docs(k8s): read environment variable from secret (#2300)
shahargl authored Oct 25, 2024
1 parent 0574067 commit 2eee661
Showing 2 changed files with 83 additions and 3 deletions.
1 change: 1 addition & 0 deletions docs/deployment/kubernetes/overview.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -14,5 +14,6 @@ We maintain an opinionated, batteries-included Helm chart, but you can customize
## Next steps
- Install Keep on [Kubernetes](/deployment/kubernetes/installation).
- Keep's [Helm Chart](https://github.com/keephq/helm-charts).
- Keep with [Kubernetes Secret Manager](/deployment/secret-manager#kubernetes-secret-manager)
- Deep dive to Keep's kubernetes [Architecture](/deployment/kubernetes/architecture).
- Install Keep on [OpenShift](/deployment/kubernetes/openshift).
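Review bot: the new `Kubernetes Secret Manager` bullet is the only item in this `Next steps` list without a trailing period; suggest `- Keep with [Kubernetes Secret Manager](/deployment/secret-manager#kubernetes-secret-manager).` so it matches the surrounding items.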
85 changes: 82 additions & 3 deletions docs/deployment/secret-manager.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -59,18 +59,97 @@ Usage:

## Kubernetes Secret Manager

The `KubernetesSecretManager` interfaces with Kubernetes' native secrets system. It manages secrets within a specified Kubernetes namespace and is designed to operate within a Kubernetes cluster.
### Overview

Configuration:
The `KubernetesSecretManager` interfaces with Kubernetes' native secrets system.

It manages secrets within a specified Kubernetes namespace and is designed to operate within a Kubernetes cluster.

### Configuration

Set `K8S_NAMESPACE` environment variable to specify the Kubernetes namespace. Defaults to default if not set. Assumes Kubernetes configurations (like service account tokens) are properly set up when running within a cluster.
- `SECRET_MANAGER_TYPE=k8s`
- `K8S_NAMESPACE=keep` - environment variable to specify the Kubernetes namespace. Defaults to `.metadata.namespace` if not set. Assumes Kubernetes configurations (like service account tokens) are properly set up when running within a cluster.

Usage:

- Secrets are stored as Kubernetes Secret objects.
- Provides functionalities to create, retrieve, and delete Kubernetes secrets.
- Handles base64 encoding and decoding as required by Kubernetes.

### Environment Variables From Secrets
The Kubernetes Secret Manager integration allows Keep to fetch environment variables from Kubernetes Secrets.

For sensitive environment variables, such as `DATABASE_CONNECTION_STRING`, it is recommended to store as a secret:

#### Creating Database Connection Secret
```bash
# Create the base64 encoded string without newline
CONNECTION_STRING_B64=$(echo -n "mysql+pymysql://user:password@host:3306/dbname" | base64)

# Create the Kubernetes secret
kubectl create secret generic keep-db-secret \
--namespace=keep \
--from-literal=connection_string=$(echo -n "mysql+pymysql://user:password@host:3306/dbname" | base64)

# Or using a YAML file:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
name: keep-db-secret
namespace: keep
type: Opaque
data:
connection_string: $(echo -n "mysql+pymysql://user:password@host:3306/dbname" | base64)
EOF
```

#### Update the helm Values.yaml

After creating the secret, update the `values.yaml` so the helm chart will inject the secret as env var:
```bash
backend:
enabled: true
waitForDatabase: true
databaseConnectionStringFromSecret:
enabled: true # Enable using secret for database connection
secretName: "keep-db-secret" # Name of the secret we created
secretKey: "connection_string" # Key in the secret containing our connection string
```

#### Apply with Helm

```bash
# If installing for the first time
helm install keep keephq/keep \
-f values.yaml \
--namespace keep

# If updating existing installation
helm upgrade keep keephq/keep \
-f values.yaml \
--namespace keep
```

#### Verify the installation

Check if the secret is properly created:
```bash
kubectl get secret keep-db-secret -n keep
```

Verify the content of the secret is correct:
```bash
kubectl get secret keep-db-secret -n keep -o jsonpath='{.data.connection_string}' | base64 -d
```

Verify the pod using the secret:
```bash
kubectl get pod -n keep -l app.kubernetes.io/component=backend -o yaml | grep DATABASE_CONNECTION_STRING -A 5
```



## GCP Secret Manager

The `GcpSecretManager` utilizes Google Cloud's Secret Manager service for secret management. It requires setting up with Google Cloud credentials and a project ID.
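Review bot: the `kubectl create secret generic` command in the `Creating Database Connection Secret` block double-encodes the value: `--from-literal` takes plaintext and kubectl base64-encodes it itself when writing `.data`, so `--from-literal=connection_string=$(echo -n "..." | base64)` stores base64 of base64, and the `connection_string` key referenced from `values.yaml` will resolve to the encoded string rather than a usable connection string (the `base64 -d` check under `Verify the installation` would expose this by printing a base64 blob instead of the URL). Suggest `--from-literal=connection_string="mysql+pymysql://user:password@host:3306/dbname"`; the YAML variant is correct as written because `data:` expects base64. Related: `CONNECTION_STRING_B64` on the first line is assigned but never used, so either drop it or substitute it into the YAML `data:` value instead of repeating the `echo | base64` pipeline. The `values.yaml` snippet under `Update the helm Values.yaml` is fenced as `bash` but is YAML; tag it `yaml`. Minor: the `base64 -d` verification prints the database credential to the terminal (and the `echo -n "mysql+pymysql://user:password@..."` lines put it in shell history), which the text could note, and the `grep DATABASE_CONNECTION_STRING -A 5` check will show only the `secretKeyRef` reference, not the value, so stating that this is the expected output would avoid confusion.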
