Environment Variables & Secrets Management
This section guides you through managing environment variables and secrets for your Koala services.
Per Service Global and Env Variables
Koala utilizes two types of variables:
- Global Service Variables: shared variables that are available to your service in every environment.
- Environment Service Variables: per-environment variables that apply to your service in one specific environment (e.g., development, staging, production).
Both types of variables are edited through the Koala UI, which writes the change back to your repository.
Secrets Management with Sealed Secrets
Koala leverages the bitnami-labs/sealed-secrets project for secret storage. Sealed Secrets encrypts sensitive values such as API keys and passwords before they are committed to your code repository, so the plaintext never lands in git and an exposed repository does not expose the values. Note that this gives you confidentiality, not integrity: the encryption key is public, so anyone with write access to the repository can replace a sealed value with one they sealed themselves. Review pull requests that touch secrets as carefully as any other change.
At deployment time the SealedSecret is applied alongside your other resources. The Sealed Secrets controller running in the cluster holds the private key; it decrypts the SealedSecret and creates the plain Kubernetes Secret that your application pods consume. Koala only ever holds the public half of that key pair, so it can encrypt values but never decrypt them. Decryption happens exclusively inside your Kubernetes clusters, and Koala never sees the plaintext. The flip side is that whoever can read the controller's private key (a cluster administrator, or anything with RBAC access to the Secret that stores it in the controller's namespace) can decrypt every SealedSecret for that cluster, so restrict that access deliberately.
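The program below is an added example, not Koala's code and not code taken from the sealed-secrets project. It reimplements the hybrid scheme bitnami-labs/sealed-secrets uses so you can see why Koala cannot read what it seals: a single-use AES-256-GCM key encrypts the value and is wrapped with RSA-OAEP(SHA-256), with the target namespace and Secret name as the OAEP label (the default "strict" scope). It assumes a locally generated RSA key pair standing in for the controller's, and a constructed sample value, so it runs offline; the function and variable names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// sealingLabel is the label the default "strict" scope binds a ciphertext to
// (RSA-OAEP label), so a value sealed for one namespace/name fails elsewhere.
func sealingLabel(namespace, name string) []byte {
	return []byte(namespace + "/" + name)
}

// seal is the public-key side, all that a party holding only the controller's
// certificate can do: wrap a fresh 32-byte session key with RSA-OAEP(SHA-256)
// under the label, then encrypt the value with AES-256-GCM. The key is used
// once, so a zero nonce is safe. Layout: [2-byte BE len][RSA ct][GCM ct+tag].
func seal(pub *rsa.PublicKey, plaintext, label []byte) ([]byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2, 2+len(wrapped)+len(plaintext)+gcm.Overhead())
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	return gcm.Seal(out, make([]byte, gcm.NonceSize()), plaintext, nil), nil
}

// unseal is the private-key side, which only the in-cluster controller can
// perform. The label comes from the SealedSecret's own namespace and name; if
// it differs from the sealing label, OAEP unwrapping fails and nothing leaks.
func unseal(priv *rsa.PrivateKey, sealed, label []byte) ([]byte, error) {
	if len(sealed) < 2 || len(sealed) < 2+int(binary.BigEndian.Uint16(sealed)) {
		return nil, fmt.Errorf("sealed value truncated")
	}
	n := int(binary.BigEndian.Uint16(sealed))
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sealed[2:2+n], label)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), sealed[2+n:], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// demo seals a constructed value for namespace "prod", Secret "db-credentials",
// verifies it unseals there, and verifies it does not unseal after being moved
// to namespace "staging". Returns nil when both checks pass.
func demo() error {
	// The real key pair is generated and held by the controller; a local one
	// is generated here so the example runs offline.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	plaintext := []byte("DB_PASSWORD=correct-horse-battery-staple") // constructed sample
	sealed, err := seal(&priv.PublicKey, plaintext, sealingLabel("prod", "db-credentials"))
	if err != nil {
		return err
	}
	got, err := unseal(priv, sealed, sealingLabel("prod", "db-credentials"))
	if err != nil {
		return err
	}
	if string(got) != string(plaintext) {
		return fmt.Errorf("round trip mismatch")
	}
	if _, err := unseal(priv, sealed, sealingLabel("staging", "db-credentials")); err == nil {
		return fmt.Errorf("value unsealed under the wrong namespace")
	}
	return nil
}

func main() {
	fmt.Println("sealed-secrets round trip ok:", demo() == nil)
}
```

Run it with `go run`. The second unseal failing is the property to rely on: a sealed value copied into another namespace or renamed is useless there, which is why the default strict scope is the safe one; the project's cluster-wide and namespace-wide scopes relax this binding and should be an explicit opt-in. It also shows why Koala must re-seal rather than edit a stored value: without the private key there is no way to derive a new ciphertext from an old one.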
This approach offers several advantages, with the primary benefit being robust version control for your secrets. Sealed Secrets allow you to:
- Track changes to secrets over time.
- Revert to previous configurations if necessary.
- Identify who made specific modifications.
This audit trail is essential for maintaining a secure environment.
Managing Secrets in Koala
Managing secrets with Koala is remarkably straightforward.
- Locate the “Environment Secrets” section within the “Env Vars & Secrets” tab for your service.
- Add or edit your secrets as needed.
- Click on “Generate Pull Request” to integrate the secrets into your repository.
Important Note: once the pull request is merged, the Koala UI shows each secret only in its encrypted (sealed) form. You can still edit the field, but you would then be editing the ciphertext rather than the value, and a hand-modified ciphertext will not decrypt in the cluster. This is only useful when you already have a value sealed for the same cluster, for example one you produced yourself with kubeseal, and want to paste it in.
To set a new plain-text value for an existing secret key:
- Delete the previous key (using the trash bin icon).
- Re-add it on a new line with the new plain-text value.
- Generate a new pull request.
Koala encrypts the new plain-text value with the cluster's public key and commits only the sealed form to your repository.
Prerequisites for Sealed Secrets
To use sealed secrets you must have the bitnami-labs/sealed-secrets controller installed on every cluster your service deploys to; on a cluster without the controller a SealedSecret is never turned into a Secret and the pods that depend on it will not start. The recommended approach is installation via the Koala ArgoCD Control Plane; manual installation is also possible.
Installation using Koala Control Plane:
- Install ArgoCD on your management Kubernetes cluster following the interactive installation instructions. This is a brief manual process, after which ArgoCD manages additional add-ons for your clusters.
- Install the Sealed Secrets addon: navigate to the Manage Cluster Addons section within the Koala UI, choose the “Sealed Secrets controller” addon and select the clusters where your secrets must be decryptable (typically all clusters). Koala offers a default configuration for the addon, which you can modify directly in the UI if required.