Skip to content

Secrets Management

Use secrets for all sensitive values and keep them out of workflow YAML.

Secret Types

  • Platform secrets (JWT keys, admin bootstrap credentials).
  • Connection secrets (API keys, OAuth client secrets, passwords).
  • Runtime service tokens (reload/invocation/internal auth).
  • Store secrets in Kubernetes Secrets or an external secret manager.
  • Reference secret names in connections, do not inline values.
  • Rotate secrets on schedule and after incident events.

Basic Kubernetes Pattern

kubectl create secret generic meshflows-secrets \
    --from-literal=IDENTITY_JWT_SECRET=<value> \
    --namespace meshflows

Validation

  • Ensure pods receive expected env vars.
  • Confirm traces/logs mask sensitive headers and values.
  • Test credential-dependent workflows after each rotation.