According to AWS: “Compared to native Kubernetes Secrets, using Secrets Manager has several advantages. First, it allows you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Second, it offers built-in secret rotation for several […]. It’s also extensible in that you can use it rotate other types of secrets. Lastly, it gives you the ability to control access to secrets using fine-grained permissions and audit secret rotation centrally for resources in the AWS Cloud, as well as third-party services and resources that run on-premises.”
Introduction - External Secrets Infrastructure
- ExternalSecrets are added in the cluster (make sure kube2iam is already installed as the nodes need to assume the role to encrypt/decrypt and retrieve secrets from AWS)
- Controller fetches ExternalSecrets using the Kubernetes API
- Controller uses ExternalSecrets to fetch secret data from external providers (e.g, AWS Secrets Manager)
- Controller manages insert/update/delete of Secrets
- Pods can access Secrets normally
Modifying jupyterhub templates to add possibility to include extraEnv as Secrets
- Full Path: jupyterhub/templates/hub/deployment.yaml
- Modify
env
tag in order to enable possibility to use Secrets on environment.
env:
{{- if .Values.hub.extraEnvSecrets }}
{{- .Values.hub.extraEnvSecrets | toYaml | trimSuffix "\n" | nindent 12 }}
{{- end }}
Modifying helm values.yaml to add as many secrets as you need
extraEnvSecrets:
- name: extraenv_name1
valueFrom:
secretKeyRef:
name: name-secrets1
key: key1-secret1
- name: extraenv_name1
valueFrom:
secretKeyRef:
name: name-secrets1
key: key2-secret1
- name: extraenv_name2
valueFrom:
secretKeyRef:
name: name-secrets2
key: key1-secret2
- name: extraenv_name2
valueFrom:
secretKeyRef:
name: name-secrets2
key: key2-secret2
This avoids exposing passwords or client_secrets as plain text in values.yaml.