Managing Secrets
This guide explains the secure and recommended process for managing secrets, such as API keys, database passwords, or other sensitive credentials, using Infrastream.
A core security principle of the platform is that secret values must never be stored in your Git repository. Infrastream integrates with Google Cloud Secret Manager to provide a secure storage location for your secrets, and a safe way to inject them into your application's runtime environment.
The process involves two key steps:
- Declaring the existence of a secret with a Secret manifest.
- Granting an application permission to access that secret.
Prerequisites
- You must have an existing Application manifest that needs to consume the secret.
- You need to know the identity of your project: organization, organizational-unit, environment, and project.
Step 1: Create a New Manifest File for the Secret
First, create a new YAML file to declare your secret inside your infrastream-manifests Git repository.
Note on File Location: Unlike legacy systems, the Infrastream Engine does not require manifests to be placed in a specific directory structure. You have the flexibility to organize your repository in the way that best suits your team. The Engine automatically discovers all manifest files and resolves their project identity using the values defined in the metadata block.
A common convention is to group secrets within a secret subdirectory:
../project/{project-name}/secret/{secret-name}.yaml
Step 2: Define Your Secret Manifest
Open your new file and add the following content. This manifest declares that a secret container should exist, but it does not contain the secret's value.
```yaml
apiVersion: lowops.manifests.v1
kind: Secret
metadata:
  name: partner-api-key
  # The identity of your project is defined here:
  project: payment-gateway
  environment: production
  organizational-unit: retail-banking
  organization: fincorp
spec:
  description: "API key for the external partner integration"
```
Commit this new file and open a pull request. Once it is approved and merged, Infrastream will provision an empty secret with the specified name in Google Cloud Secret Manager.
Step 3: Add the Secret's Value in GCP
This is the most critical step for security. The value of the secret is added directly to Google Cloud Secret Manager, ensuring it is never stored in Git history.
- Navigate to the Secret Manager page in the Google Cloud Console for the correct project.
- Find the newly created secret (e.g., partner-api-key).
- Click on the secret and select "Add new version".
- Enter the sensitive value (the API key, password, etc.) into the "Secret value" field and save it.
Your secret now has a value stored securely in GCP.
Step 4: Grant Your Application Access to the Secret
Now, you must grant your application permission to read this secret.
Locate your Application manifest file (e.g., ../application/payment-api.yaml). Inside its spec block, add an accessControl.secrets section.
```yaml
# In your Application manifest (e.g., payment-api.yaml)
# ... apiVersion, kind, metadata ...
spec:
  # ... other application settings like source, target ...
  accessControl:
    secrets:
      partner-api-key:            # Key = the Secret manifest's name
        envVar: PARTNER_API_KEY   # Expose as this environment variable
        # version: "latest"       # Optional: pin to a specific version (default: latest)
```
Note: The secrets field uses a map syntax where the key is the name of the Secret manifest, and the value defines how to expose it. Use envVar to inject it as an environment variable. You can optionally pin to a specific secret version.
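The two rules that Step 2 and Step 4 rely on (a Secret manifest never carries a value, and an Application may only reference a Secret that exists in its own project identity) are easy to check automatically before a pull request is merged. The following is an added example of such a pre-merge check; it is not part of Infrastream or its engine. It embeds the two manifests from this guide (the Application manifest's elided apiVersion, kind and metadata are filled in here as constructed values, and the name payment-api is taken from the file name above), uses a small constructed parser for the YAML subset these manifests use rather than a full YAML library, and treats the list of forbidden field names as an assumption about what a value-bearing field would be called.

```python
"""Added example: pre-merge policy check for Secret and Application manifests.

Rule 1: a Secret manifest declares a container only; no value field under spec.
Rule 2: every accessControl.secrets entry names a Secret manifest with the same
        project identity and exposes it through a valid environment-variable name.
The parser below only handles nested maps, scalars, quoted strings and comments,
which is all these manifests use; it is a constructed helper, not real YAML.
"""
import re

# Assumption: field names that would indicate a secret value committed to Git.
FORBIDDEN_SECRET_FIELDS = {"value", "data", "secretString", "secret_value"}
IDENTITY_KEYS = ("organization", "organizational-unit", "environment", "project")
ENV_VAR_RE = re.compile(r"^[A-Z_][A-Z0-9_]*$")

# Secret manifest as shown in Step 2 of this guide.
SECRET_MANIFEST = """\
apiVersion: lowops.manifests.v1
kind: Secret
metadata:
  name: partner-api-key
  # The identity of your project is defined here:
  project: payment-gateway
  environment: production
  organizational-unit: retail-banking
  organization: fincorp
spec:
  description: "API key for the external partner integration"
"""

# Application manifest from Step 4; apiVersion, kind and metadata are constructed.
APP_MANIFEST = """\
apiVersion: lowops.manifests.v1
kind: Application
metadata:
  name: payment-api
  project: payment-gateway
  environment: production
  organizational-unit: retail-banking
  organization: fincorp
spec:
  accessControl:
    secrets:
      partner-api-key:            # Key = the Secret manifest's name
        envVar: PARTNER_API_KEY   # Expose as this environment variable
"""

# Constructed negative case: wrong environment and a value committed under spec.
BAD_SECRET_MANIFEST = SECRET_MANIFEST.replace("production", "staging") \
    + '  value: "REDACTED-EXAMPLE-VALUE"\n'


def parse_manifest(text):
    """Parse the indentation-based map subset of YAML into nested dicts."""
    root, stack = {}, []
    stack.append((-1, root))  # sentinel: root container at indent -1
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:  # close maps that are no longer open
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # "key:" with nothing after it opens a nested map
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip('"').strip("'")
    return root


def identity(manifest):
    """Project identity tuple taken from the metadata block."""
    meta = manifest.get("metadata", {})
    return tuple(meta.get(k) for k in IDENTITY_KEYS)


def check_secret_manifest(manifest):
    """Rule 1: return findings for a Secret manifest (empty list = pass)."""
    findings = []
    if manifest.get("kind") != "Secret":
        findings.append("kind must be Secret")
    spec = manifest.get("spec", {})
    for field in sorted(FORBIDDEN_SECRET_FIELDS & set(spec)):
        findings.append(f"spec.{field} would store a secret value in Git")
    if any(v is None for v in identity(manifest)):
        findings.append("metadata is missing part of the project identity")
    return findings


def check_application_access(app, secret_index):
    """Rule 2: each accessControl.secrets entry resolves within the same project."""
    findings, app_id = [], identity(app)
    entries = app.get("spec", {}).get("accessControl", {}).get("secrets", {})
    for name, binding in entries.items():
        if (app_id, name) not in secret_index:
            findings.append(f"{name}: no Secret manifest named {name} in this project")
        env_var = binding.get("envVar") if isinstance(binding, dict) else None
        if not env_var or not ENV_VAR_RE.match(env_var):
            findings.append(f"{name}: envVar must be a valid environment variable name")
    return findings


def run_checks(secret_texts, app_texts):
    """Parse all manifests and return combined findings; an empty list means pass."""
    secrets = [parse_manifest(t) for t in secret_texts]
    apps = [parse_manifest(t) for t in app_texts]
    name = lambda m: m.get("metadata", {}).get("name", "<unnamed>")
    findings = [f"{name(s)}: {f}" for s in secrets for f in check_secret_manifest(s)]
    index = {(identity(s), name(s)): s for s in secrets if s.get("kind") == "Secret"}
    findings += [f"{name(a)}: {f}" for a in apps for f in check_application_access(a, index)]
    return findings


if __name__ == "__main__":
    print("good:", run_checks([SECRET_MANIFEST], [APP_MANIFEST]))
    print("bad: ", run_checks([BAD_SECRET_MANIFEST], [APP_MANIFEST]))
```

Running it prints an empty finding list for the manifests in this guide and two findings for the constructed bad case: the committed value under spec, and an Application that references a Secret declared for a different environment. In a real repository you would feed every discovered manifest file into run_checks from CI and fail the pull request on any non-empty result.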
Step 5: Commit, Review, and Merge
Commit the changes to your application manifest and open a new pull request.
After your PR is reviewed and approved, merge it. The platform will automatically:
- Create the IAM policy that allows your application's service account to read the secret from Secret Manager.
- Restart your application.
- Securely inject the secret's value as the specified environment variable, ready for your application to use.