# Secrets Management Design

**Goal:** Remove secrets from the Helm chart and provide a kubectl script to bootstrap them out-of-band, compatible with ArgoCD.

**Approach:** Pre-create with kubectl script (Option A). Helm stops owning the secret; a bootstrap script creates it before the first ArgoCD sync.

---

## Helm chart changes

- Delete `templates/secret.yaml` — Helm no longer creates or owns `shorefront-secret`
- Remove the `secrets:` block from `values.yaml` and `values-prod.yaml` — no secret values in git
- The `secretKeyRef` references in `backend-deployment.yaml` and `postgres-deployment.yaml` are unchanged; they already reference `shorefront-secret` by name

## Script: `scripts/create-secrets.sh`

- Reads `POSTGRES_PASSWORD` and `JWT_SECRET_KEY` from environment variables; exits with a clear error if either is unset
- Creates the `shorefront` namespace if it does not exist (safe to run before `helm install`)
- Uses `kubectl create secret generic shorefront-secret --dry-run=client -o yaml | kubectl apply -f -` for idempotency (safe to re-run for credential rotation)
- Prints success/failure
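A concrete shape for the bootstrap script, as an added example rather than the repository's own `scripts/create-secrets.sh`: it assumes the Secret keys carry the same names as the two environment variables, and it only runs `main` when invoked as `create-secrets.sh` so the functions can be sourced and tested.

```shell
#!/usr/bin/env sh
# Bootstrap shorefront-secret out-of-band, so neither Helm nor ArgoCD owns it.
set -eu

NAMESPACE="shorefront"
SECRET_NAME="shorefront-secret"

# Fail with a clear message if any required variable is unset or empty.
check_required() {
  missing=""
  for v in POSTGRES_PASSWORD JWT_SECRET_KEY; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    echo "error: required environment variable(s) not set:$missing" >&2
    return 1
  fi
}

# Create the namespace if absent, so the script can run before helm install.
ensure_namespace() {
  kubectl get namespace "$NAMESPACE" >/dev/null 2>&1 \
    || kubectl create namespace "$NAMESPACE"
}

# Render the Secret with a client-side dry run, then apply it: apply is
# idempotent, so re-running rotates the values instead of failing with
# AlreadyExists. If rendering fails, apply gets empty input and fails too.
# Assumption: the Secret keys are named after the environment variables.
apply_secret() {
  kubectl create secret generic "$SECRET_NAME" --namespace "$NAMESPACE" \
    --from-literal=POSTGRES_PASSWORD="$POSTGRES_PASSWORD" \
    --from-literal=JWT_SECRET_KEY="$JWT_SECRET_KEY" \
    --dry-run=client -o yaml | kubectl apply -f -
}

main() {
  check_required
  ensure_namespace
  if apply_secret; then
    echo "ok: $SECRET_NAME applied in namespace $NAMESPACE"
  else
    echo "error: failed to apply $SECRET_NAME in namespace $NAMESPACE" >&2
    exit 1
  fi
}

# Run main only when executed as the script; sourcing just defines functions.
case "$0" in *create-secrets.sh) main "$@" ;; esac
```

Client-side `kubectl apply` stores the full rendered object, `data` included, in the `kubectl.kubernetes.io/last-applied-configuration` annotation on the Secret; `kubectl apply --server-side` avoids that copy.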

## ArgoCD workflow

1. Operator runs `scripts/create-secrets.sh` once on bootstrap (and again on rotation)
2. ArgoCD syncs the Helm chart; `shorefront-secret` already exists, pods start normally
3. ArgoCD does not manage the secret (no `managed-by: Helm` annotation), so it never diffs or deletes it