Using Vault for your Secret storage
Jenkins X 3.x uses Kubernetes External Secrets to manage populating secrets from your underlying secret store such as:
- Alibaba Cloud KMS Secret Manager
- Amazon Secret Manager
- Azure Key Vault
- Hashicorp Vault
- GCP Secret Manager
This lets you check all of your other Kubernetes resources and custom resource definitions into git for simple and powerful GitOps.
You can then rotate secrets easily independent of git.
This is the exact same graph as here, with AWS Secrets Manager replaced by Vault.
If you are using Vault as the back end for Kubernetes External Secrets, then before you run any of the following commands to populate secrets you need to make sure your terminal can access Vault.
To do this you can run the jx secret vault portforward command in a terminal:
jx secret vault portforward
You should then be able to run the following jx secret edit or jx secret import commands.
To edit the Secrets run:
jx secret edit
This will prompt you to enter all the missing Secrets by default.
If you just want to enter a specific secret you can use -f to filter for a specific secret name.
jx secret edit -f nexus
You can export the current secrets to the file system via
jx secret export -f /tmp/mysecrets.yaml
Or to view them on the terminal…
jx secret export -c
If you have previously exported the secrets as shown above you can re-import them again (maybe into a different cluster):
jx secret import -f /tmp/mysecrets.yaml
Migrating Local Secrets
If you have booted Jenkins X before you may well have secrets in your
If the file is valid you can just run:
jx secret import -f ~/.jx/localSecrets/mycluster/secrets.yaml
Migrating Secrets from Vault
If you have secrets already in a Vault then use the vault CLI tool to export the secrets to disk, reformat it in the above YAML layout and then import the secrets as above.
Replicating Secrets among namespaces
It's quite common to need to replicate the same Secrets across namespaces, for example Image Pull Secrets used to pull images from container registries, which may be needed in dev, staging and production.
The Jenkins X boot job does this automatically for any secret labelled with secret.jenkins-x.io/replica-source=true using the jx secret replicate command:
jx secret replicate --selector secret.jenkins-x.io/replica-source=true
This will replicate the secret to all permanent environments in the same cluster (e.g. a local Staging or Production environment).
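The replication the boot job performs, as an added example that is not Jenkins X's own code: an equality-based label-selector filter over Secret objects, copying each matching Secret into the given permanent-environment namespaces with server-assigned metadata stripped. The Secrets are constructed plain dicts shaped like the Kubernetes Secret API object, and the namespace names jx, jx-staging and jx-production are assumptions.

```python
import copy

# Metadata the API server assigns; a copy must not carry it into another namespace.
SERVER_MANAGED = ("uid", "resourceVersion", "creationTimestamp", "managedFields")

def parse_selector(selector):
    """Parse an equality-based label selector ('k=v', 'k', comma-separated)
    into (key, value) pairs; value None means the key only has to exist."""
    reqs = []
    for part in filter(None, (p.strip() for p in selector.split(","))):
        key, sep, value = part.partition("=")
        reqs.append((key.strip(), value.strip() if sep else None))
    return reqs

def matches(secret, requirements):
    labels = secret.get("metadata", {}).get("labels") or {}
    return all(k in labels and (v is None or labels[k] == v) for k, v in requirements)

def replicate(secrets, selector, target_namespaces):
    """Return a copy of every matching Secret for each target namespace,
    skipping the namespace the source Secret already lives in."""
    requirements = parse_selector(selector)
    replicas = []
    for secret in secrets:
        if secret.get("kind") != "Secret" or not matches(secret, requirements):
            continue
        for ns in target_namespaces:
            if ns == secret["metadata"].get("namespace"):
                continue
            replica = copy.deepcopy(secret)
            for field in SERVER_MANAGED:
                replica["metadata"].pop(field, None)
            replica["metadata"]["namespace"] = ns
            replicas.append(replica)
    return replicas

# Constructed sample input: an image pull secret marked for replication and one that is not.
SAMPLE_SECRETS = [
    {"kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
     "metadata": {"name": "registry-creds", "namespace": "jx", "uid": "constructed-uid",
                  "labels": {"secret.jenkins-x.io/replica-source": "true"}},
     "data": {".dockerconfigjson": "e30="}},
    {"kind": "Secret", "metadata": {"name": "nexus", "namespace": "jx"},
     "data": {"password": "Y29uc3RydWN0ZWQ="}},
]

if __name__ == "__main__":
    for r in replicate(SAMPLE_SECRETS, "secret.jenkins-x.io/replica-source=true",
                       ["jx", "jx-staging", "jx-production"]):
        print(r["metadata"]["namespace"], r["metadata"]["name"])
```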