https://falcao.org/tags/gitops/Recent content in Gitops on Danilo Falcão da SilvaHugoen-usWed, 20 May 2026 22:25:00 -0300https://falcao.org/posts/kubernetes-secrets-aws-azure-gcp-onprem/Wed, 20 May 2026 22:25:00 -0300https://falcao.org/posts/kubernetes-secrets-aws-azure-gcp-onprem/<p>The Kubernetes <code>Secret</code> object is a YAML manifest with a base64-encoded value in it. That&rsquo;s the entire encryption story. Anyone with <code>get</code> permission on the namespace can read every credential the workload holds. <strong>Base64 is not encryption.</strong> It is barely obfuscation.</p> <p>Teams discover this the wrong way — usually during a security review, occasionally during an incident — and the next question is always the same: <em>so where do the real secrets live?</em></p>https://falcao.org/posts/gitops-argocd/Tue, 19 May 2026 13:30:00 -0300https://falcao.org/posts/gitops-argocd/<p>Here&rsquo;s the test I use for any deployment tooling:</p> <p><strong>It is 3 a.m. on a Sunday. PagerDuty just woke you up. A production service is degraded. You roll out of bed, open your laptop, and have to figure out what the cluster <em>thinks</em> is true, what&rsquo;s <em>actually</em> true, and what changed in the last twelve hours. The faster you can answer those three questions, the better the tooling.</strong></p> <p>The right GitOps stack collapses all three questions into one dashboard. The wrong one has you SSH-hopping between five servers running <code>kubectl rollout history</code> against unlabeled deployments. I&rsquo;ve done both. I&rsquo;m writing this post about the former.</p>