Secrets
We use SOPS (Secrets OperationS) to encrypt Kubernetes Secrets within the mission-bootstrap; the encryption keys are backed by Amazon Key Management Service (KMS).
NOTE
At this time, product teams are not able to encrypt Kubernetes secrets themselves. A Mission DevOps engineer will perform the task of encrypting the Kubernetes secrets.
Step-By-Step Guide
- During the pipeline setup process, a DevOps engineer will reach out to the product team to ask if any Kubernetes Secrets need to be injected at runtime.
- For RDS Postgres/MySQL credentials, a DevOps engineer will generate and encrypt the appropriate credentials.
- If the Product Team has secrets that need to be injected at runtime and do not fall into the RDS Postgres/MySQL category, they should reach out to the DevOps Engineer currently assigned to their epic (or enter a helpdesk ticket if one is not assigned) to discuss encrypting the necessary credentials.
- The Product Team must send the credentials to be encrypted through DoD SAFE, as this is the only approved application for sending Kubernetes Secrets to be encrypted.
- For more information on DoD SAFE, please see their help documents.
- Once the Kubernetes Secrets have been encrypted, a reference to the encrypted Secrets will need to be added to the application Kubernetes manifests to make them available to your application container.
- If members are comfortable making changes to their own Kubernetes application manifests, they may do so themselves; otherwise they can ask the DevOps Engineer currently assigned to their epic (or enter a helpdesk ticket if one is not assigned) to help make the necessary changes.
Additional Comments
The code block below is an example of what will need to be added to the deployment.yaml file of your Kubernetes application manifests. The `envFrom` entry belongs under the container definition (`spec.template.spec.containers[]`), and the `name` must match the name of the encrypted Kubernetes Secret.

```yaml
envFrom:
  # Exposes every key in the named Secret as an environment variable in the container
  - secretRef:
      name: app-db-credentials
```
Note
Please consult with a DevOps engineer to confirm the appropriate value for the name field.
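For context, here is a complete pair of manifests showing how the `secretRef` above connects a Deployment to its Secret. This is an added illustration, not a manifest from mission-bootstrap; the Secret keys, image name and `my-app` identifiers are assumed placeholders, and the Secret is shown in its decrypted form (in the repository it would be stored SOPS-encrypted).

```yaml
# Decrypted view of the Secret a DevOps engineer would encrypt with SOPS.
# Keys become environment variable names inside the container.
apiVersion: v1
kind: Secret
metadata:
  name: app-db-credentials   # must match secretRef.name below
type: Opaque
stringData:
  DB_USERNAME: "<placeholder>"
  DB_PASSWORD: "<placeholder>"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app               # assumed application name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-app
          image: registry.example/my-app:1.0.0   # assumed image
          envFrom:
            # Injects DB_USERNAME and DB_PASSWORD from the Secret at runtime.
            # If the Secret does not exist in the namespace, the pod fails to start
            # (CreateContainerConfigError), which surfaces a wrong name quickly.
            - secretRef:
                name: app-db-credentials
```

After applying, `kubectl get pod -l app=my-app` should show the pod Running; a `CreateContainerConfigError` status usually means the `secretRef.name` does not match an existing Secret in that namespace.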