octopilot/secret-manager-controller

Secret Manager Controller

CI Dependabot Docs Crate License: PolyForm Shield 1.0.0

The Missing Bridge Between GitOps and Serverless

A Kubernetes controller that syncs SOPS-encrypted secrets from GitOps repositories (FluxCD/ArgoCD) to cloud-native secret stores (GCP Secret Manager, AWS Secrets Manager, Azure Key Vault), enabling serverless migration while preserving your GitOps workflow.

Why This Exists

Platform teams are optimizing their cloud footprints through serverless adoption. The problem? SOPS works for Kubernetes, but not serverless.

When secrets exist only inside Kubernetes (encrypted via SOPS), you're left with:

  • ❌ Two parallel worlds of secrets (K8s vs. serverless)
  • ❌ No unified pipeline between GitOps and serverless
  • ❌ Massive friction for teams wanting to migrate workloads
  • ❌ Hidden opportunity costs from manual secret management

The lack of a unified secret delivery mechanism was holding organizations back from achieving real FinOps savings.

What It Does

Secret Manager Controller reads SOPS-encrypted secrets from Git, decrypts them securely inside Kubernetes, and pushes them into cloud-native secret managers:

  • Google Secret Manager
  • AWS Secrets Manager
  • Azure Key Vault

This enables:

  • Serverless migration — Unlock workloads previously blocked by secret management
  • Reduced cloud bill — Shrink Kubernetes footprint, move to serverless
  • Unified workflow — One pipeline for K8s and serverless
  • GitOps-first — Preserve your existing SOPS + Git workflow

Quick Start

# Apply CRD
kubectl apply -f https://raw.githubusercontent.com/octopilot/secret-manager-controller/main/config/crd/secretmanagerconfig.yaml

# Deploy controller
kubectl apply -k https://github.com/octopilot/secret-manager-controller/config/

See the Installation Guide for detailed setup instructions.

Documentation

📚 Comprehensive documentation is available at: octopilot.github.io/secret-manager-controller

Getting Started

Key Guides

Provider Setup

API Reference

CLI Tool

  • MSMCTL CLI - Command-line tool for managing the controller

Features

  • GitOps-Agnostic - Works with FluxCD, ArgoCD, or any GitOps tool
  • Multi-Cloud Support - GCP, AWS, and Azure from one controller
  • SOPS Integration - Automatically decrypts SOPS-encrypted secrets
  • Kustomize Support - Extracts secrets from Kustomize-built configurations
  • Workload Identity - Uses Workload Identity/IRSA by default (no credential management)
  • GitOps-Driven - Git is the source of truth; cloud providers are synced automatically
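
Because Git is the source of truth and whatever is committed gets synced to the cloud stores, a pre-merge check that every value in a secret file really is SOPS ciphertext is a useful guard. The sketch below is an added example, not code from this project: it assumes SOPS files in JSON form, honours only the `unencrypted_suffix` selector recorded in the `sops` metadata, and runs on a constructed sample document.

```python
import json
import re

# Shape SOPS gives an encrypted leaf: ENC[AES256_GCM,data:..,iv:..,tag:..,type:..]
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,\]]*,iv:[^,\]]+,tag:[^,\]]+,type:\w+\]$")

def plaintext_leaves(doc, suffix="_unencrypted"):
    """Return dotted paths of leaf values that are not SOPS ciphertext."""
    found = []

    def walk(node, path, exempt):
        if isinstance(node, dict):
            for key, value in node.items():
                if not path and key == "sops":
                    continue  # top-level SOPS metadata block, not a secret
                # A key carrying the suffix exempts itself and its subtree.
                walk(value, path + [key], exempt or key.endswith(suffix))
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, path + [str(i)], exempt)
        elif exempt or node is None or node == "":
            return  # SOPS leaves empty strings as-is; null treated as no data
        elif not (isinstance(node, str) and ENC_RE.match(node)):
            found.append(".".join(path))

    walk(doc, [], False)
    return found

def check_sops_json(text):
    """List problems in one SOPS JSON file; an empty list means it passed."""
    doc = json.loads(text)
    meta = doc.get("sops") if isinstance(doc, dict) else None
    if not isinstance(meta, dict) or "mac" not in meta:
        return ["<no sops metadata: file is not SOPS-encrypted>"]
    return plaintext_leaves(doc, meta.get("unencrypted_suffix") or "_unencrypted")

# Constructed sample: one encrypted value, one plaintext leak, one exempt key.
SAMPLE = json.dumps({
    "db_password": "ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]",
    "api": {"token": "hunter2-plaintext",
            "url_unencrypted": "https://example.invalid"},
    "empty": "",
    "sops": {"mac": "ENC[AES256_GCM,data:eA==,iv:eQ==,tag:eg==,type:str]",
             "unencrypted_suffix": "_unencrypted"},
})

if __name__ == "__main__":
    for problem in check_sops_json(SAMPLE):
        print("plaintext value at:", problem)
```

Files that use `encrypted_regex` or the other SOPS selectors encrypt only part of the tree on purpose and would need those rules added before this check is meaningful for them.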

Contributing

We welcome contributions! Please see our Contributing Guide for details.

For development setup, see:

License

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.


Questions? Check out our troubleshooting guide or explore the full documentation site.
