
Config & secrets

Vals makes it easy to load configuration values from secure sources like AWS Secrets Manager, HashiCorp Vault, Azure Key Vault… By allowing you to reference these sources directly in your configuration files, Vals ensures that sensitive data is kept secure and up-to-date, without the need to hard-code secrets.

  • Secure integrations: Vals works with multiple secret management systems to fetch and use sensitive values.
  • Dynamic resolution: Values are retrieved and decrypted in real-time to ensure your configurations always use the latest information.
  • Extensibility: Vals supports adding new secrets sources, making it flexible for any custom infrastructure needs.

Vals resolves secrets dynamically using a special URI format. It resolves these references at runtime by fetching and decrypting the corresponding values.

Here’s an example of how to use Vals with a Kubernetes ConfigMap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: example-config
data:
  client-id: ref+file://values.yaml#/path/to/clientId+

The value path is set this way:

  • ref+file://relative/path/to/file[#/path/to/the/value]
  • ref+file:///absolute/path/to/file[#/path/to/the/value]

In the corresponding values.yaml file, find the original configuration value:

path:
  to:
    clientId: sampleapp

When deployed, Vals fetches and decrypts the secret value, inserting it dynamically.

Usable ‘configuration values’ are any non-sensitive options of your config.yaml file.

You can interpolate them using the ref+file://config.yaml#/path/to/field+ syntax.

Make sure to follow the Vals Guide to fully understand how to manage them.

In order to reference a secret (here secret-key), surround it with the secretStore prefix and suffix, each written as its own reference (the trailing + closes each reference so the three parts can be concatenated):

ref+file://config.yaml#/secretStore/valsPrefix+<secret-key>ref+file://config.yaml#/secretStore/valsSuffix+
config.yaml
secretStore:
  provider: plain
  valsPrefix: secretref+file:///var/run/secrets/vals-expander/secret-store.yaml#/
  valsSuffix: ""
  plain:
    secret-1: value-1
    secret-2: value-2
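The following is an added illustration (not code from vals or from this project) of how the file references above and the prefix/suffix wrapping compose: the wrapper expands to a new secretref+file:// reference, which a second pass resolves against the secret store. It assumes the files are already parsed (a dict stands in for each YAML document), handles only the file backend, and treats the two-pass behaviour as a model of the expander, not its actual implementation.

```python
import re
from typing import Any, Dict

# Constructed stand-in for files on disk (filename -> parsed YAML document).
# It mirrors this page's config.yaml (plain provider) and values.yaml; the
# secret-store file contents and the admin block are assumed for illustration.
FILES: Dict[str, Dict[str, Any]] = {
    "values.yaml": {"path": {"to": {"clientId": "sampleapp"}}},
    "config.yaml": {
        "secretStore": {
            "provider": "plain",
            "valsPrefix": "secretref+file:///var/run/secrets/vals-expander/secret-store.yaml#/",
            "valsSuffix": "",
        },
        "admin": {"passwordHash": "$2a$10$constructed-bcrypt-hash"},
    },
    "/var/run/secrets/vals-expander/secret-store.yaml": {
        "secret-1": "value-1",
        "admin-password": "constructed-admin-password",
    },
}

# ref+file://<path>#/<fragment>+ : the trailing '+' (or end of string) ends the
# reference, which is what lets a ref be glued to the text around it.
REF_RE = re.compile(r"(?:secret)?ref\+file://(?P<path>[^#+]+)#/(?P<frag>[^+\s]*)(?:\+|$)")

def lookup(path: str, frag: str) -> str:
    """Walk the '/'-separated fragment down the parsed document."""
    node: Any = FILES[path]
    for key in frag.split("/"):
        node = node[key]
    return str(node)

def expand_once(value: str) -> str:
    """Replace every reference in the string with the value it points at."""
    return REF_RE.sub(lambda m: lookup(m["path"], m["frag"]), value)

def resolve(value: str, max_passes: int = 5) -> str:
    """Expand until nothing changes: the prefix/suffix wrapper yields a
    secretref+ on pass one, which pass two resolves to the stored secret."""
    for _ in range(max_passes):
        expanded = expand_once(value)
        if expanded == value:
            return value
        value = expanded
    raise ValueError("reference did not settle; possible self-reference")

if __name__ == "__main__":
    wrapped = ("ref+file://config.yaml#/secretStore/valsPrefix+"
               "admin-password"
               "ref+file://config.yaml#/secretStore/valsSuffix+")
    print(resolve("ref+file://values.yaml#/path/to/clientId+"))  # sampleapp
    print(resolve(wrapped))  # constructed-admin-password
```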

The GCPSecrets integration enables storing secret values in GCP Secret Manager.

config.yaml
secretStore:
  provider: gcpsecrets
  valsPrefix: secretref+gcpsecrets://project-id/prefix_
  valsSuffix: "?trim_nl=true"
  gcpKeyFile: path/to/gcpsecrets/serviceaccount.json

Once your values are set, you can use them in your other configuration files by following the reference syntax above.

This is useful because each value is defined once and only referenced from the files that need it: changing a property then means changing it in one place, the secretStore section of your configuration file.

Example:

config.yaml
apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
  namespace: k8saas-system
stringData:
  admin.password: ref+file://config.yaml#/admin/passwordHash+ # will get the admin.passwordHash value

In order to run K8SaaS, these keys are required:

  • argocd-oidc-client-key: OIDC client-key for ArgoCD
  • argo-workflows-oidc-client-key: OIDC client-key for Argo Workflows
  • grafana-oidc-client-key: OIDC client-key for Grafana
  • harbor-oidc-client-key: OIDC client-key for Harbor
  • oauth2-proxy-oidc-client-key: OIDC client-key for OAuth2 proxy
  • oauth2-proxy-cookie-key: OIDC client-key for OAuth2 proxy cookie
  • pinniped-oidc-client-key: OIDC client-key for Pinniped
  • s3gw-access-key: Default access key for S3GW
  • s3gw-secret-key: Default secret key for S3GW
  • admin-password: Admin password for every app supporting password auth
  • admin-password-hash: Hashed admin password for every app supporting password auth