Secrets

Questions on secrets and external secrets

How do I add a new Secret?

See how to add a new Secret

How do I change the secret poll period in Kubernetes External Secrets?

Your cloud provider could charge per read of a secret, so polling your secrets frequently could get expensive. You may want to poll less often by increasing the poll period.

You can do this via the POLLER_INTERVAL_MILLISECONDS setting in the Kubernetes External Secrets configuration.

For more details see how to configure charts

How do I switch to GSM from Vault?

We recommend you use cloud secret managers over Vault as they're easier to manage; let your cloud provider do the undifferentiated heavy lifting for you.

If you spun up a cluster on Vault and want to switch over to, say, GSM, here's how:

echo "gsm = true" >> values.auto.tfvars 

git add *
git commit -a -m "fix: enable gsm"

terraform plan
terraform apply
  • in your dev cluster git repository (which has a helmfile.yaml inside), modify jx-requirements.yml and switch the secretStorage line to:
  secretStorage: gsm
  • download kpt and add it to your $PATH

  • run the following to replace your vault secret mapping files with gsm versions:

rm -rf .jx/secret/mapping

kpt pkg get https://github.com/jenkins-x/jx3-gitops-template.git/.jx/secret/gsm/mapping .jx/secret/mapping
ls -al .jx/secret/mapping

# we should see secret-mappings.yaml
git add .jx/secret
git commit -a -m "fix: migrate to gsm secret mapping"

# now let's push and watch the git operator
git push
jx admin log -w
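
Before the final git push it is worth confirming that the dev cluster repository really is in the state the steps above describe. The following check is an added example, not part of Jenkins X or of the original page; the function name check_gsm_migration is hypothetical, and the backendType key it looks for in the mapping files is an assumption about their format.

```shell
#!/bin/sh
# Added example: pre-push sanity check for the Vault -> GSM switch.
# Run from the dev cluster repo:  check_gsm_migration . && git push
# The function body is a subshell, so its variables do not leak out.

check_gsm_migration() (
  repo="${1:-.}"
  req="$repo/jx-requirements.yml"
  mapdir="$repo/.jx/secret/mapping"
  rc=0

  # 1. secretStorage must now read "gsm"
  if [ ! -f "$req" ]; then
    echo "FAIL: $req not found" >&2
    rc=1
  elif ! grep -Eq '^[[:space:]]*secretStorage:[[:space:]]*"?gsm"?[[:space:]]*$' "$req"; then
    echo "FAIL: secretStorage is not set to gsm in $req" >&2
    rc=1
  fi

  # 2. The mapping fetched with kpt must be in place
  if [ ! -f "$mapdir/secret-mappings.yaml" ]; then
    echo "FAIL: $mapdir/secret-mappings.yaml is missing" >&2
    rc=1
  # 3. Assumption: mappings name their backend via a backendType key.
  #    A leftover "backendType: vault" means an old file survived.
  elif grep -rEq 'backendType:[[:space:]]*"?vault' "$mapdir"; then
    echo "FAIL: a mapping under $mapdir still targets vault" >&2
    rc=1
  fi

  [ "$rc" -eq 0 ] && echo "OK: $repo is configured for gsm"
  [ "$rc" -eq 0 ]
)
```

A non-zero exit status means at least one of the three conditions failed; the reason is printed on stderr.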

Last modified March 2, 2021: fix: add FAQ on migrating to GSM (6fde4b90aa)