
Introduction to the Secrets Service

The Secrets service provides a secure and automated way to use sensitive information like API keys, database passwords, and TLS certificates in your applications. It acts as a secure bridge between your Kubernetes cluster and an external secrets management system, ensuring that your secrets are never exposed in your Git repositories or container images.

Storing secrets directly in Git is a significant security risk. This service solves that problem by allowing your applications to consume secrets from a secure, centralized location without ever hardcoding them in your configuration files.

Our managed Secrets service is built on the External Secrets Operator, a powerful open-source tool that safely synchronizes secrets from an external API into Kubernetes.

Secret Stores

This service is designed to fetch secrets from a dedicated secret store. You have two options:

  1. Use Our Managed Secrets Store: You can use our fully managed Secrets Store service, which provides a secure, high-availability Vault cluster for storing your secrets.
  2. Bring Your Own Store: If you already have a secrets management system, you can configure the Secrets service to connect to your existing provider, such as HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, or Azure Key Vault.

How It Works

You define an ExternalSecret resource in your Git repository. This resource contains no secret values: it names the secret store to use, which entries to fetch from it, and how to map them into the keys of a native Kubernetes Secret. The Secrets service operator detects this resource, authenticates to the external store, retrieves the secret data, and creates a standard Kubernetes Secret in your namespace. Your application can then mount this Secret or inject it as environment variables as it normally would, unaware of the underlying mechanism. Note that the resulting object is an ordinary Kubernetes Secret: anyone with `get` or `list` on secrets in that namespace can read its contents, so keep namespace RBAC tight and treat the ExternalSecret's namespace as the trust boundary.
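The two manifests below are an added illustration of that flow and are not taken from the managed service's documentation. They assume the `external-secrets.io/v1beta1` API served by the installed operator, a namespace `my-app`, a ServiceAccount `my-app-sa` that Vault's Kubernetes auth method maps to a role `my-app`, a Vault KV v2 mount at `secret/`, and a Vault address of `https://vault.example.com:8200`; all of these names are assumptions. The `refreshInterval` on the ExternalSecret is what drives the automatic synchronization and rotation described under Features.

```yaml
# Added example, not the provider's own manifests. Names, addresses and the
# API version are assumptions; adjust them to your store and cluster.
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore             # namespaced; use ClusterSecretStore to share one store across namespaces
metadata:
  name: vault-backend
  namespace: my-app
spec:
  provider:
    vault:
      server: "https://vault.example.com:8200"   # assumed Vault address
      path: "secret"          # KV mount; the operator inserts the KV v2 "data/" path segment itself
      version: "v2"
      auth:
        kubernetes:           # no static Vault token in Git: the SA token is exchanged for a Vault token
          mountPath: "kubernetes"
          role: "my-app"
          serviceAccountRef:
            name: "my-app-sa"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
  namespace: my-app
spec:
  refreshInterval: 1h         # poll cadence; a value rotated in Vault lands in the cluster within this window
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: db-credentials      # the Kubernetes Secret the operator creates
    creationPolicy: Owner     # Secret is owned by, and garbage-collected with, this ExternalSecret
  data:
    - secretKey: DB_USERNAME  # key in the Kubernetes Secret
      remoteRef:
        key: my-app/db        # written with: vault kv put secret/my-app/db username=... password=...
        property: username    # field inside the Vault secret
    - secretKey: DB_PASSWORD
      remoteRef:
        key: my-app/db
        property: password
---
# Consumer: the workload sees only a normal Secret and needs no Vault credentials.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: my-app
spec:
  replicas: 1
  selector:
    matchLabels: { app: api }
  template:
    metadata:
      labels: { app: api }
    spec:
      serviceAccountName: default   # deliberately not my-app-sa: the app must not be able to talk to Vault directly
      containers:
        - name: api
          image: registry.example.com/api:1.0   # assumed image
          envFrom:
            - secretRef:
                name: db-credentials
```

After `kubectl apply -f`, `kubectl get externalsecret db-credentials -n my-app` should report a `SecretSynced` status; an authentication or path error surfaces there rather than in the application. The `Owner` creation policy means deleting the ExternalSecret also deletes the generated Secret, which is what you want when a service is decommissioned.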

Features

  • Keep Secrets Out of Git: Your sensitive data remains securely stored in a dedicated secrets manager, never in your source code.
  • Automated Synchronization and Rotation: The service polls the external store on the interval you configure on each ExternalSecret and keeps the Kubernetes Secret in sync. When you rotate a secret in your vault, the cluster copy is updated on the next refresh. Whether a running pod sees the new value depends on how it consumes the Secret: a volume mount (not a subPath mount) is refreshed by the kubelet, while environment variables are fixed at container start and require a restart or rollout to pick up the rotated value.
  • Centralized Management: Manage all your secrets in a single, secure, audited location, simplifying secret management across all your applications.
  • Broad Provider Support: Natively supports a wide range of popular secret management systems.
  • Fully Managed: We handle the installation, configuration, and maintenance of the External Secrets Operator, ensuring a reliable and secure secrets workflow.

Tip

For general information about pricing, legal or support concerning the platform, services or components, consult your contract or see the contact page.