
Project Secrets

Project secrets allow you to define secrets once and share them across the clusters a project is allowed to use. There are two ways to use project secrets. The first is to create a project secret and populate it with its own secret data. The second is to sync a project secret with a global secret. In both cases, to consume the secret data you create a standard Kubernetes Secret carrying labels that refer to the project secret. Once that Secret exists, the platform synchronizes the project secret data into it.

Data or Global Secrets, but not both

It is not possible for a single project secret to both define custom data and synchronize a global secret. If you need additional secret data that is specific to your project, create a separate secret for it and combine the two in your pod specifications.
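As an added illustration (not part of the original page), the following pod spec shows one way to combine a secret synced from a project secret with a separate, project-specific secret. The secret `my-secret` and namespace `my-space` are the names used later on this page; `my-secret-extra`, the `EXTRA_` prefix and the container image are constructed placeholders:

```yaml
# Separate, project-specific secret with its own data (constructed example).
apiVersion: v1
kind: Secret
metadata:
  name: my-secret-extra
  namespace: my-space
type: Opaque
stringData:
  api-token: replace-me        # placeholder value
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: my-space
spec:
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      envFrom:
        # Keys from the Secret that the platform populates from the project secret.
        - secretRef:
            name: my-secret
        # Keys from the project-specific Secret. The prefix keeps the two key sets
        # from colliding: with envFrom, a key present in several sources takes the
        # value from the last source listed.
        - prefix: EXTRA_
          secretRef:
            name: my-secret-extra
```

Mounting both as volumes under different paths works the same way; the point is that each secret stays a separate object, so the synced one is never mixed with locally defined data.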

Permissions for Project Secrets

Each project secret can grant specific users and teams permission to view and modify it.

Creating Project Secret with Data

  1. Select the project you'd like to configure using the drop down menu. Click on Secrets.

  2. Click on the button.

  3. Add a display name, such as "My Secret", and an optional description for the project secret. The UI will automatically fill in the .metadata.name with my-secret. If you wish to change this name, you may edit the YAML directly.

  4. In the Data section, add your secret key/value pairs.

  5. Click on Permissions. Add which users and teams have access and permissions to modify the project secret.

  6. Click on the button to save your changes.

Creating Project Secrets synced from a Global Secret

When you have a global secret defined in the platform and wish to use it inside your project, you can create a project secret to be synced from the global secret.

Global Secret Permissions

When creating a project secret that refers to a global secret, you must have permission to read that global secret or the request will be denied.

  1. Select the project you'd like to configure using the drop down menu. Click on Secrets.

  2. Click on the button.

  3. Add a display name, such as "My Secret", and an optional description for the project secret. The UI will automatically fill in the .metadata.name with my-secret. If you wish to change this name, you may edit the YAML directly.

  4. In the Data section, under Optional: Global Secret, select the global secret that you wish to sync to the project secret.

  5. Click on Permissions. Add which users and teams have access and permissions to modify the project secret.

  6. Click on the button to save your changes.

Using Project Secrets

To use a project secret, create a secret in the namespace where you need the project secret.

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: my-space
  labels:
    loft.sh/project-secret-name: my-secret
type: Opaque

The secret will be synchronized with the project secret momentarily.
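Because the data arrives asynchronously, a deployment script should not assume the Secret is usable the instant `kubectl apply` returns. The following POSIX shell script is an added example, not code from the platform or its documentation: it writes the referencing Secret manifest shown above and polls until the platform has populated its `.data`. It assumes `kubectl` is configured for the target cluster; the names `my-secret` and `my-space` come from this page, while the timeout and poll interval are constructed defaults.

```shell
#!/bin/sh
# Added example: create a Secret that references a project secret by label,
# then wait until the platform has synchronized data into it.
# Assumes kubectl points at the cluster where the namespace lives.

KUBECTL="${KUBECTL:-kubectl}"

# Print the referencing Secret manifest. It deliberately carries no "data"
# field: the platform fills that in from the project secret.
reference_secret_manifest() {
  name="$1"; namespace="$2"; project_secret="$3"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${namespace}
  labels:
    loft.sh/project-secret-name: ${project_secret}
type: Opaque
EOF
}

# Return 0 once the Secret has at least one key in .data, 1 if the timeout
# (seconds) elapses first. Poll interval and timeout are constructed defaults.
wait_for_sync() {
  name="$1"; namespace="$2"; timeout="${3:-60}"; interval="${4:-2}"
  elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    # jsonpath prints the map as JSON ({} or empty while nothing has synced;
    # older kubectl releases print map[] for an empty map).
    keys=$("$KUBECTL" get secret "$name" -n "$namespace" \
             -o jsonpath='{.data}' 2>/dev/null || true)
    if [ -n "$keys" ] && [ "$keys" != "{}" ] && [ "$keys" != "map[]" ]; then
      return 0
    fi
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
  return 1
}

# Apply the manifest and block until the data is present.
main() {
  reference_secret_manifest my-secret my-space my-secret | "$KUBECTL" apply -f -
  if wait_for_sync my-secret my-space; then
    echo "my-secret in my-space is synchronized"
  else
    echo "timed out waiting for my-secret to be synchronized" >&2
    return 1
  fi
}
```

Call `main` at the end of the script to run it; checking `.data` rather than just the Secret's existence is what distinguishes "the platform has synced" from "my empty placeholder was accepted".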

Virtual Cluster Secrets

Secrets inside virtual clusters are also updated when the project secret is modified, but not immediately. Since it would be inefficient to watch secrets in every virtual cluster, the platform instead synchronizes virtual cluster secrets on an interval.