
Managing Secrets

This guide explains the secure and recommended process for managing secrets, such as API keys, database passwords, or other sensitive credentials, using Infrastream.

A core security principle of the platform is that secret values must never be stored in your Git repository. Infrastream integrates with Google Cloud Secret Manager to provide a secure storage location for your secrets, and a safe way to inject them into your application's runtime environment.

The process involves two key steps:

  1. Declaring the existence of a secret with a Secret manifest.
  2. Granting an application permission to access that secret.

Prerequisites

  • You must have an existing Application manifest that needs to consume the secret.
  • You need to know the identity of your project: organization, organizational-unit, environment, and project.

Step 1: Create a New Manifest File for the Secret

First, create a new YAML file to declare your secret inside your infrastream-manifests Git repository.

Note on File Location: Unlike legacy systems, the Infrastream Engine does not require manifests to be placed in a specific directory structure. You have the flexibility to organize your repository in the way that best suits your team. The Engine automatically discovers all manifest files and resolves their project identity using the values defined in the metadata block.

A common convention is to group secrets within a secret subdirectory: ../project/{project-name}/secret/{secret-name}.yaml

Step 2: Define Your Secret Manifest

Open your new file and add the following content. This manifest declares that a secret container should exist, but it does not contain the secret's value.

apiVersion: lowops.manifests.v1
kind: Secret
metadata:
  name: partner-api-key
  # The identity of your project is defined here:
  project: payment-gateway
  environment: production
  organizational-unit: retail-banking
  organization: fincorp
spec:
  description: "API key for the external partner integration"

Commit this new file and open a pull request. Once it is approved and merged, Infrastream will create a secret with the specified name in Google Cloud Secret Manager. At this point the secret exists but has no versions, so it holds no value yet.

Step 3: Add the Secret's Value in GCP

This is the most critical step for security. The value of the secret is added directly to Google Cloud Secret Manager, ensuring it is never stored in Git history.

  1. Navigate to the Secret Manager page in the Google Cloud Console for the correct project.
  2. Find the newly created secret (e.g., partner-api-key).
  3. Click on the secret and select "Add new version".
  4. Enter the sensitive value (the API key, password, etc.) into the "Secret value" field and save it.

Your secret now has a value stored securely in GCP.

Step 4: Grant Your Application Access to the Secret

Now, you must grant your application permission to read this secret.

Locate your Application manifest file (e.g., ../application/payment-api.yaml). Inside its spec block, add an accessControl.secrets section.

# In your Application manifest (e.g., payment-api.yaml)
# ... apiVersion, kind, metadata ...
spec:
  # ... other application settings like source, target ...

  accessControl:
    secrets:
      - name: partner-api-key   # Must match the Secret's name
        # Expose the secret as an environment variable
        envVar: PARTNER_API_KEY
        # You can also expose it as a file
        # filePath: /etc/secrets/partner-api-key

You can use envVar, filePath, or both to expose the secret to your application. Prefer filePath for high-value credentials: environment variables are inherited by every child process and can surface in process listings, crash reports, and debug output, whereas a file can be read once at startup and nothing else needs to see it.
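The two manifests above can be checked before a pull request is merged. The following is an added example, not Infrastream's own tooling, of a lint that enforces the page's rules: a Secret manifest carries only the documented description field (so no value ever lands in Git), and every accessControl.secrets entry names a Secret declared under the same project identity, which is an assumption about how the Engine resolves names. It works on manifests already parsed into dicts (for instance with PyYAML); the sample manifests are constructed inline to mirror the guide, and findings report field names only, never field contents.

```python
import re

IDENTITY_KEYS = ("organization", "organizational-unit", "environment", "project")
ALLOWED_SECRET_SPEC_KEYS = {"description"}   # the only Secret spec field the guide documents
ENV_NAME = re.compile(r"^[A-Z_][A-Z0-9_]*$")  # conservative POSIX-style variable name


def identity(manifest):
    """Project identity tuple from the metadata block (None for missing fields)."""
    md = manifest.get("metadata") or {}
    return tuple(md.get(k) for k in IDENTITY_KEYS)


def lint(manifests):
    """Return a list of findings (strings); an empty list means the set is clean.

    Findings mention field names only, never their contents, so a value that
    was mistakenly committed is not copied into CI logs by the check itself.
    """
    findings = []
    declared = set()  # (organization, ou, environment, project, secret name)

    for m in manifests:
        if m.get("kind") != "Secret":
            continue
        name = (m.get("metadata") or {}).get("name")
        ident = identity(m)
        if name is None or None in ident:
            findings.append(f"Secret {name!r}: metadata must carry name and all four identity fields")
            continue
        extra = sorted(set(m.get("spec") or {}) - ALLOWED_SECRET_SPEC_KEYS)
        if extra:
            findings.append(f"Secret {name}: undocumented spec field(s) {extra}; "
                            "the value must be added in Secret Manager, never in Git")
        declared.add(ident + (name,))

    for m in manifests:
        if m.get("kind") != "Application":
            continue
        app = (m.get("metadata") or {}).get("name", "<unnamed>")
        ident = identity(m)
        refs = ((m.get("spec") or {}).get("accessControl") or {}).get("secrets") or []
        for ref in refs:
            name = ref.get("name")
            if not name:
                findings.append(f"Application {app}: accessControl.secrets entry without a name")
                continue
            if ident + (name,) not in declared:  # assumption: same project identity required
                findings.append(f"Application {app}: references secret {name} with no Secret manifest in the same project")
            env_var, file_path = ref.get("envVar"), ref.get("filePath")
            if env_var is None and file_path is None:
                findings.append(f"Application {app}: secret {name} has neither envVar nor filePath")
            if env_var is not None and not ENV_NAME.match(str(env_var)):
                findings.append(f"Application {app}: envVar {env_var!r} for {name} is not a valid variable name")
            if file_path is not None and not str(file_path).startswith("/"):
                findings.append(f"Application {app}: filePath for {name} must be absolute")
    return findings


# Constructed sample manifests (already parsed from YAML) mirroring the guide.
IDENT = {"project": "payment-gateway", "environment": "production",
         "organizational-unit": "retail-banking", "organization": "fincorp"}

GOOD_SECRET = {"apiVersion": "lowops.manifests.v1", "kind": "Secret",
               "metadata": {"name": "partner-api-key", **IDENT},
               "spec": {"description": "API key for the external partner integration"}}

GOOD_APP = {"apiVersion": "lowops.manifests.v1", "kind": "Application",
            "metadata": {"name": "payment-api", **IDENT},
            "spec": {"accessControl": {"secrets": [
                {"name": "partner-api-key", "envVar": "PARTNER_API_KEY",
                 "filePath": "/etc/secrets/partner-api-key"}]}}}

# The mistake the guide warns against: a value committed inside the manifest.
LEAKY_SECRET = {"apiVersion": "lowops.manifests.v1", "kind": "Secret",
                "metadata": {"name": "db-password", **IDENT},
                "spec": {"description": "DB password", "value": "example-not-a-real-value"}}

# References a secret nobody declared and uses an invalid variable name.
BAD_APP = {"apiVersion": "lowops.manifests.v1", "kind": "Application",
           "metadata": {"name": "reporting-job", **IDENT},
           "spec": {"accessControl": {"secrets": [{"name": "missing-key", "envVar": "bad-name"}]}}}

if __name__ == "__main__":
    for finding in lint([GOOD_SECRET, GOOD_APP, LEAKY_SECRET, BAD_APP]):
        print("FINDING:", finding)
```

Run it in CI over every manifest in the repository and fail the pull request when the list is non-empty; because the output never echoes field contents, a leaked value stays confined to the offending commit rather than being repeated in build logs.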

Step 5: Commit, Review, and Merge

Commit the changes to your application manifest and open a new pull request.

After your PR is reviewed and approved, merge it. The platform will automatically:

  1. Create the IAM policy that allows your application's identity to read the secret.
  2. Restart your application.
  3. Securely inject the secret's value as either an environment variable or a file, ready for your application to use.
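Once the platform has restarted the application, the code still has to pick the value up safely. The following is an added example for the application side, not Infrastream's own client code. It assumes that a filePath secret arrives as a plain file readable by the application user and an envVar secret as an ordinary process environment variable, prefers the file when both are configured, tolerates the single trailing newline that values added from a file or a pipe often carry, and fails closed when neither source is present. The file and environment contents in the demo are constructed.

```python
import os
import tempfile
from pathlib import Path


class SecretUnavailable(RuntimeError):
    """Raised when neither injection path supplies the secret: fail closed rather than run without it."""


def _strip_one_newline(value):
    """Drop exactly one trailing line ending; anything else in the payload is kept as-is."""
    if value.endswith("\r\n"):
        return value[:-2]
    if value.endswith("\n"):
        return value[:-1]
    return value


def load_secret(env_var=None, file_path=None):
    """Return the injected secret, preferring the file over the environment.

    The value is never logged and never included in the exception message;
    only the locations that were checked are reported.
    """
    if file_path is not None:
        p = Path(file_path)
        if p.is_file():
            return _strip_one_newline(p.read_text(encoding="utf-8"))
    if env_var is not None:
        value = os.environ.get(env_var)
        if value:
            return _strip_one_newline(value)
    raise SecretUnavailable(f"secret not injected (checked file={file_path!r}, env={env_var!r})")


def demo():
    """Exercise file-wins, env-fallback and fail-closed with constructed inputs; returns the outcomes."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "partner-api-key")   # stands in for /etc/secrets/partner-api-key
        Path(path).write_text("constructed-file-value\n", encoding="utf-8")  # constructed sample
        os.environ["PARTNER_API_KEY"] = "constructed-env-value"              # constructed sample
        outcomes["file_wins"] = load_secret("PARTNER_API_KEY", path)
        outcomes["env_fallback"] = load_secret("PARTNER_API_KEY", os.path.join(d, "absent"))
        os.environ.pop("PARTNER_API_KEY")
        try:
            load_secret("PARTNER_API_KEY", os.path.join(d, "absent"))
            outcomes["missing"] = "no error"
        except SecretUnavailable:
            outcomes["missing"] = "failed closed"
    return outcomes


if __name__ == "__main__":
    result = demo()
    print("file wins:", len(result["file_wins"]), "characters")  # report length, never the value
    print("missing secret:", result["missing"])
```

Read the secret once at startup and keep it in memory; because the platform restarts the application whenever the manifest changes, there is no need to re-read the file on every request, and a startup failure surfaces a misconfiguration immediately instead of at the first partner call.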