Merged
32 changes: 16 additions & 16 deletions docs/deploy-applications/hello-world-adding-configurations.mdx
@@ -1,31 +1,31 @@
---
id: add-secrets-with-vault
title: Add Secrets with Vault
id: manage-environment-secrets
title: Manage Environment Secrets
type: tutorial
---

# Add Secrets with Vault
# Manage Environment Secrets

:::caution prerequisite
You must have a running app from the [Deploy Your First App](deploy-first-app) tutorial before continuing.
:::

In this guide, you'll learn how to store sensitive values in Vault and inject them into your application as environment variables. Instead of hardcoding secrets in your deployment configuration, you'll use an **ExternalSecret** that automatically syncs values from Vault into your Kubernetes pod.
In this guide, you'll learn how to store sensitive values in an encrypted store and inject them into your application as environment variables. Instead of hardcoding secrets in your deployment configuration, you'll use an **ExternalSecret** that automatically syncs values from your secret store into your Kubernetes pod.

We'll add a new secret alongside the `GREETING_MESSAGE` you set up in the previous tutorial.

## 1. Create a secret in Vault
## 1. Create a secret

:::info
Your cluster information page has a link to Vault:
Your cluster information page has a link to the Encrypted Secret Store:
<CaptainDomainLink to="https://cluster-info.{domain}" />

_If the domain above doesn't look right, update your **Captain Domain** in the top navigation bar._
:::

From the cluster info home page, click the `Link` for **Secrets Management** to open Vault. For the role, enter **editor** (you need read/write access), then click **Sign in with OIDC Provider**.
From the cluster info home page, click the `Link` for **Secrets Management** to open the secret store. For the role, enter **editor** (you need read/write access), then click **Sign in with OIDC Provider**.

![Vault Login](https://cdn.glueops.dev/doc-assets/v1/openbao/openbao-login-with-editor.png)
![Secret Store Login](https://cdn.glueops.dev/doc-assets/v1/openbao/openbao-login-with-editor.png)

Once logged in, select the **secret/** mount point.
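
Review bot: the front-matter `id` change from `add-secrets-with-vault` to `manage-environment-secrets` at the top of this hunk renames the document that other pages link to, and nothing visible in this PR keeps the old id reachable. The in-repo references (the link in `hello-world.mdx` and the entry in `sidebars.js`) are updated, but external links and bookmarks to the old page will break; add a redirect from the old path, or keep the old `id` and change only the `title`. Separately, the store is called "Encrypted Secret Store" in the info box and "secret store" in the sign-in paragraph; pick one form.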

@@ -39,7 +39,7 @@ Enter the details for your secret:

- **Path for this secret:** Use your app name (e.g., `hello-world`)
- **Key:** `SECRET_MESSAGE` (case sensitive)
- **Value:** `This value came from Vault!`
- **Value:** `This value came from your Secret Store!`

![Add Secret Details](https://cdn.glueops.dev/doc-assets/v1/openbao/create-secret.png)

@@ -94,9 +94,9 @@ externalSecret:
:::info How it works
- `externalSecret.enabled: true` turns on the ExternalSecret integration.
- `secrets.hello-world` creates an ExternalSecret named after your app.
- `dataFrom.key: secret/hello-world` tells it to pull **all** key-value pairs from the Vault path `secret/hello-world` and inject them as environment variables.
- `dataFrom.key: secret/hello-world` tells it to pull **all** key-value pairs from the secret path `secret/hello-world` and inject them as environment variables.

The `GREETING_MESSAGE` from `envVariables` remains unchanged — it's a static value defined in your config. The Vault secret (`SECRET_MESSAGE`) is injected alongside it automatically.
The `GREETING_MESSAGE` from `envVariables` remains unchanged — it's a static value defined in your config. The secret (`SECRET_MESSAGE`) is injected alongside it automatically.
:::

## 3. Deploy
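
Review bot: the `dataFrom.key: secret/hello-world` bullet says **all** key-value pairs at the path are injected as environment variables, but the page does not say what that means for scoping. Add a sentence that any key later written under `secret/hello-world` also reaches the pod's environment, so the path should hold only values this app needs.
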
@@ -108,20 +108,20 @@ Commit the changes and push. ArgoCD will sync the update in ~3 minutes.
Visit <CaptainDomainLink to="https://hello-world-prod.apps.{domain}/?env=true" /> and look for both:

- `GREETING_MESSAGE=Hello, World!` — your static environment variable
- `SECRET_MESSAGE=This value came from Vault!` — injected from Vault via ExternalSecret
- `SECRET_MESSAGE=This value came from your Secret Store!` — injected via ExternalSecret

:::tip
If the Vault secret doesn't appear immediately, give it a moment — the ExternalSecret controller refreshes every few seconds. You can also check the ExternalSecret resource status in the ArgoCD dashboard.
If the secret doesn't appear immediately, give it a moment — the ExternalSecret controller refreshes every few seconds. You can also check the ExternalSecret resource status in the ArgoCD dashboard.
:::

## Key concepts

| Concept | Description |
|---------|-------------|
| **ExternalSecret** | A Kubernetes resource that syncs secrets from an external provider (Vault) into a Kubernetes Secret. |
| **`dataFrom`** | Pulls all key-value pairs from a Vault path — no need to list each key individually. |
| **ExternalSecret** | A Kubernetes resource that syncs secrets from an external provider (e.g. OpenBao) into a Kubernetes Secret. |
| **`dataFrom`** | Pulls all key-value pairs from a secret path — no need to list each key individually. |
| **`envVariables`** | Static env vars defined directly in your values file. Good for non-sensitive config. |
| **Vault** | The secrets management system. Secrets are stored at paths like `secret/hello-world`. |
| **OpenBao** | The secrets management system. Secrets are stored at paths like `secret/hello-world`. |

## Next steps
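
Review bot: the Key concepts table now names OpenBao (`e.g. OpenBao` in the ExternalSecret row and the **OpenBao** row), while the rest of the page was changed to say "secret store" and never introduces that name. Either name OpenBao once where the store is first mentioned, or label the row "Secret store", so a reader can connect the table to the steps above it.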

2 changes: 1 addition & 1 deletion docs/deploy-applications/hello-world.mdx
@@ -115,5 +115,5 @@ Look for `GREETING_MESSAGE=Hello, World!` in the output.

## Next steps

- [Add Secrets with Vault](add-secrets-with-vault) — Pull sensitive configuration from Vault instead of hardcoding values.
- [Add Secrets](manage-environment-secrets) — Pull sensitive configuration from your secret store instead of hardcoding values.
- [Traefik Ingress & Routing](/traefik-ingress) — Explore advanced routing patterns: path-based routing, middleware, rate limiting, and more.
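
Review bot: the new link text `Add Secrets` does not match the renamed page's title, `Manage Environment Secrets`. Use the title as the link text so the Next steps entry and the destination heading agree.
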
2 changes: 1 addition & 1 deletion docs/deploy-applications/ingress/ingress-annotations.md
@@ -1,6 +1,6 @@
---
id: glueops-ingress-and-loadbalancer-customizations
title: Ingress Annotations
title: "`ingress-nginx` Annotations"
---
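
Review bot: the new title, "`ingress-nginx` Annotations", puts Markdown backticks in front matter, while the `id` still reads `glueops-ingress-and-loadbalancer-customizations`. Check that the backticks render as code rather than literally wherever the title is reused (sidebar, browser tab), and drop them if they do not.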


3 changes: 2 additions & 1 deletion docs/deploy-applications/traefik/middleware-basicauth.md
@@ -183,5 +183,6 @@ stringData:
- The Secret must be in the same namespace as the Middleware (`nonprod`)

:::caution
The credentials in this example are stored in plain text in your values file. For production use, consider using [ExternalSecrets](https://external-secrets.io/) to pull credentials from a secrets manager like AWS Secrets Manager or HashiCorp Vault.
The credentials in this example are stored in plain text in your values file.
:::consider using ExternalSecrets resources to pull credentials from our secret store.
:::
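
Review bot: the added line `:::consider using ExternalSecrets resources to pull credentials from our secret store.` begins with `:::`, the admonition delimiter, so the sentence is not plain text inside the `:::caution` block and the block's delimiters no longer pair up. Keep a single closing `:::` on its own line and write the second sentence as prose inside the caution, for example "For production use, consider using ExternalSecrets resources to pull credentials from our secret store." The change also drops the link to https://external-secrets.io/; keep it so readers can find the resource documentation.
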
2 changes: 1 addition & 1 deletion sidebars.js
@@ -26,7 +26,7 @@ const sidebars = {
collapsible: true,
items: [
"deploy-applications/deploy-first-app",
"deploy-applications/add-secrets-with-vault",
"deploy-applications/manage-environment-secrets",
"deploy-applications/ingress/glueops-ingress-and-loadbalancer-customizations",
{
type: "category",
2 changes: 1 addition & 1 deletion src/components/about-glueops.tsx
@@ -46,7 +46,7 @@ const callouts: Callout[] = [
},
{
title: "Encrypted Secret Management",
text: "Ensure security with an encrypted secret store for confidential values, including seamless integration with popular options like AWS Secrets Manager.",
text: "Ensure security with an encrypted secret store for confidential values, including seamless integration with popular options like OpenBao.",
icon: ShareIcon,
},
{
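
Review bot: in the changed `text` string, "seamless integration with popular options like OpenBao" no longer reads correctly, because the docs in this PR describe OpenBao as "the secrets management system" itself rather than an external option to integrate with. Reword to say the encrypted secret store is OpenBao, and state separately whether AWS Secrets Manager integration is still offered, since this change removes the mention of it here.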