Source Summary: Kubernetes Secret Delivery, Vault, Infisical, and SOPS
Source Identity
- Sicurezza Kubernetes Talos Linux_ Segreti.md
- HashiCorp, Kubernetes, SOPS_ Guida DevOps.md
Scope
Research on Talos security, PKI, Vault, and GitOps-safe secret management.
Key Points
- Talos reduces attack surface by removing mutable host access patterns
- Talos PKI and certificate lifetimes must be managed deliberately
- Vault is the identity-centric secret platform under the LushyCorp transition track, while SOPS is the Git-friendly encryption pattern studied in the source material
- Current TazLab secret delivery is Infisical-backed rather than SOPS-backed
- Kubernetes Secrets alone are not enough for higher-trust production workflows
- Terraform state and secret handling need explicit protection
Notable Claims
- Immutability is a security control, not just an operational preference
- Secret delivery and secret storage are different design problems
Affected Wiki Pages
- ../entities/hashicorp-vault
- ../entities/infisical
- ../entities/sops
- ../entities/talos-linux
- ../entities/kubernetes
- ../topics/tazlab-infrastructure-tech-stack
Open Questions
- Which pieces of the current TazLab secret model should be documented as temporary transition state versus intended end state?