Secret Manager Setup for NextGen Dataplane
NextGen Dataplane supports multiple secret management options to securely store and access sensitive data such as credentials and API keys. This guide covers the setup for Environment Driven Secrets, AWS Secret Manager, and GCP Secret Manager.
Standard Location for Secret Manager Configuration
- Secrets should be provided in the following standard location for the analysis service and standalone configurations:
/opt/acceldata/secretmanager.json
1. Environment Driven Secrets
Environment-driven secrets allow users to configure credentials directly through environment variables. This method is simple and effective for environments where secrets can be securely managed at the OS level.
Steps:
- Prepare the secretmanager.json with the following content:
[
{
"name": "<User provided secret manager name, e.g. secret-manager-environment>",
"type": "APP_ENV_VARIABLE_SECRETS_PROVIDER"
}
]
2. AWS Secret Manager
AWS Secret Manager provides a robust solution for managing and retrieving secrets securely. Follow the steps below to set up and configure AWS Secret Manager.
Steps:
a. Create a Secret in AWS Secret Manager. Refer to Create an AWS Secret Manager Secret.
b. Prepare the secretmanager.json with the following content:
[
{
"name": "<User provided secret manager name, e.g. secret-manager-aws>",
"type": "AWS_SECRETS_MANAGER",
"details": {
"secretName": "<Secret name created in AWS Secret Manager>",
"accessKey": "<AWS access key used to access Secret Manager>",
"secretKey": "<AWS secret key used to access Secret Manager>",
"region": "<AWS region where the secret was created, e.g. us-east-1>"
}
}
]
3. GCP Secret Manager
Google Cloud Platform's Secret Manager is another secure option for managing secrets. Follow these steps to set up and configure GCP Secret Manager.
Steps:
a. Create a Secret in GCP Secret Manager. Refer to Create a secret.
b. Prepare the secretmanager.json with the following content:
[
{
"name": "<User provided secret manager name, e.g. secret-manager-gcp>",
"type": "GCP_SECRETS_MANAGER",
"details": {
"credentialsFile": "/opt/acceldata/gcp_cred.json",
"projectId": "<Google project ID, e.g. acceldata-project>"
}
}
]
c. When using GCP, ADOC has a consistent location for file-driven credentials:
/opt/acceldata/gcp_cred.json
To update its content, edit the Kubernetes Secret gcp-cred and set the value of the key gcp_cred.json to the base64-encoded credentials file:
kubectl edit secrets gcp-cred -n <namespace>
Managing Multiple Secret Managers
If you have multiple secret managers, they can be configured in the same JSON file:
[
{
"name": "secret-manager-environment",
"type": "APP_ENV_VARIABLE_SECRETS_PROVIDER"
},
{
"name": "secret-manager-aws",
"type": "AWS_SECRETS_MANAGER",
"details": {
"secretName": "<Secret Name Created in AWS Secret Manager>",
"accessKey": "<AWS Access Key>",
"secretKey": "<AWS Secret Key>",
"region": "<AWS Region (e.g., us-east-1)>"
}
},
{
"name": "secret-manager-gcp",
"type": "GCP_SECRETS_MANAGER",
"details": {
"credentialsFile": "/opt/acceldata/gcp_cred.json",
"projectId": "acceldata-acm"
}
}
]
Applying Configuration
Edit the Kubernetes Secret secret-manager and set the value of the key secretmanager.json to the base64-encoded content of the file:
kubectl edit secret secret-manager -n <namespace>
For Automatic Flow:
- Update the deployment config from the UI: update the resources for the analysis and standalone services with the modified values so that the changes are identified and applied.
- Save and apply from the UI.
For Manual Flow:
- Update the deployment config from the UI: update the resources for the analysis and standalone services with the modified values so that the changes are identified and applied.
- Apply the patch using the manual Helm upgrade command.
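A malformed secretmanager.json (a template placeholder left in, a missing "region", or a typo in "type") is only discovered once the analysis or standalone service fails to start, after the base64 blob has already been pasted into the Kubernetes Secret. The following script is an added example, not part of this guide or of the NextGen Dataplane product: it checks a secretmanager.json against the three entry types and the "details" keys shown in the sections above, and then produces the JSON merge patch that stores the file under the secretmanager.json key of the Secret, so the base64 encoding is done by the script rather than by hand. The required-key table, the angle-bracket placeholder check, the sample values and the script name check_secretmanager.py are assumptions made for the example.

```python
import base64
import json

# Entry types documented for secretmanager.json and the "details" keys each one requires
# (assumed from the guide's templates; the environment provider needs no details).
REQUIRED_DETAILS = {
    "APP_ENV_VARIABLE_SECRETS_PROVIDER": (),
    "AWS_SECRETS_MANAGER": ("secretName", "accessKey", "secretKey", "region"),
    "GCP_SECRETS_MANAGER": ("credentialsFile", "projectId"),
}


def _looks_like_placeholder(value):
    # The guide's templates mark values to be filled in with angle brackets.
    return "<" in value or ">" in value


def validate_secretmanager_config(text):
    """Return a list of problems found in secretmanager.json text; an empty list means it is ready to apply."""
    problems = []
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["invalid JSON: %s" % exc]
    if not isinstance(entries, list):
        return ["top-level value must be a JSON array of secret manager entries"]

    names_seen = set()
    for index, entry in enumerate(entries):
        where = "entry %d" % index
        if not isinstance(entry, dict):
            problems.append("%s: must be a JSON object" % where)
            continue

        name = entry.get("name")
        if not isinstance(name, str) or not name:
            problems.append('%s: missing or empty "name"' % where)
        elif _looks_like_placeholder(name):
            problems.append('%s: "name" still contains a template placeholder: %r' % (where, name))
        elif name in names_seen:
            problems.append("%s: duplicate name %r" % (where, name))
        else:
            names_seen.add(name)

        entry_type = entry.get("type")
        if entry_type not in REQUIRED_DETAILS:
            problems.append('%s: unknown "type" %r' % (where, entry_type))
            continue

        details = entry.get("details", {})
        if not isinstance(details, dict):
            problems.append('%s: "details" must be a JSON object' % where)
            continue
        for key in REQUIRED_DETAILS[entry_type]:
            value = details.get(key)
            if not isinstance(value, str) or not value:
                problems.append("%s: details.%s is missing" % (where, key))
            elif _looks_like_placeholder(value):
                problems.append("%s: details.%s still contains a template placeholder" % (where, key))
    return problems


def kubernetes_secret_patch(key, text):
    """Build the JSON merge patch that stores `text` under `key` in a Secret's .data (base64, as kubectl expects)."""
    encoded = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return {"data": {key: encoded}}


# Constructed sample: the three provider types together, with made-up (non-real) values.
SAMPLE_CONFIG = json.dumps([
    {"name": "secret-manager-environment", "type": "APP_ENV_VARIABLE_SECRETS_PROVIDER"},
    {"name": "secret-manager-aws", "type": "AWS_SECRETS_MANAGER",
     "details": {"secretName": "dataplane-creds", "accessKey": "EXAMPLE-ACCESS-KEY",
                 "secretKey": "EXAMPLE-SECRET-KEY", "region": "us-east-1"}},
    {"name": "secret-manager-gcp", "type": "GCP_SECRETS_MANAGER",
     "details": {"credentialsFile": "/opt/acceldata/gcp_cred.json", "projectId": "example-project"}},
], indent=2)

# Constructed sample with the mistakes the validator should catch before the Secret is edited.
BROKEN_CONFIG = json.dumps([
    {"name": "<User provided secret manager name i.e. secret-manager-gcp",  # placeholder left in
     "type": "GCP_SECRETS_MANAGER",
     "details": {"credentialsFile": "/opt/acceldata/gcp_cred.json", "projectId": "example-project"}},
    {"name": "secret-manager-aws", "type": "AWS_SECRETS_MANAGER",
     "details": {"secretName": "dataplane-creds", "accessKey": "EXAMPLE-ACCESS-KEY",
                 "secretKey": "EXAMPLE-SECRET-KEY"}},  # "region" missing
    {"name": "secret-manager-aws", "type": "AWS_SECRET_MANAGER"},  # duplicate name, misspelled type
])


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/opt/acceldata/secretmanager.json"
    with open(path, encoding="utf-8") as handle:
        content = handle.read()
    found = validate_secretmanager_config(content)
    for problem in found:
        print("ERROR:", problem)
    if found:
        sys.exit(1)
    # Print the merge patch; feed it to kubectl instead of pasting base64 by hand, e.g.
    #   kubectl patch secret secret-manager -n <namespace> --type merge -p "$(python3 check_secretmanager.py)"
    print(json.dumps(kubernetes_secret_patch("secretmanager.json", content)))
```

Run it against the file before touching the Secret; a non-zero exit lists every problem found, and a clean run prints the patch body that `kubectl patch secret ... --type merge -p` accepts, which leaves no hand-encoded value to get wrong. The same validation applies to the GCP credentials file step in the sense that its Secret value is also base64 of a file, but that file's content is a Google service account key and is not checked here.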
Following the procedures outlined above allows you to securely manage and use secrets in NextGen Dataplane V2 via Environment Driven Secrets, AWS Secret Manager, or GCP Secret Manager. Choose the option that best meets your security needs and infrastructure.