Secrets

Create a Kubernetes Secret for this release.

Rendered by: templates/config-secrets.yaml

Security Considerations

Putting real secret values in a values file is not recommended for most use cases: the file ends up in Git, and the rendered Secret is also stored by Helm in the release history Secret in the target namespace. This option is primarily designed for integration with ArgoCD Vault Plugin (AVP) or similar tools that replace placeholder values at deployment time, so that only placeholders are ever committed.

For production environments, consider using:

  • ExternalSecrets with External Secrets Operator
  • ArgoCD Vault Plugin (AVP)
  • Sealed Secrets
  • HashiCorp Vault directly

Configuration

secrets:                        # struct | Optional Secret to create
  name: my-secret               # string | Optional (default: release name)
  annotations: {}               # map | Optional annotations
  stringData:                   # map | Optional stringData (values are quoted)
    PASSWORD: supersecret
    API_KEY: my-api-key
  data:                         # map | Optional raw base64 `data` values
    CERT_PEM: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t...

Usage Examples

Example 1: ArgoCD Vault Plugin Integration

When using ArgoCD Vault Plugin, use placeholders that AVP will replace:

secrets:
  name: vault-secrets
  annotations:
    avp.kubernetes.io/path: "secret/data/myapp/prod"
  stringData:
    DATABASE_PASSWORD: <path:secret/data/myapp/prod#database_password>
    API_KEY: <path:secret/data/myapp/prod#api_key>
    AWS_ACCESS_KEY_ID: <aws_access_key_id>
    AWS_SECRET_ACCESS_KEY: <aws_secret_access_key>

containers:
  - image: myapp
    imageTag: "1.0.0"
    envFrom:
      - secretRef:
          name: vault-secrets

AVP Placeholder Formats:

  • <path:secret/data/myapp#key> - explicit path and key; shown here for HashiCorp Vault KV v2, where the data/ segment is part of the KV v2 API path
  • <key> - generic placeholder, resolved against the path in the avp.kubernetes.io/path annotation (this is how AWS_ACCESS_KEY_ID above is looked up in the Vault secret at secret/data/myapp/prod); without that annotation AVP has no path to resolve it from
  • <aws_secret_name> - AWS Secrets Manager
  • <project/secret-name> - Google Cloud Secret Manager
  • <path/to/secret:key> - Azure Key Vault

The exact path syntax for each backend is defined by the AVP documentation for that backend; the chart passes the strings through unchanged.
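A pre-commit style check for the `secrets:` block, as an added example (this is not part of the chart or of AVP; the regexes and the dict shape are assumptions, the dict being what a YAML loader returns for the values above). It flags every stringData/data value that is not an AVP placeholder, and every generic <key> placeholder used without the avp.kubernetes.io/path annotation:

```python
import re
from typing import Dict, List

# Explicit AVP placeholder, e.g. <path:secret/data/myapp/prod#database_password>
EXPLICIT_PLACEHOLDER = re.compile(r"^<path:[^<>#\s]+#[^<>\s]+>$")
# Generic AVP placeholder, e.g. <database_password>; AVP resolves it relative to
# the path given in the avp.kubernetes.io/path annotation
GENERIC_PLACEHOLDER = re.compile(r"^<[A-Za-z0-9_.\-/]+>$")
PATH_ANNOTATION = "avp.kubernetes.io/path"


def classify(value: str) -> str:
    """Return 'explicit', 'generic' or 'literal' for one stringData/data value."""
    if EXPLICIT_PLACEHOLDER.match(value):
        return "explicit"
    if GENERIC_PLACEHOLDER.match(value):
        return "generic"
    return "literal"


def lint_secrets(secrets: Dict) -> List[str]:
    """Return one finding per problem in a `secrets:` values block (empty == clean).

    A literal value is a real secret about to be committed; a generic placeholder
    without the path annotation is one AVP cannot resolve at deploy time.
    """
    findings: List[str] = []
    annotations = secrets.get("annotations") or {}
    has_path = PATH_ANNOTATION in annotations
    for field in ("stringData", "data"):
        for key, raw in (secrets.get(field) or {}).items():
            kind = classify(str(raw))
            if kind == "literal":
                findings.append(f"{field}.{key}: literal value, not an AVP placeholder")
            elif kind == "generic" and not has_path:
                findings.append(
                    f"{field}.{key}: generic placeholder {raw} needs the "
                    f"{PATH_ANNOTATION} annotation to resolve"
                )
    return findings


# Constructed sample: the AVP example from this page, as a loaded YAML dict
AVP_VALUES = {
    "name": "vault-secrets",
    "annotations": {"avp.kubernetes.io/path": "secret/data/myapp/prod"},
    "stringData": {
        "DATABASE_PASSWORD": "<path:secret/data/myapp/prod#database_password>",
        "API_KEY": "<path:secret/data/myapp/prod#api_key>",
        "AWS_ACCESS_KEY_ID": "<aws_access_key_id>",
        "AWS_SECRET_ACCESS_KEY": "<aws_secret_access_key>",
    },
}

# Constructed sample: literal values that would be committed as-is
LITERAL_VALUES = {
    "name": "app-secrets",
    "stringData": {"DATABASE_PASSWORD": "my-password", "API_TOKEN": "token123"},
}

if __name__ == "__main__":
    for label, values in (("avp", AVP_VALUES), ("literal", LITERAL_VALUES)):
        print(label, lint_secrets(values) or "clean")
```

Run it against the `secrets:` subtree of each values file in CI and fail the pipeline on any finding; the check is deliberately strict, so a public value (a CA certificate, say) that you do want committed as a literal has to be allow-listed explicitly rather than slipping through.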

Example 2: Basic Secret with Environment Variables

secrets:
  name: app-secrets
  stringData:
    DATABASE_PASSWORD: my-password
    API_TOKEN: token123

containers:
  - image: myapp
    imageTag: "1.0.0"
    env:
      - name: DATABASE_PASSWORD
        valueFrom:
          secretKeyRef:
            name: app-secrets
            key: DATABASE_PASSWORD
      - name: API_TOKEN
        valueFrom:
          secretKeyRef:
            name: app-secrets
            key: API_TOKEN

Example 3: Mount All Secrets as Environment Variables

Every key in the Secret becomes an environment variable of the same name (the values below are placeholders, not real credentials):

secrets:
  name: app-secrets
  stringData:
    DATABASE_URL: postgresql://user:pass@host:5432/db
    REDIS_URL: redis://redis:6379
    SECRET_KEY: supersecretkey

containers:
  - image: myapp
    imageTag: "1.0.0"
    envFrom:
      - secretRef:
          name: app-secrets

Example 4: Base64 Encoded Data

For binary data or pre-encoded secrets, use data instead of stringData. Each value must be the standard base64 encoding of the raw file bytes on a single line (for example, base64 -w0 tls.crt with GNU coreutils). base64 is an encoding, not encryption: anyone who can read the values file or the Secret can recover the bytes.

secrets:
  name: tls-certs
  data:
    tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFekNDQWZ1Z0F3SUJBZ0lVTkk5...
    tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lH...

containers:
  - image: nginx
    imageTag: "1.21"
    volumeMounts:
      - containerPath: /etc/nginx/ssl
        volume:
          name: tls-certs
          readOnly: true

volumes:
  - name: tls-certs
    secret:
      secretName: tls-certs
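An added example (not chart code) of building and checking the data map, and of what the API server actually stores when both data and stringData are given. The sample certificate and key bytes are constructed placeholders, not real key material:

```python
import base64
import binascii
from typing import Dict


def encode_data(files: Dict[str, bytes]) -> Dict[str, str]:
    """Build a `data:` map from raw file bytes: standard base64, one line, padded
    (the same output `base64 -w0 file` gives with GNU coreutils)."""
    return {key: base64.b64encode(raw).decode("ascii") for key, raw in files.items()}


def decode_data(data: Dict[str, str]) -> Dict[str, bytes]:
    """Inverse of encode_data; raises on anything that is not strict base64."""
    return {key: base64.b64decode(value, validate=True) for key, value in data.items()}


def check_data(data: Dict[str, str]) -> Dict[str, str]:
    """Return a problem description per `data:` key that is not clean base64.

    Catches the usual mistakes: pasting the PEM text itself under `data`
    (it belongs under stringData, or must be encoded first), and base64
    output that picked up line wraps or indentation spaces.
    """
    problems: Dict[str, str] = {}
    for key, value in data.items():
        if value.startswith("-----BEGIN"):
            problems[key] = "PEM text pasted raw; base64-encode it or use stringData"
        elif any(ch.isspace() for ch in value):
            problems[key] = "contains whitespace; re-encode on a single line"
        else:
            try:
                base64.b64decode(value, validate=True)
            except (binascii.Error, ValueError):
                problems[key] = "not valid base64"
    return problems


def effective_data(secret: Dict) -> Dict[str, str]:
    """The `data` map the API server stores after merging stringData into it.

    stringData is a write-only convenience field: each entry is base64-encoded
    and merged into data, and when a key appears in both fields the stringData
    value wins (Kubernetes Secret semantics).
    """
    merged = dict(secret.get("data") or {})
    for key, value in (secret.get("stringData") or {}).items():
        merged[key] = base64.b64encode(str(value).encode("utf-8")).decode("ascii")
    return merged


# Constructed sample bytes standing in for tls.crt / tls.key (not real key material)
SAMPLE_FILES = {
    "tls.crt": b"-----BEGIN CERTIFICATE-----\nMIIDEzCCAfugAwIBAgIU\n-----END CERTIFICATE-----\n",
    "tls.key": b"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG\n-----END PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    data = encode_data(SAMPLE_FILES)
    print(check_data(data))  # clean map: {}
    print(check_data({"tls.crt": SAMPLE_FILES["tls.crt"].decode()}))  # PEM pasted raw
    print(effective_data({"data": data, "stringData": {"tls.crt": "override"}}))
```

The effective_data merge is the reason to pick one field per key: a key set under both data and stringData silently takes the stringData value, which is easy to miss when the data value is an opaque base64 blob.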

Best Practices

  1. Never commit real secrets to Git - Use placeholders or a secret management tool; base64 in data does not hide anything
  2. Use ExternalSecrets for production - The secret value never passes through the values file or the Helm release
  3. Leverage ArgoCD Vault Plugin - For GitOps workflows with centralized secret management, committing only placeholders
  4. Rotate secrets regularly - Implement secret rotation policies; a rotation that only updates the backend still needs a redeploy to reach Pods
  5. Use RBAC - Restrict get/list/watch on Secrets in the namespace, including the Helm release Secrets (sh.helm.release.v1.*), which contain the rendered manifest
  6. Audit secret access - Enable audit logging for Secret operations and review reads, not just writes

See Also