Skip to content

Secrets

It is possible to define secrets to be created in a namespace for a specific capability, or in every namespace generically. The main use case is to create secrets in the ArgoCD namespace so that it can read private repositories, which is where the name secrets came from in the first place. However, they can be used with other capabilities, and/or application namespaces as well.

More info can be found in Core Concepts documentation on Secrets.

Prerequisites

Secrets are encrypted using asymmetric encryption and therefore require a public and private keypair. Keypairs must be generated and managed by administrators and can provide the public key to Users for encrypting secrets. For more info, please see the Admin guide on configuring secret encryption.

Encrypting secrets

You can download the crypttool from the Downloads section of its repository. Once downloaded, the crypttool has two options for encrypting content:

Encrypting a file with crypttool

Example

./crypttool --encrypt-from-file ~/.ssh/id_rsa -paas-name tst-tst -key ~/Downloads/public.bin

Encrypting from stdin with crypttool

Example

echo -e 'private investigations' | ./crypttool --encrypt-from-stdin -paas-name tst-tst -key ~/Downloads/public.bin

using cURL against the webservice api

Example

ENDPOINT_URL="https://paas-webservice-paas-system.apps.mycluster.example/v1/encrypt"
JSONTYPE='Content-Type: application/json'
PAAS=tst-tst
SECRET=$(awk '{printf "%s\\n", $0}' ~/.ssh/id_rsa)
curl -X POST "${ENDPOINT_URL}" -H "${JSONTYPE}" -d '{"paas":"'${PAAS}'","secret":"'${SECRET}'"}'

other options

Options are endless. Be creative...

defining secrets

Encrypted Secrets can be specified in multiple places.

By defining the secret in the Paas spec directly (Paas.spec.secrets) the secret will be created in all namespaces belonging to the paas.

Example

Setting an secret for all namespaces

apiVersion: cpet.belastingdienst.nl/v1alpha2
kind: Paas
metadata:
  name: tst-tst
spec:
  secrets:
    'ssh://git@my-git-host/my-git-repo.git': >-
      2wkeKe...g==

By defining the secret as part of a capability (such as argocd), the secret will be deployed in the namespace belonging to the capability specifically.

Example

Setting an secret for a specific capability

apiVersion: cpet.belastingdienst.nl/v1alpha2
kind: Paas
metadata:
  name: tst-tst
spec:
  capabilities:
    argocd:
      ...
      secrets:
        'ssh://git@my-git-host/my-git-repo.git': >-
          2wkeKe...g==

By defining the secret as part of a PaasNs, the secret will be deployed in the corresponding namespace only.

Example

---
apiVersion: cpet.belastingdienst.nl/v1alpha2
kind: Paas
metadata:
  name: tst-tst
spec:
  capabilities:
    # The argocd capability enabled
    argocd: {}
  requestor: my-team
  quota:
    limits.cpu: "40"
  secrets:
    'ssh://git@my-git-host/my-git-repo.git': >-
      2wkeKe...g==