Secrets

Secrets management is built into xlrte and rests on the following principles:

Secrets can be committed to git, as they are encrypted at rest.
Secrets are environment specific, thus allowing different versions of the same secrets between environments. This also allows different people to have different privileges to access secrets.
Secrets will be stored in your cloud providers native secret store, for instance Secret Manager for Google Cloud Platform.

For more help on how to use xlrte secrets, use the xlrte secret sub-command to get help. Noteworthy is, when a new person is added to the project, they should run xlrte secret init -e [env], push the changes including their public-key entry, and ask someone who already has access to run the xlrte secret refresh command, to give them access.

Binding secrets to services

For resources managed by xlrte, such as Cloud SQL, secrets are automatically created and bound to the services.

For services added by developers with xlrte secret add, a reference must be added in the service.yaml for the given service, in the top-level env block, like so:

env:
  secrets:
    api_key: my-api-key

The above would bind the secret my-api-key to the api_key environment variable at runtime.

Binding secrets to services​

Binding secrets to services