ADR-0030 — External Secrets Operator + cloud KMS (no plaintext in Git)

V1 Freeze (2026-06-12): Deferred. V1 uses 12-factor env / keyfile secrets; no External Secrets Operator. Re-opens at P4 (K8s/SaaS).

Context

GitOps (ADR-0028) puts desired state in Git — but secrets must never be in Git in plaintext (base64 is not encryption). We need a secrets flow that fits the GitOps pull model, supports centralized rotation, works across clusters, and integrates with the KMS already chosen for envelope encryption (ADR-0014).

Decision

External Secrets Operator (ESO) backed by a cloud Secrets Manager / Vault as the production primary:

Consequences

Positive

Negative / costs

Alternatives considered

Scaling

A single managed source + ESO scales linearly across secrets/envs/clusters (a ClusterSecretStore is shared cluster-wide, a SecretStore is scoped to one namespace); per-env keys bound the blast radius of a rotation.
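Added example, not part of the ADR: the manifest shape the Decision and Scaling sections describe, with a shared ClusterSecretStore, a namespace-scoped SecretStore for a second environment, and one ExternalSecret that references a remote key by path only. Git holds these three objects; the Kubernetes Secret itself is created in-cluster by ESO. Provider (AWS Secrets Manager), region, service-account names and the `prod/...` / `staging/...` key paths are placeholders chosen for illustration, and the API version assumed is `external-secrets.io/v1beta1`.

```yaml
# Added example (not from the ADR). Provider, region, names and key paths
# are placeholders; adjust to the Secrets Manager / Vault chosen in practice.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-secrets-manager            # shared by every namespace (cluster-wide)
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1                # placeholder
      auth:
        jwt:
          serviceAccountRef:           # IRSA-style identity; no static keys in Git
            name: external-secrets
            namespace: external-secrets
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager-staging    # scoped: usable only from this namespace
  namespace: api-staging
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1                # placeholder
      auth:
        jwt:
          serviceAccountRef:           # staging identity, permitted to read staging/* only
            name: external-secrets-staging
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: api-db-credentials
  namespace: api-prod
spec:
  refreshInterval: 1h                  # rotated value is picked up without a Git change
  secretStoreRef:
    name: aws-secrets-manager
    kind: ClusterSecretStore
  target:
    name: api-db-credentials           # the Secret ESO creates in-cluster; never committed
    creationPolicy: Owner
  data:
    - secretKey: DATABASE_URL
      remoteRef:
        key: prod/api/db               # per-env path: prod/... vs staging/...
        property: url
```

Two points worth checking when reviewing such manifests: the committed objects carry only references (`remoteRef.key`), never `data:`/`stringData:` values, and the identity bound to each store (the `serviceAccountRef`) is what limits which paths an environment can read, so a compromised staging namespace cannot pull `prod/*` keys through the shared store unless its identity is granted them.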