diff --git a/docs/for-devs/console/code-repositories.md b/docs/for-devs/console/code-repositories.md index 9dfbe7ecd..773b1a9c1 100644 --- a/docs/for-devs/console/code-repositories.md +++ b/docs/for-devs/console/code-repositories.md @@ -44,7 +44,7 @@ All registered code repositories of the Team are listed here. 2. Optionally: Select `Private` If the repository in GitHub is private. -3. Optionally: Select a secret that contains the authentication credentials. Only Sealed Secrets of type `basic-auth` and `ssh-auth` will be shown. If no secret is available, then first [create a Sealed Secret](sealed-secrets.md). +3. Optionally: Select a secret that contains the authentication credentials. Only secrets of type `basic-auth` and `ssh-auth` will be shown. If no secret is available, then first [create a secret](secrets.md). 4. Optionally: Test the connection to see if the authentication credentials are valid and App Platform can use the credentials to access the private repository. @@ -57,7 +57,7 @@ All registered code repositories of the Team are listed here. 2. Optionally: Select `Private` If the repository in GitLab is private. -3. Optionally: Select a secret that contains the authentication credentials. Only Sealed Secrets of type `basic-auth` and `ssh-auth` will be shown. If no secret is available, then first [create a Sealed Secret](sealed-secrets.md). +3. Optionally: Select a secret that contains the authentication credentials. Only secrets of type `basic-auth` and `ssh-auth` will be shown. If no secret is available, then first [create a secret](secrets.md). 4. Optionally: Test the connection to see if the authentication credentials are valid and App Platform can use the credentials to access the private repository. diff --git a/docs/for-devs/console/overview.md b/docs/for-devs/console/overview.md index bd0af97e1..e6056eb78 100644 --- a/docs/for-devs/console/overview.md +++ b/docs/for-devs/console/overview.md 
@@ -19,7 +19,7 @@ Self-service section: - [Catalog](catalog.md): The Helm charts available for the Team in the Catalog. - [Code Repositories](code-repositories.md): A self-service form to register code repositories to App Platform and use them to create Container Images. - [Container Images](container-images.md): A self-service form to create container images from registered Code Repositories. -- [Sealed Secrets](sealed-secrets.md): A self-service form to create Sealed Secrets. +- [Secrets](secrets.md): A self-service form to create a secret using Sealed Secrets. - [Workloads](workloads.md): A self-service form to create Workloads. - [Network Policies](netpols.md): A self-service form to create Network Policies. - [Services](services.md): A self-service form to create Services to publicly expose deployed Workloads. diff --git a/docs/for-devs/console/sealed-secrets.md b/docs/for-devs/console/secrets.md similarity index 56% rename from docs/for-devs/console/sealed-secrets.md rename to docs/for-devs/console/secrets.md index 55c478ec1..e55cdb1a0 100644 --- a/docs/for-devs/console/sealed-secrets.md +++ b/docs/for-devs/console/secrets.md 
@@ -1,26 +1,25 @@ --- slug: secrets title: Team Secrets -sidebar_label: Sealed Secrets +sidebar_label: Secrets --- -Sealed Secrets are encrypted Kubernetes Secrets. The encrypted secrets are stored in the Values Git repository. When a Sealed Secrets secret is created in the Console, the Kubernetes Secret will appear in the Team's namespace and can be used as you would use any secret that you would have created directly. +Secrets in the Console are securely encrypted and stored in your Values Git repository using Sealed Secrets. When you create a secret in the Console, it generates a standard Kubernetes Secret in your Team's namespace that can be used like any other Kubernetes secret. -7 types of secrets are supported: +6 types of secrets are supported: - Opaque -- Service Account Token - Docker Config - Docker Config Json - Basic Auth - SSH Auth - TLS -## Create a Sealed Secret +## Create a Secret -1. Provide a name for the Sealed Secret. The Kubernetes secret will have the same name. +1. Provide a name for the Secret. The Kubernetes secret will have the same name. -2. Select `Immutable` if the data of the Sealed Secret (and the Kubernetes secret) can not be updated after the Sealed Secret has been created. When the Sealed Secret is Immutable, only the metadata can be modified after creation. +2. Select `Immutable` if the data of the secret (and the Kubernetes secret) can not be updated after the secret has been created. When the secret is Immutable, only the metadata can be modified after creation. 3. Select the Type: @@ -28,7 +27,7 @@ Sealed Secrets are encrypted Kubernetes Secrets. The encrypted secrets are store Opaque is the default secret type in Kubernetes. Read more about Opaque secrets [here](https://kubernetes.io/docs/concepts/configuration/secret/#opaque-secrets). -4. Add the `Encrypted data`: +4. Add the `Secret data`: | Key | Value | | ------- | ----------------------------------------- | 
@@ -36,34 +35,12 @@ Opaque is the default secret type in Kubernetes. Read more about Opaque secrets 5. Add more data items if needed. -:::note -The secret value will only be visible at the time of creation or once it has been successfully synchronized with the cluster. -::: - -### Service Account Token secret - -| Key | Value | -| ------- | ----------------------------------------- | -| extra | The token | - -See [here](https://kubernetes.io/docs/concepts/configuration/secret/#serviceaccount-token-secrets") for more information about service account token secrets. - -You need to ensure that the `kubernetes.io/service-account.name` annotation is set to an existing ServiceAccount name. See the [metadata](#metadata) section for adding annotations. - -:::note -The secret value will only be visible at the time of creation or once it has been successfully synchronized with the cluster. -::: - ### Docker Config secret | Key | Value | | ------------ | ----------------------------------------- | | .dockercfg | a .dockerconfigjson key for which the value is the content of a base64 encoded `~/.docker/config.json` file | -:::note -The secret value will only be visible at the time of creation or once it has been successfully synchronized with the cluster. -::: - ### Docker Config Json secret | Key | Value | @@ -95,10 +72,6 @@ password="" # your password, can be token kubectl create secret docker-registry --dry-run=client regcred --docker-email=$email --docker-server=$server --docker-username=$username --docker-password=$password -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode ``` -:::note -The secret value will only be visible at the time of creation or once it has been successfully synchronized with the cluster. -::: - ### Basic Auth secret | Key | Value | 
@@ -106,20 +79,12 @@ The secret value will only be visible at the time of creation or once it has bee | username | a username | | password | a password | -:::note -The secret value will only be visible at the time of creation or once it has been successfully synchronized with the cluster. -::: - ### SSH Auth secret | Key | Value | | ------------ | ----------------------------------------- | | ssh-privatekey | a `ssh-privatekey` key-value pair in the data field as the SSH credential to use | -:::note -The secret value will only be visible at the time of creation or once it has been successfully synchronized with the cluster. -::: - ### TLS secret @@ -129,7 +94,7 @@ The secret value will only be visible at the time of creation or once it has bee | tls.key | The private key certificate content | :::note -The secret value will only be visible at the time of creation or once it has been successfully synchronized with the cluster. +The secret value will only be visible at the time of creation. After creation, the value field will display asterisks `****` to indicate the data is encrypted and cannot be revealed through the interface, though it can be overwritten. To overwrite the secret, click on the lock `🔒` icon next to the value field, enter the new secret value, and click on `Save Changes`. ::: 
@@ -137,10 +102,10 @@ The secret value will only be visible at the time of creation or once it has bee Adding metadata is optional. -Add the following standard metadata to the sealed-secret: +Add the following standard metadata to the secret: +- `Labels`. See [here](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) for more information about labels - `Annotations`. See [here](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) for more information about annotations - `Finalizers`. See [here](https://kubernetes.io/docs/concepts/overview/working-with-objects/finalizers/) for more information about finalizers -- `Labels`. See [here](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) for more information about labels -Click on `+ Add Item` and add a key-value pair. +Click the corresponding add button (`+Add Labels`, `+Add Annotations` or `+Add Finalizers`) to add key-value pairs. diff --git a/docs/for-devs/security-best-practices.md b/docs/for-devs/security-best-practices.md index e99684d9f..4482481c9 100644 --- a/docs/for-devs/security-best-practices.md +++ b/docs/for-devs/security-best-practices.md @@ -6,7 +6,7 @@ sidebar_label: Security Best Practices In addition to the out-of-the-box security capabilities provides by App Platform, it is a responsibility of Teams to keep their applications safe from bad actors. Here is a list of security best-practices Teams should implement: -1. Use [secrets](../for-devs/console/sealed-secrets.md) to secure sensitive data and use a `secretKeyRef` to map an environment variable to the secret data. +1. Use [secrets](../for-devs/console/secrets.md) to secure sensitive data and use a `secretKeyRef` to map an environment variable to the secret data. 2. Drop `ALL` or specific capabilities in the Pod or container `SecurityContext` to ensure all (unused) capabilities are disabled. 
diff --git a/docs/for-ops/console/team-admin-overview.md b/docs/for-ops/console/team-admin-overview.md index efdc5664f..4416c39bc 100644 --- a/docs/for-ops/console/team-admin-overview.md +++ b/docs/for-ops/console/team-admin-overview.md @@ -13,7 +13,7 @@ Self-service section: - [Catalog](team-admin-catalog.md): The Helm charts available for platform administrators to install in any namespace - [Code Repositories](team-admin-code-repositories.md): A self-service form for platform administrators to register code repositories. - [Container Images](team-admin-container-images.md): A self-service form for platform administrators to create container images from registered code repositories. -- [Sealed Secrets](team-admin-sealed-secrets.md): A self-service form for platform administrators to create Sealed Secrets. +- [Secrets](team-admin-secrets.md): A self-service form for platform administrators to create a secret using Sealed Secrets. - [Workloads](team-admin-workloads.md): A self-service form to create for platform administrators Workloads in any namespace. - [Network Policies](team-admin-netpols.md): A self-service form for platform administrators to create Network Policies (in the `team-admin` namespace only). - [Services](team-admin-services.md): A self-service form for platform administrators to create Services to expose endpoints (`ClusterIP` services) from any namespace. diff --git a/docs/for-ops/console/team-admin-sealed-secrets.md b/docs/for-ops/console/team-admin-sealed-secrets.md deleted file mode 100644 index a310609cb..000000000 --- a/docs/for-ops/console/team-admin-sealed-secrets.md +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -slug: team-admin-sealed-secrets -title: Team Admin Sealed Secrets -sidebar_label: Sealed Secrets ---- - -The Sealed Secrets self-service feature for the Team Admin is the same as for regular teams. Sealed Secrets can only be created in the `team-admin` namespace. See [here](../../for-devs/console/sealed-secrets.md) for more information about Sealed Secrets. - - diff --git a/docs/for-ops/console/team-admin-secrets.md b/docs/for-ops/console/team-admin-secrets.md new file mode 100644 index 000000000..e504d9e6f --- /dev/null +++ b/docs/for-ops/console/team-admin-secrets.md @@ -0,0 +1,9 @@ +--- +slug: team-admin-secrets +title: Team Admin Secrets +sidebar_label: Secrets +--- + +The Secrets self-service feature for the Team Admin is the same as for regular teams. Secrets can only be created in the `team-admin` namespace using Sealed Secrets. See [here](../../for-devs/console/secrets.md) for more information about Secrets. + + diff --git a/docs/get-started/labs/create-sealed-secrets.md b/docs/get-started/labs/create-sealed-secrets.md deleted file mode 100644 index 7ce08b539..000000000 --- a/docs/get-started/labs/create-sealed-secrets.md +++ /dev/null 
@@ -1,76 +0,0 @@ ---- -slug: create-sealed-secrets -title: Create Sealed Secrets -sidebar_label: Create Sealed Secrets ---- - -In this lab we will create sealed secrets and see how to securely store sensitive information in git repository. - -## Creating a Sealed Secret - -1. Click on the `Sealed Secrets` in the sidebar. - -2. Click on `Create SealedSecret`. This will take you to the page where you can create a sealed secret. - -3. Fill in a name for your secret. In this lab we will use the name `secret-credentials` - -4. Select the secret type. In this lab we will create a secret of type `opaque`. - -5. Click on `Add Item` so you can fill in two key-value pairs - -6. In the `Encrypted data` section. Add the following key-value pairs: - -- `key=password value=helloworld` -- `key=username value=labs-user` - -![Create sealed secret](../../img/create-sealed-secrets.png) - -7. Click on `submit`. - -Note that the secret value will only be visible at the time of creation or once it has been successfully synchronized with the cluster. - -![Created sealed secret](../../img/created-sealed-secrets.png) - -## Checking the GIT repository - -Now go to Gitea and check the otomi/values repository. You will see that under `values/env/teams/sealedsecrets..yaml` the secret is stored in yaml, but the values are encrypted. - -![Repository sealed secret](../../img/repository-sealed-secrets.png) - -## Checking the Kubernetes secret - -The only way to see the values of the secret is to decrypt the secret. The secret values are stored as base64 encoded values. In the left menu click on Shell and run the following command: - -```bash -kubectl get secret secret-credentials -o yaml -n team-labs -``` - -This wil return the secret in yaml format. The values are stored as base64 encoded values. 
- -```yaml -apiVersion: v1 -data: - password: aGVsbG93b3JsZA== - username: bGFicy11c2Vy -kind: Secret -metadata: - creationTimestamp: '2024-09-12T06:11:55Z' - name: secret-credentials - namespace: team-labs - ownerReferences: - - apiVersion: bitnami.com/v1alpha1 - controller: true - kind: SealedSecret - name: secret-credentials - uid: b9dc5d5c-9699-4efb-86a8-7bd1dd869318 - resourceVersion: '357105' - uid: 84dd34e1-2313-482d-b7de-e5d848675fb7 -type: kubernetes.io/opaque -``` - -If you want to decode the secret you can use `base64 -- decode`: - -```bash -kubectl get secret secret-credentials -n team-labs -o jsonpath="{.data.password}" | base64 --decode -helloworld -``` diff --git a/docs/get-started/labs/create-secrets.md b/docs/get-started/labs/create-secrets.md new file mode 100644 index 000000000..c34e6ed80 --- /dev/null +++ b/docs/get-started/labs/create-secrets.md 
@@ -0,0 +1,83 @@ +--- +slug: create-secrets +title: Create Secrets +sidebar_label: Create Secrets +--- + +In this lab we will create a secret using Sealed Secrets and see how to securely store sensitive information in a git repository. + +## Creating a Secret + +1. Click on the `Secrets` in the sidebar. + +2. Click on `Create Secret`. This will take you to the page where you can create a secret. + +3. Fill in a name for your secret. In this lab we will use the name `secret-credentials` + +4. Select the secret type. In this lab we will create a secret of type `kubernetes.io/opaque`. + +5. Click on `+Add another` so you can fill in two key-value pairs + +6. In the `Secret data` section. Add the following key-value pairs: + +- `key=password value=helloworld` +- `key=username value=labs-user` + +![Create secret](../../img/create-secret.png) + +7. Click on `Create Secret`. + +:::note +The secret value will only be visible at the time of creation. After creation, the value field will display asterisks `****` to indicate the data is encrypted and cannot be revealed through the interface, though it can be overwritten. To overwrite the secret, click on the lock `🔒` icon next to the value field, enter the new secret value, and click on `Save Changes`. +::: + +![Created secret](../../img/created-secret.png) +![Edit secret](../../img/created-secret-edit.png) + +## Checking the GIT repository + +Now go to Gitea and check the `otomi/values` repository. You will see that under `values/env/teams//sealedsecrets/secret-credentials.yaml` the secret is stored in yaml, but the values are encrypted. + +![Repository secret](../../img/repository-secret.png) + +## Checking the Kubernetes secret + +The only way to see the values of the secret is to decrypt the secret. The secret values are stored as base64 encoded values. 
In the left menu click on Shell and run the following command: + +```bash +kubectl get secret secret-credentials -o yaml -n team-labs +``` + +This wil return the secret in yaml format. The values are stored as base64 encoded values. + +```yaml +apiVersion: v1 +data: + password: aGVsbG93b3JsZA== + username: bGFicy11c2Vy +kind: Secret +metadata: + creationTimestamp: '2025-11-11T13:44:16Z' + name: secret-credentials + namespace: team-labs + ownerReferences: + - apiVersion: bitnami.com/v1alpha1 + controller: true + kind: SealedSecret + name: secret-credentials + uid: fc1014f6-0212-49f7-a95d-c4169e053b60 + resourceVersion: '240057431' + uid: b76d6944-fa91-4392-ba4c-80e3e07c7e82 +type: kubernetes.io/opaque +``` + +If you want to decode the secret you can use `base64 --decode`. Run the following command: + +```bash +kubectl get secret secret-credentials -n team-labs -o jsonpath="{.data.password}" | base64 --decode +``` + +Expected output: +``` +helloworld +``` diff --git a/docs/get-started/labs/labs-overview.md b/docs/get-started/labs/labs-overview.md index 3164676f9..b225133f7 100644 --- a/docs/get-started/labs/labs-overview.md +++ b/docs/get-started/labs/labs-overview.md @@ -32,7 +32,7 @@ Welcome to the Akamai App Platform labs! We recommend reviewing these labs to le **Create workloads** -### [Create Sealed secrets](create-sealed-secrets.md) +### [Create secrets](create-secrets.md) ### [Create Kubernetes resources with Argo CD](using-argo-cd.md) diff --git a/docs/img/create-sealed-secrets.png b/docs/img/create-sealed-secrets.png deleted file mode 100644 index ee4ee2e8c..000000000 Binary files a/docs/img/create-sealed-secrets.png and /dev/null differ diff --git a/docs/img/create-secret.png b/docs/img/create-secret.png new file mode 100644 index 000000000..69d163630 Binary files /dev/null and b/docs/img/create-secret.png differ 
diff --git a/docs/img/created-sealed-secrets.png b/docs/img/created-sealed-secrets.png deleted file mode 100644 index 99ad6389f..000000000 Binary files a/docs/img/created-sealed-secrets.png and /dev/null differ diff --git a/docs/img/created-secret-edit.png b/docs/img/created-secret-edit.png new file mode 100644 index 000000000..a68a866d2 Binary files /dev/null and b/docs/img/created-secret-edit.png differ diff --git a/docs/img/created-secret.png b/docs/img/created-secret.png new file mode 100644 index 000000000..40ca43ca6 Binary files /dev/null and b/docs/img/created-secret.png differ diff --git a/docs/img/repository-sealed-secrets.png b/docs/img/repository-sealed-secrets.png deleted file mode 100644 index 80d91faab..000000000 Binary files a/docs/img/repository-sealed-secrets.png and /dev/null differ diff --git a/docs/img/repository-secret.png b/docs/img/repository-secret.png new file mode 100644 index 000000000..f541b6f6d Binary files /dev/null and b/docs/img/repository-secret.png differ diff --git a/sidebar-docs.js b/sidebar-docs.js index a74443d53..9dea36d13 100644 --- a/sidebar-docs.js +++ b/sidebar-docs.js @@ -27,7 +27,7 @@ module.exports = { "get-started/labs/create-images", "get-started/labs/trigger-builds", "get-started/labs/push-images", - "get-started/labs/create-sealed-secrets", + "get-started/labs/create-secrets", "get-started/labs/using-argo-cd", "get-started/labs/use-catalog", "get-started/labs/create-workloads", @@ -58,7 +58,7 @@ module.exports = { "for-devs/console/catalog", "for-devs/console/code-repositories", "for-devs/console/container-images", - "for-devs/console/sealed-secrets", + "for-devs/console/secrets", "for-devs/console/workloads", "for-devs/console/netpols", "for-devs/console/services", 
@@ -101,7 +101,7 @@ module.exports = { "for-ops/console/team-admin-catalog", "for-ops/console/team-admin-code-repositories", "for-ops/console/team-admin-container-images", - "for-ops/console/team-admin-sealed-secrets", + "for-ops/console/team-admin-secrets", "for-ops/console/team-admin-workloads", "for-ops/console/team-admin-netpols", "for-ops/console/team-admin-services",
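Review bot: the only `:::note` left in `docs/for-devs/console/secrets.md` now sits under `### TLS secret`, because the copies after `5. Add more data items if needed.` and under the Docker Config, Docker Config Json, Basic Auth and SSH Auth sections were all removed; the masking and overwrite behaviour it describes applies to every secret type, so place it once in the general flow (for example directly after step 5) rather than leaving it under TLS only. Its wording `cannot be revealed through the interface` should also say `through the Console`: the lab in this same patch reads the synchronised Kubernetes Secret with `kubectl get secret secret-credentials -n team-labs -o jsonpath="{.data.password}" | base64 --decode`, so the value stays readable for anyone with RBAC permission to get Secrets in the Team namespace, and saying so prevents readers from treating the asterisks as a confidentiality guarantee.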
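Review bot: the path `values/env/teams//sealedsecrets/secret-credentials.yaml` in the new lab `docs/get-started/labs/create-secrets.md` has an empty path segment (`teams//`); the deleted lab had the same kind of gap (`sealedsecrets..yaml`), which suggests a team-name placeholder is being dropped. Use an explicit placeholder such as `<team-name>` so readers know what to substitute. In the same section, step 4 says the type is `kubernetes.io/opaque` while `secrets.md` lists the type as `Opaque`; pick one spelling for both pages. Minor: step 1 should read `Click on `Secrets` in the sidebar` (drop `the`).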
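Review bot: `The only way to see the values of the secret is to decrypt the secret. The secret values are stored as base64 encoded values.` in `create-secrets.md` conflates two different things: the SealedSecret in Git is encrypted, but the Kubernetes Secret shown in the yaml is plaintext that is only base64-encoded, and `base64 --decode` is not decryption. Suggest rewording along the lines of: the controller decrypts the SealedSecret into a regular Kubernetes Secret in the namespace; its `data` values are base64-encoded, not encrypted, so anyone allowed to get Secrets in `team-labs` can read them. Also fix `This wil return` (`will`), and tag the `Expected output:` fence (e.g. ` ```text`) to match the tagged `bash` and `yaml` fences around it.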
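Review bot: this rename changes the published slugs `create-sealed-secrets` to `create-secrets` and `team-admin-sealed-secrets` to `team-admin-secrets` (the `secrets.md` slug was already `secrets`) and deletes the old pages, so existing bookmarks and inbound links to those URLs will break. Consider adding redirects from the old slugs in the site configuration, and grep the docs tree for remaining references to `sealed-secrets.md` or `create-sealed-secrets` outside the files touched here, since `sidebar-docs.js` and the overview pages are updated but nothing in the diff shows the rest of the tree was checked.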
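Review bot: the new `docs/for-ops/console/team-admin-secrets.md` ends with two blank lines copied over from the deleted `team-admin-sealed-secrets.md`; trim to a single trailing newline.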