
Google Secrets Manager

Warning

Google Secrets Manager integration with Kubernetes is currently available as an OPEN BETA. Please report any issues to the #nais channel on Slack.

You may store secrets in Google Secrets Manager as an alternative to the other offered solutions.

As a supplement to Kubernetes Secrets, we also offer one-way synchronization of secrets from Google Secrets Manager to Kubernetes Secrets that you may mount into your applications in the GCP clusters.

Getting started

Start at the GCP Console page and refer to the documentation for guides and how-tos on creating and managing secrets.

All secrets must exist in the region europe-north1. This option appears when you choose to manually select the region. Unfortunately, we cannot enforce a default value here.

(Screenshot: Google Secret Manager region selection)

Using secrets in applications

Label your secret with sync=true to enable synchronization to NAIS. The latest secret version will be copied into your Kubernetes namespace. This feature is only available in GCP clusters.

(Screenshot: Google Secret Manager sync label)

If the secret already existed before you added this label, you must create a new secret version to trigger the sync.

The name of the secret in Kubernetes will match the name of the secret in Google Secret Manager. In case of a name collision, the secret will not be imported.

Modifications made to the Kubernetes copy of a secret will NOT be synchronized back to Google Secret Manager, and any such modifications might be overwritten at any time.

If your secret contains a list of environment variables (one KEY=VALUE pair per line), additionally add the label env=true:

(Screenshot: Google Secret Manager environment variables example)

(Screenshot: Google Secret Manager environment variables label)

The synchronization of secrets into namespaces is managed by the application hunter2. This application runs in all team namespaces.

Example application spec

spec:
  filesFrom:
    - secret: my-secret-file
      mountPath: /var/run/secrets/my-secret
      # secret will be available in the file /var/run/secrets/my-secret/secret
  envFrom:
    - secret: my-secret
      # secret will be made available as environment variables

Example secret with environment variables

FOO=BAR
BAR=BAZ
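The following is an added example, not hunter2's code or any NAIS-provided tooling, that models the synchronization rules described above (sync=true label, latest version only, skip on name collision, europe-north1 region) together with the KEY=VALUE format used for env=true secrets. The GsmSecret class, the "synced" flag marking Kubernetes secrets the sync itself created, the decision to treat a wrong region as a skip, and the handling of blank and '#' lines in the env payload are assumptions made for this example.

```python
"""Model of the secret synchronization rules described on this page.

Constructed example: this is NOT hunter2's code. GSM and Kubernetes objects
are plain Python values standing in for the real API responses.
"""
from dataclasses import dataclass, field

REQUIRED_REGION = "europe-north1"  # the only region the sync accepts (from the page)


@dataclass
class GsmSecret:
    """Minimal stand-in for a Google Secret Manager secret (assumed shape)."""
    name: str
    labels: dict[str, str]
    versions: list[str] = field(default_factory=list)  # payloads, oldest first
    region: str = REQUIRED_REGION


def parse_env_payload(payload: str) -> dict[str, str]:
    """Parse a KEY=VALUE-per-line payload (the env=true format) into a dict.

    Assumptions beyond the page: blank lines and '#' comment lines are ignored,
    and only the first '=' splits key from value, so values may contain '='.
    """
    data: dict[str, str] = {}
    for lineno, raw in enumerate(payload.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key:
            raise ValueError(f"line {lineno}: expected KEY=VALUE, got {raw!r}")
        data[key] = value
    return data


def plan_sync(secret: GsmSecret, k8s_secrets: dict[str, dict]) -> tuple[str, object]:
    """Decide what the sync would do for one GSM secret.

    k8s_secrets maps existing Kubernetes secret names to metadata; the
    'synced' flag (an assumption) marks copies the sync itself created, which
    it may overwrite. Returns ("sync", data) or ("skip", reason).
    """
    if secret.region != REQUIRED_REGION:  # modelled as a skip (assumption)
        return ("skip", f"secret is in {secret.region}, must be {REQUIRED_REGION}")
    if secret.labels.get("sync") != "true":
        return ("skip", "missing label sync=true")
    if not secret.versions:
        return ("skip", "secret has no versions yet")
    existing = k8s_secrets.get(secret.name)
    if existing is not None and not existing.get("synced", False):
        return ("skip", f"name collision with unmanaged Kubernetes secret {secret.name!r}")
    payload = secret.versions[-1]          # only the latest version is copied
    if secret.labels.get("env") == "true":
        data = parse_env_payload(payload)  # one key per environment variable
    else:
        data = {"secret": payload}         # single key, mounted as .../secret
    return ("sync", data)


if __name__ == "__main__":
    # Constructed sample secrets mirroring the names used in the spec above.
    env_secret = GsmSecret("my-secret", {"sync": "true", "env": "true"},
                           ["OLD=1\n", "FOO=BAR\nBAR=BAZ\n"])
    file_secret = GsmSecret("my-secret-file", {"sync": "true"}, ["s3cr3t"])
    unlabelled = GsmSecret("other", {}, ["x"])
    for s in (env_secret, file_secret, unlabelled):
        print(s.name, plan_sync(s, {"my-secret-file": {"synced": True}}))
```

Running the block prints one decision per sample secret; the env=true secret yields the two keys FOO and BAR from its latest version, the file secret yields a single key named secret (matching the /var/run/secrets/my-secret/secret path in the spec above), and the unlabelled secret is skipped.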