Improve this page on GitHub

Secret Storage

Manage Kubernetes secrets with Codefresh

Codefresh has added the additional ability to resolve variables storing secrets from remote sources.

This allows you to keep sensitive data on your cluster, and for Codefresh to request it during pipeline execution on user’s demand.

Secret-Store is an additional context in Codefresh, which can be created, updated, deleted, etc, using the Codefresh CLI: codefresh create context secret-store --help.

At the moment, we support two types of secret storage: Kubernetes (SAAS version) and Runtime-Kubernetes (hybrid deployments).

Note: This feature is for Enterprise accounts only.

Prerequisites (for Kubernetes secret store)

You need to have your Kubernetes cluster connected to Codefresh. (this is only for the Kubernetes type secret store, for runtime-kubernetes hybrid installation, this is not required)

Create a Kubernetes Secret

Create your secret in Kubernetes, i.e.

kubectl create secret generic my-secret --from-literal=key1=supersecret

kubectl create configmap my-config-map --from-literal=key1=config1

Kubernetes Secret Store (SAAS Version)

Kubernetes secrets the native secrets supported by a cluster.

Using the Codefresh UI

On the left-hand panel, navigate to Account Settings > Integrations > Secret Store and select Configure.

Click on Add Provider and select Kubernetes secret store.

For Kubernetes secret store, you will need to define out the following fields:

Kubernetes Secret Store

Kubernetes Secret Store
  • Name: a unique name given to your context, which will be referenced in codefresh.yaml later.
  • Cluster: the name of the cluster as it is configured in Codefresh
  • Namespace: the namespace where the secret exists
  • Resource name: the name of the secret

You can toggle between ConfigMap or Secret, and also toggle the accessibility for users on this account.

Using the Codefresh CLI

To create a secret store context for Kubernetes, run:

codefresh create context secret-store kubernetes "$NAME_IN_CODEFRESH" --cluster "$CLUSTER" --namespace "$NAMESPACE" --resource-type "$TYPE" --resource-name ”$NAME”

or, for our example:

codefresh create context secret-store kubernetes "test" --cluster "[email protected]" --namespace "default" --resource-type secret --resource-name "my-secret"

Where:

  • $NAME_IN_CODEFRESH is a unique name given to your context, which will be referenced in codefresh.yaml later.
  • $CLUSTER is the name of the cluster as it is configured in Codefresh
  • $NAMESPACE is the Kubernetes namespace
  • $TYPE is of either secret or configmap
    • if secret, data will be base64 decoded during resolution
    • if configmap, data will be replaced as is
  • $RESOURCE_NAME is the name of the secret (optional)

Runtime Secret Store (Hybrid Installation)

If you are using the hybrid installation of Codefresh with the Runner) you can also store secrets on your own runtime.

Using the Codefresh UI

On the left-hand panel, navigate to Account Settings > Integrations > Secret Store and select Configure.

Click on Add Provider and select Runtime secret store.

For Runtime secret store, you need to define the following fields:

Runtime Secret Store

Runtime Secret Store
  • Name: a unique name given to your context, which will be referenced in codefresh.yaml later.
  • Resource name: the name of the secret
  • Runtime environment: select from the dropdown any runtime environments you have installed.

You can toggle between ConfigMap or Secret, and also toggle the accessibility for users on this account.

Using the Codefresh CLI

To create a secret store context for Runtime-Kubernetes environments (behind the firewall), run:

codefresh create context secret-store kubernetes-runtime "$NAME_IN_CODEFRESH"  --runtime "$RUNTIME_NAME" --resource-type "$TYPE" --resource-name ”$NAME”

or, for our example:

codefresh create context secret-store kubernetes-runtime "test" --runtime "gke_firstkubernetes-176201_us-central1-a_anna-demo" --resource-type secret --resource-name "my-secret"

Where:

  • $NAME_IN_CODEFRESH is a unique name given to your context, which will be referenced in codefresh.yaml later.
  • $CLUSTER is the name of the cluster as it is configured in Codefresh
  • $NAMESPACE is the Kubernetes namespace
  • $TYPE is of either secret or configmap
    • if secret, data will be base64 decoded during resolution
    • if configmap, data will be replaced as is
  • $RESOURCE_NAME is the name of the secret (optional)
  • $RUNTIME_NAME is the name of the run-time environment to be configured as secret store. If not set, any runtime-environment will be considered.

Using the secrets

Once Codefresh is linked to your secrets you can use them either in pipelines or any relevant section in the Codefresh GUI. See Using secrets for the details.