How does ArgoCD handle secrets, and why is it tricky in GitOps?
CI/CD & GitOps · Intermediate level
Answer
Secrets are tricky in GitOps because GitOps expects the complete desired state to be declared in Git, but a plain Kubernetes Secret manifest must not contain raw secret values. Common patterns are SOPS-encrypted secrets, Sealed Secrets, External Secrets Operator, cloud secret managers, or runtime injection from a vault system.
Technical explanation
Masking is a safety net, not a complete control; scripts can still leak secrets through files, command arguments, debug output, or third-party tools.
Prefer scoped, short-lived credentials and store only the minimum secrets needed for that job or environment.
Artifacts should be immutable and addressed by version or digest, with metadata linking them to commit SHA and pipeline run.
Jenkins archived artifacts are convenient for diagnostics, but production deployment should consume from a controlled artifact repository or registry.
The desired state should be declarative enough for an agent to converge without manual runbook steps.
Git history becomes the audit trail for who requested, reviewed, and approved an environment change.
Hands-on example
1. Model the desired state in a GitOps repository, for example environments/staging/apps/payments and environments/prod/apps/payments.
2. Store only encrypted or external-secret references in Git, for example SOPS-encrypted YAML or an ExternalSecret pointing to AWS Secrets Manager; never commit raw secret values.
3. Open a pull request that changes only the desired version or values, require review and policy checks, then merge to let Argo CD detect OutOfSync state.
4. Run argocd app get payments and argocd app diff payments, then sync manually or let automated sync reconcile; verify sync status, health status, events, and Kubernetes rollout status.
5. Test rollback by reverting the Git commit or promoting the previous artifact digest, then watch Argo CD reconcile the cluster back to the known-good desired state.
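One way to enforce step 2 as one of the policy checks in step 3, shown as an added example that is not part of the original page or of Argo CD itself: a line-based heuristic that flags `kind: Secret` manifests whose values are not SOPS-encrypted, while letting ExternalSecret references through. The function name and sample manifests are constructed for illustration, and the check assumes block-style YAML.

```python
import re

# Constructed multi-document manifest (sample values, not from the page).
SAMPLE = """\
apiVersion: v1
kind: Secret
metadata:
  name: payments-raw
stringData:
  password: example-password
---
apiVersion: v1
kind: Secret
metadata:
  name: payments-sops
stringData:
  password: ENC[AES256_GCM,data:constructed,type:str]
sops:
  version: constructed
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: payments-external
spec:
  data:
    - secretKey: password
      remoteRef:
        key: prod/payments/db
"""

def find_raw_secrets(text):
    """Return (name, key) for each unencrypted value in a kind: Secret document."""
    findings = []
    for doc in re.split(r"^---[ \t]*$", text, flags=re.M):
        if not re.search(r"^kind:[ \t]*Secret[ \t]*$", doc, re.M):
            continue  # ExternalSecret, SealedSecret etc. carry no raw values
        m = re.search(r"^metadata:\n(?:[ ]+.*\n)*?[ ]+name:[ \t]*(\S+)", doc, re.M)
        name = m.group(1) if m else "<unnamed>"
        has_sops = re.search(r"^sops:", doc, re.M) is not None
        # Indented "key: value" lines under top-level data: / stringData:
        for block in re.finditer(r"^(?:data|stringData):\n((?:[ ]+.*\n?)+)", doc, re.M):
            for key, value in re.findall(r"^[ ]+([\w.-]+):[ \t]*(.+)$", block.group(1), re.M):
                if not (has_sops and value.startswith("ENC[")):
                    findings.append((name, key))
    return findings

if __name__ == "__main__":
    print(find_raw_secrets(SAMPLE))
```

A value that merely starts with `ENC[` is still flagged when the document has no `sops:` metadata block, and base64 values under `data:` are treated as raw because base64 is encoding, not encryption.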