This page describes some best practices for managing secrets for applications you deploy to Google Kubernetes Engine or GKE Enterprise clusters using Cloud Deploy.
Because injecting application secrets into deployment artifacts introduces security risks, avoid managing secrets from within Cloud Deploy pipelines.
Secrets consumed in this way should be generated, managed, and rotated outside of the scope of Cloud Deploy.
Secrets, in this context, refer to sensitive data such as database credentials, API keys, certificates, or passwords.
Kubernetes secrets
Kubernetes Secrets are secure objects that store sensitive data, such as passwords, OAuth tokens, and SSH keys in your clusters, separate from Pods. Secrets are similar to ConfigMaps, but are intended to hold confidential data.
By default, Kubernetes Secrets are only base64-encoded, not encrypted: unless you enable application-layer secrets encryption, the values sit in etcd in plain form, and anyone with RBAC permission to read Secrets in the namespace can read them. For that reason, the approaches described in this document do not use them.
Managing secrets for use with Cloud Deploy
This section describes how to manage secrets for applications that you deploy using Cloud Deploy.
The following are two approaches to secrets management with GKE or GKE Enterprise:
Google Secret Manager
Secret Manager is a fully managed, multi-region Google Cloud service that securely stores API keys, passwords, and other sensitive data.
Secrets from Secret Manager can be accessed from the cluster using the client library and Workload Identity authentication, or using the Secrets Store CSI driver.
To use Secret Manager for your application:
Reference the secret from your application code using the Secret Manager client library, and read it at runtime rather than at build or deploy time.
Pass only metadata about the secret to the application through environment variables, for example the secret name, the secret version, or the application environment (such as dev, staging, or prod). Never pass the secret value itself this way.
If the deployment process for a specific feature includes provisioning of infrastructure, then create or update the secret using Secret Manager as part of the provisioning process, before deploying the application.
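As an added example (not code from this page or from Google's own documentation), the following Python shows the client-library path from the steps above end to end: the application takes only the secret's identifiers from environment variables, builds the Secret Manager resource name, fetches the version at runtime, and verifies the CRC32C checksum the service returns with the payload. In a GKE pod with Workload Identity, Application Default Credentials resolve to the bound Google service account, so no key file or secret value is embedded in the deployment artifact. The environment variable names and the `make_client` helper are assumptions made for this example.

```python
"""Fetch a secret at runtime from Secret Manager instead of baking it into a deployment."""
import os
from typing import Mapping

# Reflected Castagnoli polynomial. Secret Manager returns payload.data_crc32c
# computed with this CRC so the client can detect corruption in transit.
_CRC32C_POLY = 0x82F63B78


def crc32c(data: bytes) -> int:
    """Pure-Python CRC-32C (Castagnoli), bit by bit; fine for secret-sized payloads."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ _CRC32C_POLY if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def secret_version_name(project_id: str, secret_id: str, version: str = "latest") -> str:
    """Build the fully qualified resource name of one secret version."""
    for part in (project_id, secret_id, version):
        if not part or "/" in part:
            raise ValueError(f"invalid resource component: {part!r}")
    return f"projects/{project_id}/secrets/{secret_id}/versions/{version}"


def secret_name_from_env(environ: Mapping[str, str] = os.environ) -> str:
    """Read only metadata (which secret, which version) from the environment.

    The secret value itself never appears in the manifest or the environment.
    The variable names below are an assumption for this example.
    """
    return secret_version_name(
        environ["GOOGLE_CLOUD_PROJECT"],
        environ["DB_PASSWORD_SECRET"],
        environ.get("DB_PASSWORD_SECRET_VERSION", "latest"),
    )


def access_secret(client, name: str) -> bytes:
    """Access one secret version and verify the service-supplied checksum.

    `client` is a google.cloud.secretmanager.SecretManagerServiceClient, or a
    test double exposing the same access_secret_version(request=...) method.
    """
    response = client.access_secret_version(request={"name": name})
    payload = response.payload
    if crc32c(payload.data) != payload.data_crc32c:
        raise RuntimeError(f"checksum mismatch for {name}; refusing to use payload")
    return payload.data


def make_client():
    """Real client, imported lazily so this module loads without the SDK installed.

    Requires: pip install google-cloud-secret-manager
    """
    from google.cloud import secretmanager

    return secretmanager.SecretManagerServiceClient()


if __name__ == "__main__":
    password = access_secret(make_client(), secret_name_from_env())
    print(f"fetched {len(password)} bytes")  # never log the value itself
```

The Google service account bound through Workload Identity needs only `roles/secretmanager.secretAccessor` on that specific secret; granting it at project level defeats the purpose of separating secrets from pipelines.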
For more information on managing Kubernetes secrets with Secret Manager, see Using Secret Manager with other products.
HashiCorp Vault
HashiCorp Vault is a popular and widely used open source tool for managing secrets. Google Cloud has extensive integrations and support for Vault, along with other HashiCorp tools such as Terraform.
You can consume Vault secrets from your Kubernetes cluster in any of the following ways:
Access Vault secrets through the API and authenticate using Workload Identity.
Inject Secrets into your Kubernetes Pods using Vault Agent containers.
Use the Vault CSI Provider to consume those secrets.
What's next
Find out more about Secret Manager best practices.
Read a blog post about security best practices using HashiCorp Vault and Terraform on Google Cloud.