Only Environment editors can add, edit, and delete secrets for Entities in the Environment. Everyone who can view an Entity can view names, descriptions, and keys for its secrets.
Secret values are encrypted immediately upon submission and can only be decrypted from inside the Environment. You cannot read secret values from your Apollo Hub regardless of permissions.
You can add, edit, and delete secrets for an Entity by navigating to the Entity page and selecting Manage secrets from the Actions dropdown.
Select + Add Secret on the top right of the Manage secrets menu to create a new user-defined secret.
Complete the form to create a new secret for an Entity.
Configuration items:
You can select Add pair to add another key-value pair to the secret.
Select Submit after completing the form. Apollo will issue a Plan to create the secret.
Apollo will use the information you provided to create a Kubernetes secret in the Environment of the Entity. The secret will be created in the same Kubernetes namespace as the Helm chart for the Entity. The Kubernetes secret name will be the Entity name followed by the Secret name you provided, separated by a hyphen (-). In the example above, the Kubernetes secret name will be example-entity-example-secret for the example-entity Entity.
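The shell functions below are an added example, not part of Apollo or its documentation. They derive the Kubernetes secret name from the naming rule above, check it against Kubernetes' own DNS subdomain naming rules, and list the keys of the created secret with kubectl without printing any values. The function names and the namespace argument are assumptions.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not Apollo commands.

# Entity name + "-" + secret name, per the naming rule described above.
apollo_secret_name() {
    printf '%s-%s\n' "$1" "$2"
}

# Kubernetes Secret names must be DNS-1123 subdomains: lowercase
# alphanumerics, '-' or '.', alphanumeric at both ends, at most 253 chars.
# This is Kubernetes' rule; whether the Apollo form enforces it is not
# stated on this page.
is_valid_k8s_name() {
    name=$1
    [ "${#name}" -le 253 ] || return 1
    printf '%s\n' "$name" | grep -Eq \
        '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
}

# Print only the key names stored in the secret, never the values.
# $3 is an assumption: the namespace of the Entity's Helm chart.
list_secret_keys() {
    entity=$1 secret=$2 namespace=$3
    name=$(apollo_secret_name "$entity" "$secret")
    if ! is_valid_k8s_name "$name"; then
        echo "not a valid Kubernetes secret name: $name" >&2
        return 2
    fi
    kubectl get secret "$name" -n "$namespace" \
        -o go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}'
}

# Usage, once the Plan has succeeded (namespace is a placeholder):
#   list_secret_keys example-entity example-secret <namespace>
```

Run `list_secret_keys` from a machine with kubectl access to the Environment's cluster; the output should match the keys shown in the Manage secrets menu.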
To allow the immediate encryption of the secret value, the Hub needs to know the Agents' public keys. If, at the time of encryption, the Hub does not know the public key for the Agent that will eventually execute the Plan, the user's request to add or edit the secret value will fail.
To edit a user-defined secret, select the pencil icon to the right of the secret name.
This will open the edit secret form. Enter the required updates and select Update secret.
This form will only display the existing keys for the secret. Apollo cannot retrieve secret values, but as long as a key-value pair is not deleted, its value will be preserved. If a key-value pair is deleted by accident, you can only undo it by selecting Cancel before you select Update secret. Afterwards, you can still effectively undo the deletion by re-adding the key-value pair, but you must provide the value to be set again. Note that the key-value pair will be unavailable in the Environment until the Plan to re-add it succeeds.
You can only edit secrets associated with managed Entities.
To delete user-defined secrets, select the trash can icon to the right of the secret name in the Manage Secrets menu.
Deleting a user-defined secret that is actively used by the current configuration will break the service. It is not possible to discover which user-defined secrets are in use with the current configuration schema.
All secrets operations are executed by Apollo using a Plan so that changes only occur during appropriate maintenance windows. You can view the progress of a secret operation in the Plans tab of the Entity home page.
Learn more about using secrets in Apollo.