
ADR-0004 — Secrets Management Strategy

Status

Accepted

Context

The system requires management of sensitive data:

  • database credentials,
  • API keys,
  • registry tokens,
  • deployment secrets.

Secrets must not be stored in plaintext or leaked via CI/CD logs.

Decision

We use SOPS with age encryption for all secrets stored in the repository.

Principles:

  • secrets are encrypted at rest,
  • encrypted files are committed to git,
  • decryption happens only at deploy/runtime boundaries,
  • CI secrets are scoped and masked.
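The following is an added example, not part of this ADR or of the sops project: a POSIX shell pre-commit guard for the "encrypted files are committed to git" principle. It refuses a secrets file that lacks the metadata block sops writes or still carries a plaintext leaf value; the directory, file names and ENC[...] payloads are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the ADR or the sops project): a pre-commit guard for the
# "no plaintext secrets in git" principle. It needs no sops binary; it only checks
# the layout sops writes: a trailing "sops:" metadata block and ENC[...] ciphertext
# in every leaf value (keys ending in _unencrypted are left in clear by sops design).

# Print plaintext leaf values found in FILE (line number + line). Exit 0 if any.
list_plaintext_values() {
  awk '
    /^sops:/      { in_meta = 1 }            # sops metadata starts here
    in_meta       { next }
    /^[ \t]*#/    { next }                   # comment
    /^[ \t]*$/    { next }                   # blank line
    {
      line = $0
      sub(/^[ \t]*(- )?/, "", line)          # drop indentation and list dash
      if (match(line, /^[A-Za-z0-9_.-]+:[ \t]*/)) {
        key = substr(line, 1, RLENGTH); sub(/:[ \t]*$/, "", key)
        value = substr(line, RLENGTH + 1)
        if (key ~ /_unencrypted$/) next
      } else {
        value = line                         # bare list scalar
      }
      if (value != "" && value !~ /^ENC\[/) { print NR ": " $0; found = 1 }
    }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# Exit 0 only when FILE carries sops metadata and leaks no plaintext value.
is_safe_to_commit() {
  grep -q '^sops:' "$1" && ! list_plaintext_values "$1" >/dev/null
}

# Constructed samples; the ENC[...] payloads are placeholders, not real ciphertext.
DEMO_DIR=$(mktemp -d)
cat >"$DEMO_DIR/db.enc.yaml" <<'EOF'
db:
    password: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
environment_unencrypted: staging
sops:
    age:
        - recipient: age1placeholderrecipient
    mac: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
EOF
printf 'db:\n    password: hunter2\n' >"$DEMO_DIR/leaked.yaml"

for f in "$DEMO_DIR"/*.yaml; do
  if is_safe_to_commit "$f"; then echo "OK   $f"; else echo "FAIL $f"; list_plaintext_values "$f" || true; fi
done
```

Wire `is_safe_to_commit` into a pre-commit hook over the staged files in the secrets directory so a forgotten `sops -e` is caught before it reaches the repository.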

Alternatives Considered

  • Plain Kubernetes secrets: rejected due to plaintext storage.
  • Vault: rejected due to operational overhead for project scope.
  • GitLab-only CI variables: rejected due to limited auditability.

Consequences

Positive

  • Secrets are versioned and auditable.
  • No plaintext secrets in git.
  • Works locally and in CI/CD.

Negative

  • Requires key management discipline.
  • Slightly more complex onboarding.

Rollback / Change Strategy

The secrets backend can be migrated to Vault or a cloud KMS via a new ADR if requirements grow.

References

  • SOPS documentation
  • age encryption