Getting Started with Secrets

This guide explains how to securely consume secrets in your applications by synchronizing them from the central OpenBao secrets store into your Kubernetes namespace.

On-Premises OpenBao Store

This guide covers the workflow for using the on-premises, shared OpenBao secrets store provided by The Contain Platform.

The service uses the External Secrets Operator, which watches for ExternalSecret custom resources. When you create one, the operator fetches the corresponding secret from the OpenBao store and creates a native Kubernetes Secret that your application can use.

Prerequisites

Before you begin, you will need:

  • Access to the cluster.
  • Access to the OpenBao UI to store the initial secret.

Step 1: Store Your Secret in OpenBao

Before you can sync a secret, it must exist in the central OpenBao secrets store.

  1. Navigate to the OpenBao UI.
  2. In the KV secrets engine, go to the path that corresponds to your application: k8s/<cluster-name>/<your-namespace>/.
  3. Create a new secret. For this example, let's call it my-app-secret and give it a key-value pair of api-key = super-secret-value.

The full path to this secret in OpenBao would be k8s/<cluster-name>/<your-namespace>/my-app-secret.

On Secret Paths and Policies

The path where you store your secret determines the access policies that apply to it. For a detailed explanation of the different policy paths and their permissions, please see the dedicated reference guide:

Step 2: Create an ExternalSecret Resource

Now, create an ExternalSecret manifest in your GitOps repository. This resource tells the operator where to find the secret in OpenBao and how to create the corresponding Kubernetes Secret in your namespace.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  # This will be the name of the Kubernetes Secret created in your namespace
  name: my-application-credentials
spec:
  # The secret store is pre-configured for you
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao

  # How often the operator should check OpenBao for changes
  refreshInterval: 1m

  # Describes the desired Kubernetes Secret
  target:
    name: my-application-credentials
    creationPolicy: Owner

  # Defines which secret to fetch from OpenBao
  dataFrom:
  - extract:
      # This is the full path to the secret you created in Step 1
      key: k8s/<cluster-name>/<your-namespace>/my-app-secret

When you apply this manifest, the operator will connect to OpenBao, fetch all the key-value pairs from my-app-secret, and sync them into a new Kubernetes Secret named my-application-credentials.

Step 3: Verify and Use the Kubernetes Secret

After a minute, you can verify that the secret was created in your namespace.

# Check that the Kubernetes Secret exists
kubectl get secret my-application-credentials -n <your-namespace>

# Decode the 'api-key' value from the secret
kubectl get secret my-application-credentials -n <your-namespace> -o jsonpath='{.data.api-key}' | base64 --decode

The output should be super-secret-value. Your application can now consume this secret as environment variables or mount it as a volume, just like any other native Kubernetes Secret.
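As an added example (not part of this guide or of The Contain Platform's tooling), a small Python pre-commit check for the GitOps repository that flags an ExternalSecret whose OpenBao key falls outside the k8s/<cluster-name>/<your-namespace>/ prefix the path-based policies grant, or that points at a store other than the pre-configured ClusterSecretStore named openbao. The cluster and namespace names and the sample manifest dict are constructed; in real use the dict comes from yaml.safe_load on the manifest file.

```python
from typing import List


def expected_prefix(cluster: str, namespace: str) -> str:
    """KV prefix that the policies grant to one namespace on one cluster."""
    return f"k8s/{cluster}/{namespace}/"


def referenced_keys(manifest: dict) -> List[str]:
    """Collect every OpenBao key the ExternalSecret reads, from both
    spec.data[].remoteRef.key and spec.dataFrom[].extract.key."""
    spec = manifest.get("spec", {})
    keys = [d["remoteRef"]["key"] for d in spec.get("data", []) if "remoteRef" in d]
    keys += [d["extract"]["key"] for d in spec.get("dataFrom", []) if "extract" in d]
    return keys


def check_external_secret(manifest: dict, cluster: str, namespace: str) -> List[str]:
    """Return human-readable violations; an empty list means the manifest is OK."""
    if manifest.get("kind") != "ExternalSecret":
        return [f"not an ExternalSecret: kind={manifest.get('kind')!r}"]
    problems: List[str] = []
    store = manifest.get("spec", {}).get("secretStoreRef", {})
    if (store.get("kind"), store.get("name")) != ("ClusterSecretStore", "openbao"):
        problems.append(f"unexpected secretStoreRef {store!r}; expected ClusterSecretStore/openbao")
    prefix = expected_prefix(cluster, namespace)
    keys = referenced_keys(manifest)
    if not keys:
        problems.append("manifest references no OpenBao keys")
    for key in keys:
        # A key outside the namespace prefix is denied by the policy at sync time;
        # catching it here keeps a broken (or mis-scoped) reference out of the cluster.
        if not key.startswith(prefix) or len(key) == len(prefix):
            problems.append(f"key {key!r} is outside the namespace prefix {prefix!r}")
    return problems


# Constructed sample: what yaml.safe_load yields for the manifest in Step 2,
# with placeholder cluster "prod-cluster" and namespace "team-a".
SAMPLE = {
    "apiVersion": "external-secrets.io/v1beta1",
    "kind": "ExternalSecret",
    "metadata": {"name": "my-application-credentials"},
    "spec": {
        "secretStoreRef": {"kind": "ClusterSecretStore", "name": "openbao"},
        "refreshInterval": "1m",
        "target": {"name": "my-application-credentials", "creationPolicy": "Owner"},
        "dataFrom": [{"extract": {"key": "k8s/prod-cluster/team-a/my-app-secret"}}],
    },
}

if __name__ == "__main__":
    for problem in check_external_secret(SAMPLE, "prod-cluster", "team-a"):
        print("VIOLATION:", problem)
```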