Google Secrets Manager
Google Secrets Manager integration with Kubernetes is currently available as an OPEN BETA. Please report any issues to the #nais channel on Slack.
You may store secrets in Google Secrets Manager as an alternative to the other offered solutions.
As a supplement to Kubernetes Secrets, we also offer one-way synchronization of secrets from Google Secrets Manager to Kubernetes Secrets that you may mount into your applications in the GCP clusters.
All secrets must exist in the region europe-north1. This option is found when you click "manually select region". Unfortunately, we cannot enforce a default
Using secrets in applications
Label your secret with sync=true to enable synchronization to NAIS. The latest secret version will be copied into your Kubernetes namespace. This feature is only available in GCP clusters.
If the secret already existed without this label, you must add a new secret version to trigger the sync.
The name of the secret in Kubernetes will match the name of the secret in Google Secret Manager. In case of a name collision, the secret will not be imported.
Modifications to secrets will NOT be synchronized back to Google Secret Manager, and any modifications might be overwritten at any time.
If your secret contains a list of environment variables: additionally add the label
The synchronization of secrets into namespaces is managed by the application hunter2. This application runs in all team namespaces.
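The steps above (pin the secret to europe-north1, label it sync=true, then add a version so the latest version gets copied) as an added example using the google-cloud-secret-manager client library; this is not NAIS or hunter2 code. The project id, secret name and payload are constructed placeholders, and `sync_eligible` is a local pre-flight check of the documented rules, not something the platform exposes.

```python
"""Create a Secret Manager secret that the NAIS sync will pick up.

Assumption: the google-cloud-secret-manager library is installed and
application-default credentials are available when create_synced_secret
is called. Project id, secret id and payload below are constructed.
"""
from typing import Optional

SYNC_REGION = "europe-north1"   # the only region the sync reads from
SYNC_LABEL = {"sync": "true"}   # label that enables synchronization


def build_secret(labels: Optional[dict] = None) -> dict:
    """Secret resource body pinned to europe-north1 with the sync label."""
    merged = dict(SYNC_LABEL)
    merged.update(labels or {})
    return {
        # user-managed replication is what lets us choose a single region;
        # automatic replication would not meet the region requirement
        "replication": {"user_managed": {"replicas": [{"location": SYNC_REGION}]}},
        "labels": merged,
    }


def sync_eligible(secret: dict) -> bool:
    """Pre-flight check: sync label present and every replica in europe-north1."""
    labels = secret.get("labels", {})
    replicas = secret.get("replication", {}).get("user_managed", {}).get("replicas", [])
    return (labels.get("sync") == "true"
            and bool(replicas)
            and all(r.get("location") == SYNC_REGION for r in replicas))


def create_synced_secret(project_id: str, secret_id: str, payload: bytes) -> str:
    """Create the secret and add a first version; returns the version name.

    Adding a version is what makes the latest version appear in the namespace;
    the Kubernetes Secret will carry the same name as secret_id."""
    from google.cloud import secretmanager  # imported lazily: needs the library
    client = secretmanager.SecretManagerServiceClient()
    secret = build_secret()
    if not sync_eligible(secret):
        raise ValueError("secret body would not be synchronized")
    created = client.create_secret(
        request={"parent": f"projects/{project_id}", "secret_id": secret_id, "secret": secret})
    version = client.add_secret_version(
        request={"parent": created.name, "payload": {"data": payload}})
    return version.name


if __name__ == "__main__":
    print(create_synced_secret("my-gcp-project", "my-secret", b"constructed-value"))
```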
Example application spec

```yaml
spec:
  filesFrom:
    - secret: my-secret-file
      mountPath: /var/run/secrets/my-secret
      # secret will be available in the file /var/run/secrets/my-secret/secret
  envFrom:
    - secret: my-secret
      # secret will be made available as environment variables
```

Example secret with environment variables