Skip to main content

Secrets

Your application may make use of API keys, server credentials and other confidential keys as part of its functionality. You can add these confidential keys and values in your app environment settings "Vars" > "Secrets" section. Up to 100 key value secret pairs can be added.

Encrypted at rest:​

  • All values are encrypted and stored in the target cloud account's managed secret manager. For example, in AWS, LocalOps stores all key value pairs as encrypted secure strings in AWS Systems manager.
  • In addition, LocalOps stores same key value pairs under the pre-defined kubernetes secret app-secrets in the same kubernetes namespace where your app containers are running.
  • Inside kubernetes cluster, app-secrets secret is encrypted at rest. In AWS, this encryption is powered by AWS Key management service (KMS).
info

All the secret key value pairs are added under one kubernetes secret with name app-secrets in same namespace as your app.

So, just as any other kubernetes secret, you refer their values in your containers environemnt variables like below in the helm chart:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
      annotations:
        rollme: {{ randAlphaNum 5 | quote }}
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-container
          image: nginx
          env:
            - name: MY_USERNAME # Environment variable name
              valueFrom:
                secretKeyRef:
                  name: app-secrets # Name of the secret
                  key: username # Key from the secret
            - name: MY_PASSWORD # Another environment variable
              valueFrom:
                secretKeyRef:
                  name: app-secrets # Name of the secret
                  key: password # Key from the secret

How to make changes and propagate them​

Once you add new secrets or update existing secrets, you will have to make a new deployment to let the running pods get those new keys/values. The new deployment will restart the pods resulting in fetching values of secrets again by above configuration.

note

Important: Note rollme annotation in above deployment config. This lets the deployment's pods restart everytime you trigger a new deployment inside LocalOps. Please add that annotation in the same place as above in your deployment or pod spec. This is a common technique to restart pods on secrets change. Refer to Helm docs here.