Setting up the secrets for your installation

Jenkins X 3.x uses Kubernetes External Secrets to manage populating secrets from your underlying secret store such as:

  • Alibaba Cloud KMS Secret Manager
  • Amazon Secret Manager
  • Azure Key Vault
  • Hashicorp Vault
  • GCP Secret Manager

This lets you check in all of your other kubernetes resources and custom resource definitions into git for simple and powerful GitOps.

You can then rotate secrets easily independent of git.

This is the exact same graph as here, with AWS Secrets Manager replaced by Vault.

graph TB
  subgraph A[Kubernetes Cluster]
    sqB[External Secrets Controller]
    subgraph C[secrets-infra ns]
      sqCV[Vault]
    end
    subgraph D[Kube api server]
    end
    D -- Get ExternalSecrets --> sqB
    sqB --> D
    sqB -- Fetch secrets properties --> sqCV
    sqCV --> sqB
    subgraph E[app ns]
      sqEP[pods]
      sqES[secrets]
    end
    sqB -- Upsert Secrets --> sqES
  end

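The "Get ExternalSecrets" step in the graph is the controller reading ExternalSecret resources like the one below. This manifest is an added illustration, not taken from this page or generated by Jenkins X; the namespace, mount point, role and Vault path are assumed values for a Vault back end.

```yaml
# Added example: an ExternalSecret that the controller resolves against Vault.
# Names and paths are assumptions, not values from the page.
apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
  name: nexus
  namespace: jx            # assumed app namespace; the Secret is created here
spec:
  backendType: vault
  # Vault Kubernetes auth mount and the role bound to the controller's ServiceAccount (assumed names)
  vaultMountPoint: kubernetes
  vaultRole: jx-vault
  kvVersion: 2
  data:
    # Each property is matched individually; one entry per key you want in the Secret
    - name: password
      key: secret/data/jx/nexus   # assumed KV v2 path
      property: password
```

Because the resulting Secret only exists in the ExternalSecret's own namespace, the same values must be replicated or declared again for other namespaces, which is what the replication section below addresses.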
If you are using Vault as your back end for Kubernetes External Secrets then before you try any of the following commands to populate secrets you need to make sure your terminal can access Vault.

To do this you can run the jx secret vault portforward command in a terminal:

jx secret vault portforward

You should then be able to run the following jx secret edit or jx secret import commands.

Edit Secrets

To edit the Secrets run:

jx secret edit

This will prompt you to enter all the missing Secrets by default.

If you just want to enter a specific secret, you can use --filter or -f to filter for a specific secret name:

jx secret edit -f nexus

Export Secrets

You can export the current secrets to the file system via

jx secret export -f /tmp/mysecrets.yaml

Or to view them on the terminal…

jx secret export -c

Import Secrets

If you have previously exported the secrets as shown above you can re-import them again (maybe into a different cluster):

jx secret import -f /tmp/mysecrets.yaml

Migrating Local Secrets

If you have booted Jenkins X before you may well have secrets in your ~/.jx/localSecrets/mycluster/secrets.yaml

If the file is valid you can just run:

jx secret import -f ~/.jx/localSecrets/mycluster/secrets.yaml

Migrating Secrets from Vault

If you already have secrets in a Vault, use the vault CLI tool to export them to disk, reformat the file into the above YAML layout, and then import the secrets as above.

Replicating Secrets among namespaces

It's quite common to need to replicate the same Secrets across namespaces. For example, Image Pull Secrets used to pull images from container registries may be needed in dev, staging and production.

The Jenkins X boot job does this automatically for any secret labelled with using the jx secret replicate command:

jx secret replicate --selector

This will replicate the secret to all permanent environments in the same cluster (e.g. a local Staging or Production environment).

If you want to replicate another secret, just add the label to it, or add a new jx secret replicate command to the boot makefile.



Last modified November 24, 2020: fix: use consistent links (e57cb94b10)