
Configure Filter Secrets

Configure Service Filters Using External Secret Providers

Introduction

Certain service filter configuration options require sensitive data to fully function. This could include AWS access tokens or database connection strings. These options may be configured to reference data stored in an external secret provider to prevent sensitive data from being saved in a GitOps repository.

Prerequisites

  • Greymatter mesh v1.8.1 or later

Supported External Secret Providers

  • Kubernetes Secret

Working With Kubernetes Secrets

1. Create the Kubernetes Secret

Create the Kubernetes Secret containing the sensitive data. Take note of the metadata.name, metadata.namespace, and the keys under data (written data.# below), as you will use these three values to identify the secret later; values under data must be base64-encoded. Placing this secret in the same metadata.namespace as the service being referenced is recommended.

---
apiVersion: v1
kind: Secret
metadata:
  name: secret-name
  namespace: service-namespace
type: Opaque
data:
  configuration-option-key: c2Vuc2l0aXZlIGRhdGE=

2. Grant Greymatter Control Read Access

Create an RBAC Role and RoleBinding that grant greymatter Control read access to the Kubernetes Secret created above. The Role is restricted with resourceNames and the single verb get, so Control can read only this one secret and nothing else in the namespace.

---
# Create access role for a single secret
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: service-namespace # Same namespace as the secret
  name: secret-name-gm-control-role
rules:
- apiGroups: [""]
  resourceNames: ["secret-name"]
  resources: ["secrets"]
  verbs: ["get"]

---
# Grant GM Control the access role
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: service-namespace # Same namespace as the secret
  name: secret-name-gm-control-role-binding
subjects:
- kind: ServiceAccount
  name: controlensemble
  namespace: greymatter
roleRef:
  kind: Role
  name: secret-name-gm-control-role
  apiGroup: rbac.authorization.k8s.io

3. Configure the Service Filter

Configure an eligible service filter with a #KubernetesSecret in your tenant CUE definition.

filters: [
	gsl.#MetricsFilter & {
		#secrets: {
			redis_connection_string: gsl.#KubernetesSecret & {
				namespace: "service-namespace"        // metadata.namespace
				name:      "secret-name"              // metadata.name
				key:       "configuration-option-key" // data.#
			}
		}
	},
]
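The three steps above produce a Secret, a Role/RoleBinding pair, and a #KubernetesSecret reference that must all agree with each other. The following is an added example (not Greymatter's own tooling) that checks this offline before the manifests are committed: it encodes a plaintext value for the data field, confirms the reference resolves to a real key in the Secret, and reports any way the RBAC is broader than the single-secret, get-only grant shown above. The manifests are embedded as Python dicts, shaped as yaml.safe_load would return them, so the script runs without a cluster; in practice you would load them from the YAML files in your GitOps repository. The subject (controlensemble in the greymatter namespace) is taken from the RoleBinding above.

```python
"""Offline consistency and least-privilege checks for a Greymatter filter secret.

Added example, not part of the Greymatter documentation or product.
The manifests are constructed copies of the ones shown in steps 1 and 2.
"""
import base64
import binascii

# Constructed: the Secret from step 1, as yaml.safe_load would return it.
SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "secret-name", "namespace": "service-namespace"},
    "type": "Opaque",
    "data": {"configuration-option-key": "c2Vuc2l0aXZlIGRhdGE="},
}

# Constructed: the Role and RoleBinding from step 2.
ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"namespace": "service-namespace", "name": "secret-name-gm-control-role"},
    "rules": [{"apiGroups": [""], "resourceNames": ["secret-name"],
               "resources": ["secrets"], "verbs": ["get"]}],
}
ROLE_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "RoleBinding",
    "metadata": {"namespace": "service-namespace", "name": "secret-name-gm-control-role-binding"},
    "subjects": [{"kind": "ServiceAccount", "name": "controlensemble", "namespace": "greymatter"}],
    "roleRef": {"kind": "Role", "name": "secret-name-gm-control-role",
                "apiGroup": "rbac.authorization.k8s.io"},
}

# The #KubernetesSecret reference from the CUE filter definition in step 3.
SECRET_REF = {"namespace": "service-namespace", "name": "secret-name", "key": "configuration-option-key"}

# Service account that greymatter Control runs as (from the RoleBinding above).
CONTROL_SA = ("controlensemble", "greymatter")


def encode_secret_value(plaintext: str) -> str:
    """Return the base64 string to place under data.<key> (no trailing newline)."""
    return base64.b64encode(plaintext.encode("utf-8")).decode("ascii")


def resolve_reference(secret: dict, ref: dict) -> bytes:
    """Return the decoded bytes the reference points at, or raise ValueError."""
    if secret.get("kind") != "Secret":
        raise ValueError("manifest is not a Secret")
    meta = secret.get("metadata", {})
    if (meta.get("namespace"), meta.get("name")) != (ref["namespace"], ref["name"]):
        raise ValueError("reference does not match the Secret's metadata.namespace/name")
    data = secret.get("data", {})
    if ref["key"] not in data:
        raise ValueError(f"key {ref['key']!r} is not present under data")
    try:
        return base64.b64decode(data[ref["key"]], validate=True)
    except binascii.Error as exc:
        raise ValueError(f"value under {ref['key']!r} is not valid base64: {exc}") from exc


def rbac_findings(role: dict, binding: dict, ref: dict, control_sa=CONTROL_SA) -> list:
    """Return least-privilege problems; an empty list means the grant is as tight as step 2."""
    findings = []
    if role.get("metadata", {}).get("namespace") != ref["namespace"]:
        findings.append("Role is not in the secret's namespace")
    for rule in role.get("rules", []):
        if rule.get("resources") != ["secrets"]:
            findings.append(f"rule grants resources {rule.get('resources')}, expected ['secrets']")
        if set(rule.get("verbs", [])) - {"get"}:
            findings.append(f"rule grants verbs {rule.get('verbs')}, only 'get' is needed")
        if rule.get("resourceNames") != [ref["name"]]:
            findings.append("rule is not limited to the referenced secret via resourceNames")
    if binding.get("roleRef", {}).get("name") != role.get("metadata", {}).get("name"):
        findings.append("RoleBinding does not reference the Role")
    if binding.get("metadata", {}).get("namespace") != ref["namespace"]:
        findings.append("RoleBinding is not in the secret's namespace")
    subjects = {(s.get("kind"), s.get("name"), s.get("namespace")) for s in binding.get("subjects", [])}
    if subjects != {("ServiceAccount",) + tuple(control_sa)}:
        findings.append(f"RoleBinding subjects {sorted(subjects)} should be only the Control service account")
    return findings


if __name__ == "__main__":
    print("data value for 'sensitive data':", encode_secret_value("sensitive data"))
    print("reference resolves to:", resolve_reference(SECRET, SECRET_REF))
    print("RBAC findings:", rbac_findings(ROLE, ROLE_BINDING, SECRET_REF) or "none")
```

Run this as a pre-commit or CI step against the rendered manifests: a non-empty findings list (for example, a Role that gained list or watch, or lost its resourceNames) should fail the pipeline, since any widening lets Control read secrets beyond the one the filter needs.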

Conclusion

Congratulations, you have now configured a filter option with an external secret.

Next Steps

To learn about additional filters and their options please refer to the individual filter reference pages.