📦Since v0.26.0

Secrets

The Akuity Platform provides a way to manage and synchronize secrets between the control plane and your Kubernetes clusters. This capability is built in to the platform and requires no additional configuration to enable in your clusters.

Overview

Secrets management has two main components:

  1. Syncing secrets from your managed clusters to be used by the Argo CD control plane hosted on the Akuity Platform.
  2. Syncing secrets from the Argo CD control plane to your managed clusters.

Additionally, the settings tab can now create what are called "managed secrets." This is a shortcut for creating Argo CD secrets without needing to access the Argo CD dashboard directly (though they can still be managed there as well).

These features can be used separately or together, depending on your needs.

Syncing Secrets to the Argo CD Control Plane

Selecting which Secrets to Sync

For security, secrets will not be synced unless explicitly allowed by a control plane administrator. This can be done in the "Secrets" settings of the instance as shown below:

Allowed secrets are configured by creating a Secret Source. A Secret Source has two fields, one of which must always be set:

  1. Cluster Selector: A label selector for the clusters you wish to sync secrets from. The labels for a cluster are specified when connecting it to the Akuity Platform. If this field is left empty, the Label Selector is applied to secrets from all clusters.
  2. Label Selector: A set-based label selector for the secrets you wish to sync. If this field is left empty, all secrets from the matching clusters are synced.
tip

You can use both Cluster and Label selectors together to select specific secrets from specific clusters for more fine-grained control.

Creating Secrets

warning

If you create a secret syncing selector after creating a secret in Kubernetes, the secret will not sync until Kubernetes resyncs or you reapply the secret. This is due to a limitation of the Kubernetes API, which only notifies watchers when a secret is created or updated.

To sync secrets from your managed clusters to the Argo CD control plane, you need to create a secret in your managed cluster with the appropriate labels. The Akuity agent will automatically detect these secrets and sync them to the Argo CD control plane.

You can create secrets declaratively in the Agent namespace within a managed cluster (akuity by default). The secret must carry a valid argocd.argoproj.io/secret-type label as well as the special akuity.io/secret-sync label with the value true (e.g. akuity.io/secret-sync: "true"). Optionally, you can also add other labels that can be used in the next step when selecting which secrets to sync.

note

We only allow syncing of repository and repo-creds type secrets.

Here is an example secret that can be used to sync a Git repository credential:

apiVersion: v1
kind: Secret
metadata:
  name: argoproj-https-creds
  namespace: akuity
  labels:
    argocd.argoproj.io/secret-type: repo-creds
    # This label is required to enable syncing of this secret
    akuity.io/secret-sync: "true"
    # This label could be used to select this secret for syncing
    team: my-team
stringData:
  url: https://github.com/argoproj
  type: helm
  password: my-password
  username: my-username

Synced secrets will be available in the Argo CD control plane and can be used in your applications.

Once the secret is synced, you will see it appear in the managed secrets list in the "Secrets" settings of the instance:

Managed Secrets view

Creating and updating managed secrets

Managed secrets can be created and updated directly from the "Secrets" settings of the instance. Essentially, this is a convenience wrapper around creating a Kubernetes secret with some extra goodies to make syncing work, so it should look familiar.

To create a managed secret, follow the steps below:

You can use a match expression to match labels on the clusters you wish to sync this secret to, or you can allow it to sync to all clusters.

Syncing Secrets to Managed Clusters

Secrets that are synced to the Argo CD control plane or created as managed secrets can also be synced back down to your managed clusters. This enables workflows where one cluster acts as a "seed" cluster whose secrets are synced to all of your other managed clusters.

Authorizing secrets to be synced

Each secret must be explicitly authorized to be synced to a cluster. This can be done on secret creation or by editing an existing secret:

All Clusters will sync the secret to all other clusters. Selected Clusters allows you to use a label selector to select which clusters the secret should be synced to. This should match the labels specified when connecting a cluster.

Advanced: Syncing from one cluster to other clusters

If you are managing secrets from one of your managed clusters, you "own" that secret and Akuity will not modify any of those secret values. In order to allow the secret to sync to other clusters, you'll need to add one or more of the annotations described below:

  1. akuity.io/managed-secret-allowed-cluster-selector: A set-based label selector that determines which clusters the secret is allowed to be synced to. Example value: my-label in (cluster2)
  2. akuity.io/managed-secret-allowed-clusters: A comma-separated list of cluster names that the secret is allowed to be synced to. The reserved string ALL can be used to allow syncing to all clusters. Example value: cluster2,cluster3

As an example, this is what the same secret from above would look like if it were created in a managed cluster and synced to a specific set of other clusters:

apiVersion: v1
kind: Secret
metadata:
  name: argoproj-https-creds
  namespace: akuity
  labels:
    argocd.argoproj.io/secret-type: repo-creds
    # This label is required to enable syncing of this secret
    akuity.io/secret-sync: "true"
    # This label could be used to select this secret for syncing
    team: my-team
  annotations:
    # Assumes you have a cluster with the label my-label=cluster2
    akuity.io/managed-secret-allowed-cluster-selector: my-label in (cluster2)
stringData:
  url: https://github.com/argoproj
  type: helm
  password: my-password
  username: my-username
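As an added example (not part of the Akuity docs or the platform's own code), the selection rules on this page modelled in Python: a parser for the set-based label selector syntax used by both the Secret Source Label Selector and the akuity.io/managed-secret-allowed-cluster-selector annotation, an eligibility check for the labels a secret needs before the agent will sync it, and the fan-out computed from the two annotations. Assumptions: the two annotations are combined as a union, and cluster and secret data are supplied as plain dicts (the real agent reads them from the Kubernetes API); the cluster names and labels are constructed.

```python
import re

def parse_selector(expr):
    """Parse a Kubernetes set-based label selector into (key, op, values) requirements."""
    reqs = []
    for part in filter(None, map(str.strip, re.split(r",(?![^()]*\))", expr))):
        if m := re.fullmatch(r"(\S+)\s+(in|notin)\s+\(([^)]*)\)", part):
            reqs.append((m[1], m[2], {v.strip() for v in m[3].split(",")}))
        elif m := re.fullmatch(r"([^=!\s]+)\s*(!=|==|=)\s*(\S*)", part):
            reqs.append((m[1], "notin" if m[2] == "!=" else "in", {m[3]}))
        elif part.startswith("!"):
            reqs.append((part[1:], "notexists", set()))
        else:
            reqs.append((part, "exists", set()))
    return reqs

def matches(reqs, labels):
    """Kubernetes semantics: notin and != also match when the key is absent."""
    return all({"exists": k in labels, "notexists": k not in labels,
                "in": labels.get(k) in vals,
                "notin": not (k in labels and labels[k] in vals)}[op]
               for k, op, vals in reqs)

def sync_eligible(secret, agent_namespace="akuity"):
    """Would the agent pick this secret up at all? Namespace, secret type and sync label."""
    md, labels = secret["metadata"], secret["metadata"].get("labels", {})
    return (md.get("namespace") == agent_namespace
            and labels.get("argocd.argoproj.io/secret-type") in {"repository", "repo-creds"}
            and labels.get("akuity.io/secret-sync") == "true")

def allowed_clusters(secret, clusters):
    """Clusters a cluster-owned secret may fan out to. Assumption: the two annotations union."""
    ann, out = secret["metadata"].get("annotations", {}), set()
    if names := ann.get("akuity.io/managed-secret-allowed-clusters"):
        wanted = {n.strip() for n in names.split(",")}
        out |= set(clusters) if "ALL" in wanted else wanted & set(clusters)
    if selector := ann.get("akuity.io/managed-secret-allowed-cluster-selector"):
        reqs = parse_selector(selector)
        out |= {name for name, labels in clusters.items() if matches(reqs, labels)}
    return sorted(out)

# Constructed sample data: the page's example secret plus three hypothetical clusters.
CLUSTERS = {"cluster1": {"my-label": "cluster1", "env": "dev"},
            "cluster2": {"my-label": "cluster2", "env": "prod"},
            "cluster3": {"my-label": "cluster3", "env": "prod"}}
SECRET = {"metadata": {"name": "argoproj-https-creds", "namespace": "akuity",
          "labels": {"argocd.argoproj.io/secret-type": "repo-creds",
                     "akuity.io/secret-sync": "true", "team": "my-team"},
          "annotations": {"akuity.io/managed-secret-allowed-cluster-selector":
                          "my-label in (cluster2)"}}}
```

Running allowed_clusters(SECRET, CLUSTERS) yields only cluster2, which is a quick way to review where a given secret is permitted to travel before applying it.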