- Published on
Kubernetes Secrets are base64, not encrypted. Here is the full path I use to keep zero secret material inside the cluster — Workload Identity federates a pod to a managed identity, External Secrets Operator pulls live values from Key Vault. Terraform, manifests, pitfalls, all of it.