Secrets
Overview
Read this document to understand Secrets and how they are encrypted at P1.
We use SOPS (Secrets OPerationS) to encrypt Secrets within the mission-bootstrap. SOPS encrypts each value with a data key, and that data key is itself encrypted by Amazon KMS, so decryption requires access to the KMS key.
NOTE
At this time, product teams are not able to encrypt Kubernetes secrets themselves. An MDO engineer will perform the task of encrypting the Kubernetes secrets.
Step-By-Step Guide
During the pipeline setup process, a DevOps engineer will reach out to the product team to ask if any Kubernetes Secrets need to be injected at runtime.
For RDS Postgres/MySQL credentials, a DevOps engineer will generate and encrypt the appropriate credentials.
If the Product Team has secrets that need to be injected at runtime and do not fall into the RDS Postgres/MySQL category, they should reach out to the DevOps Engineer currently assigned to their epic (or enter a helpdesk ticket if none is assigned) to discuss encrypting the necessary credentials.
The Product Team must send the credentials to be encrypted through DoD SAFE, as this is the only approved application for sending Kubernetes Secrets to be encrypted.
- For more information on DoD SAFE, please read their help documents.
Once the Kubernetes Secrets have been encrypted, a reference to the encrypted Secrets will need to be added to the application Kubernetes manifests to make them available to your application container.
- If product team members are comfortable making changes to their own Kubernetes application manifests, they may do so themselves, or they can ask the DevOps Engineer currently assigned to their epic (or enter a helpdesk ticket if none is assigned) to help make the necessary changes.
Additional Comments
The code block below is an example of what will need to be added to the deployment.yaml file of your Kubernetes application manifests. The envFrom entry belongs to the container definition (under spec.template.spec.containers) and exposes every key of the referenced Secret to the container as an environment variable.
      # inside the container spec of deployment.yaml
      envFrom:
        - secretRef:
            name: app-db-credentials
NOTE
Please consult with a DevOps engineer to confirm the appropriate value for the name field.
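The two things that go wrong with this procedure in practice are a Secret manifest that is committed in plaintext (base64 in a data block is not encryption) and a deployment whose secretRef name does not match any Secret that was actually encrypted. The check below is an added example, not code from this page, P1, or the SOPS project; it uses only the Python standard library, so it scans the manifest text with a small indentation-aware scan instead of a full YAML parser. The sample manifests, the Secret name app-db-credentials and the GovCloud KMS key ARN are constructed placeholders.

```python
"""Pre-commit style guard for SOPS-encrypted Kubernetes Secrets.

Two checks: (1) every value under data/stringData is a SOPS ciphertext and
the sops metadata names an AWS KMS key; (2) every secretRef/secretKeyRef in
the deployment points at a Secret that exists. Stdlib only: no PyYAML, so the
manifests are scanned line by line rather than fully parsed (assumption: the
usual two-space, one-document-per-file layout)."""
import re

# SOPS wraps every encrypted scalar in this envelope; anything else is plaintext.
SOPS_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^,]+,iv:[^,]+,tag:[^,]+,type:\w+\]$")

# Constructed sample: what an MDO engineer would hand back after `sops -e`.
# The KMS key ARN and the ciphertext fragments are placeholders.
ENCRYPTED_SECRET = """
apiVersion: v1
kind: Secret
metadata:
  name: app-db-credentials
type: Opaque
stringData:
  DB_USERNAME: ENC[AES256_GCM,data:QXBwVXNlcg==,iv:Zm9vYmFy,tag:YmF6cXV4,type:str]
  DB_PASSWORD: ENC[AES256_GCM,data:c2VjcmV0,iv:Zm9vYmFy,tag:YmF6cXV4,type:str]
sops:
  kms:
    - arn: arn:aws-us-gov:kms:us-gov-west-1:111122223333:key/00000000-0000-0000-0000-000000000000
      created_at: "2024-01-01T00:00:00Z"
      enc: AQICAHexample==
  encrypted_regex: ^(data|stringData)$
  version: 3.8.1
"""

# Constructed sample of the mistake to catch: base64 only, no sops metadata.
PLAINTEXT_SECRET = """
apiVersion: v1
kind: Secret
metadata:
  name: app-db-credentials
type: Opaque
data:
  DB_PASSWORD: aHVudGVyMg==
"""

# Constructed deployment fragment using the envFrom/secretRef shape from this page.
DEPLOYMENT = """
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  template:
    spec:
      containers:
        - name: app
          image: registry.example/app:1.0
          envFrom:
            - secretRef:
                name: app-db-credentials
"""


def block_lines(text, key):
    """Lines indented under a top-level `key:` mapping, or [] if absent."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.rstrip() == f"{key}:":
            body = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and not nxt.startswith(" "):
                    break  # next top-level key ends the block
                body.append(nxt)
            return body
    return []


def scalar_children(lines):
    """{key: value} for indented `key: value` lines (nested mappings are skipped)."""
    out = {}
    for line in lines:
        m = re.match(r"^\s+([\w./-]+):\s*(.*)$", line)
        if m and m.group(2):
            out[m.group(1)] = m.group(2).strip().strip('"')
    return out


def kms_arns(manifest):
    """KMS key ARNs listed under sops.kms (commercial or us-gov partition)."""
    sops_block = "\n".join(block_lines(manifest, "sops"))
    return re.findall(r"arn:\s*(arn:aws(?:-us-gov)?:kms:\S+)", sops_block)


def check_secret_encrypted(manifest):
    """Problems that should block a commit; an empty list means the Secret is safe."""
    problems = []
    for section in ("data", "stringData"):
        for key, value in scalar_children(block_lines(manifest, section)).items():
            if not SOPS_VALUE.match(value):
                problems.append(f"plaintext value in {section}.{key}")
    if not kms_arns(manifest):
        problems.append("no AWS KMS key in sops metadata")
    return problems


def referenced_secrets(deployment):
    """Secret names used by secretRef (envFrom) or secretKeyRef (env) entries."""
    return sorted(set(re.findall(r"secret(?:Key)?Ref:\s+name:\s*(\S+)", deployment)))


def check_references(deployment, secret_manifests):
    """Secret names the deployment references but no supplied manifest defines."""
    defined = {scalar_children(block_lines(m, "metadata")).get("name") for m in secret_manifests}
    return [name for name in referenced_secrets(deployment) if name not in defined]


if __name__ == "__main__":
    print("encrypted:", check_secret_encrypted(ENCRYPTED_SECRET))
    print("plaintext:", check_secret_encrypted(PLAINTEXT_SECRET))
    print("missing refs:", check_references(DEPLOYMENT, [ENCRYPTED_SECRET]))
```

Run this against the manifests in a pipeline step or git pre-commit hook; a non-empty result from either check means either the plaintext credentials were about to be committed or the name in the secretRef does not match the Secret the DevOps engineer encrypted.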