Configure Filter Secrets

Configure Service Filters Using External Secret Providers


Certain service filter configuration options require sensitive data to fully function. This could include AWS access tokens or database connection strings. These options may be configured to reference data stored in an external secret provider to prevent sensitive data from being saved in a GitOps repository.


  • Greymatter mesh v1.8.1 or later

Supported External Secret Providers

  • Kubernetes Secret

Working With Kubernetes Secrets

1. Create the Kubernetes Secret

Create the Kubernetes secret containing the sensitive data. Take note of the metadata.name, the metadata.namespace, and the keys in data.#, as you will use these three values to identify the secret later. Placing this secret in the same metadata.namespace as the service being referenced is recommended.

apiVersion: v1
kind: Secret
metadata:
  name: secret-name
  namespace: service-namespace
type: Opaque
data:
  configuration-option-key: c2Vuc2l0aXZlIGRhdGE= # base64-encoded value

2. Grant Greymatter Control Read Access

Create an RBAC Role and RoleBinding that grant Greymatter Control access to read the Kubernetes secret created above.

# Create access role for a single secret
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: service-namespace # Same namespace as the secret
  name: secret-name-gm-control-role
rules:
- apiGroups: [""]
  resourceNames: ["secret-name"]
  resources: ["secrets"]
  verbs: ["get"]
---
# Grant GM Control the access role
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: service-namespace # Same namespace as the secret
  name: secret-name-gm-control-role-binding
subjects:
- kind: ServiceAccount
  name: controlensemble
  namespace: greymatter
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: secret-name-gm-control-role

3. Configure the Service Filter

Configure an eligible service filter with a #KubernetesSecret in your tenant CUE definition.

filters: [
	gsl.#MetricsFilter & {
		#secrets: {
			redis_connection_string: gsl.#KubernetesSecret & {
				namespace: "service-namespace"        // metadata.namespace
				name:      "secret-name"              // metadata.name
				key:       "configuration-option-key" // data.#
			}
		}
	},
]


Congratulations! You have now configured a filter option with an external secret.
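To confirm that the Role and RoleBinding from step 2 let Greymatter Control read this one secret and nothing broader, the following added example (not part of the Greymatter documentation) impersonates the controlensemble service account with kubectl auth can-i. It assumes your own kubectl user is allowed to impersonate service accounts; the function and variable names are hypothetical.

```sh
#!/bin/sh
# Added example: confirm the step 2 grant is exactly "get" on one named secret.
# Assumption: the kubectl user running this may impersonate service accounts.

# Service account bound in the RoleBinding above.
GM_CONTROL_SA="system:serviceaccount:greymatter:controlensemble"

# can_i VERB RESOURCE NAMESPACE -> succeeds only if the API server answers "yes".
can_i() {
    [ "$(kubectl auth can-i "$1" "$2" --as="$GM_CONTROL_SA" -n "$3" 2>/dev/null)" = "yes" ]
}

# verify_secret_access NAMESPACE SECRET_NAME (hypothetical helper name)
# Returns 0 when Control can read the named secret and nothing broader.
verify_secret_access() {
    vsa_ns=$1
    vsa_name=$2
    vsa_rc=0

    if can_i get "secret/$vsa_name" "$vsa_ns"; then
        echo "ok:   get secret/$vsa_name is allowed"
    else
        echo "FAIL: get secret/$vsa_name is denied; check the Role and RoleBinding"
        vsa_rc=1
    fi

    # Without a resource name these must all be denied, otherwise the Role
    # is missing resourceNames or another binding grants wider access.
    for vsa_verb in get list watch create update patch delete; do
        if can_i "$vsa_verb" secrets "$vsa_ns"; then
            echo "FAIL: $vsa_verb on all secrets in $vsa_ns is allowed"
            vsa_rc=1
        fi
    done

    return "$vsa_rc"
}

# Usage: sh verify-secret-access.sh service-namespace secret-name
if [ "$#" -eq 2 ]; then
    verify_secret_access "$1" "$2"
fi
```

A FAIL line for an unnamed verb usually means resourceNames was dropped from the Role or a second binding in the namespace grants the service account wider access.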

Next Steps

To learn about additional filters and their options, please refer to the individual filter reference pages.