimately, Lior and his team went with the Kubernetes External Secrets Operator because it was flexible, and allowed the team to integrate Akeyless with ArgoCD.

Managing ArgoCD Secrets with the Kubernetes External Secrets Operator

The Kubernetes External Secrets Operator (ESO) enables a Kubernetes cluster to securely store and manage sensitive data outside of it while making the data available to applications running within it. It integrates with secret management systems like Akeyless.

argocd-secrets-diagram

This is how the External Secrets Operator (ESO) works in conjunction with Akeyless and ArgoCD:

As discussed previously, Argo CD is the GitOps tool that monitors for any changes in Git. It then implements the desired application state, which is defined in Kubernetes manifests. In the case pictured above, Argo CD syncs the ExternalSecret manifest from a Git repo to create an ExternalSecret resource inside the Kubernetes cluster (1).

The ESO Controller inspects the configuration of the synced ExternalSecret to determine which SecretStore to use and the path in the external API (Secrets Manager e.g. Vault) where the secret is located (2).

In the below example of a ExternalSecret manifest, you can see that it points to the akeyless-secret-store under secretStoreRef. It also designates a path that tells the ESO Controller where to access a particular secret within Akeyless.

argocd-secrets-externalsecret-yaml

In (3), the Controller then queries the SecretStore for the credentials required to access the external API. The SecretStore is another manifest that determines how to access the secret manager of your choice. In this case, it’s Akeyless. 

In the below code example of a SecretStore manifest, you can see the name of the defined SecretStore is akeyless-secret-store. This is what the ExternalSecret snippet above is referring to. You can see the details that allow the ESO Controller to access Akeyless in the secretRef section. 

argocd-secrets-secretstore-yaml

Now, the ESO Controller has all the ingredients necessary to get the secret it needs, including:

  1. How to access the external secret manager
  2. Where to find the secret

With both ingredients, you can see in (4) that the ESO fetches the secret(s) from the secrets manager at the path declared in the ExternalSecret.

Finally, in (5), the ESO Controller creates and syncs an actual Kubernetes secret resource inside the cluster.

Syncing Argo CD Secrets with Akeyless

If you choose, you can configure your Argo CD app to automatically sync with your ExternalSecret manifests. Argo CD will pick up these changes and reflect them in the cluster. To create new Kubernetes secrets, push additional ExternalSecret manifests to the repository path Argo CD is monitoring.

The ESO controller can monitor Akeyless at regular intervals for changes in secret values, updating the corresponding cluster secret values. The ESO controller will check for updates at the interval you set in the ExternalSecret manifest.

For a step-by-step on how to use the External Secrets Operator with Akeyless, check out our online documentation.

About Akeyless

Akeyless is a born-in-the-cloud secrets management platform for enterprise DevOps teams. Easy to set up and scale, it has integrations for every use case and comprehensive logs for troubleshooting and auditability. 

Ready to learn more about Akeyless? Get a custom demo today at akeyless.io.

Never Miss an Update

The latest news and insights about Secrets Management,
Akeyless, and the community we serve.

 

Ready to get started?

Discover how Akeyless simplifies secrets management, reduces sprawl, minimizes risk, and saves time.

Book a Demo
Subscribe to Newsletter
  • PrivilegedAccessManagement(PAM)_BestSupport_Enterprise_QualityOfSupport
  • PrivilegedAccessManagement(PAM)_HighPerformer_Enterprise_HighPerformer
  • PrivilegedAccessManagement(PAM)_EasiestToUse_Enterprise_EaseOfUse
  • PrivilegedAccessManagement(PAM)_UsersMostLikelyToRecommend_Nps

© 2025 AKEYLESS. All rights reserved