Improve this page on GitHub

Secrets

Learn how Codefresh stores secrets

Codefresh provides out-of-the-box management for secrets, generally to store secrets for third-party integrations.

For secure secret storage, every Codefresh runtime uses the Bitnami Sealed Secrets controller behind the scenes. This controller is installed as part of the runtime and automatically managed by Codefresh.

How Sealed Secrets work

Sealed Secrets are based on public/private key encryption. When the controller is installed, it gets a public and private key. The private key stays within the cluster. The public key can be given anywhere to encrypt secrets.

Any kind of secret can be encrypted with the public key (also via the kubeseal executable), and then passed to the cluster for decryption when needed.

For GitOps applications, encryption for secrets is critical, as it means that you can commit any kind of secret in Git as long as it is encrypted.

Here’s the event flow for Sealed Secrets:

  1. A secret is encrypted by an operator and/or developer with the kubeseal executable.
  2. A custom Kubernetes resource called SealedSecret is created.
  3. The secret is committed in Git.
  4. During application deployment, the Codefresh runtime applies this secret to the cluster.
  5. The Sealed Secret controller identifies the Sealed Secret object and decrypts it using the private key of the cluster.
  6. The Sealed Secret is converted to a standard Kubernetes secret inside the cluster.
  7. It is then passed to the application like any other secret, as a mounted file or environment variable.
  8. The application uses the secret in its decrypted form.

For more details, you can read our blog post for sealed secrets.

Configuring the Sealed Secrets controller

The Sealed Secret controller is fully managed by the Codefresh runtime, and secret encryption and decryption are fully automated.

Warning! DO NOT tamper with the controller or its private/public keys in any way.

The applications you deploy with Codefresh should also have no knowledge of the controller. All secrets that you need in your own applications should be accessed using the standard Kubernetes methods.

Set up a hosted (Hosted GitOps environment)
Install hybrid runtimes
Image enrichment with integrations