Secrets Management¶
Use secrets for all sensitive values and keep them out of workflow YAML.
Secret Types¶
- Platform secrets (JWT keys, admin bootstrap credentials).
- Connection secrets (API keys, OAuth client secrets, passwords).
- Runtime service tokens (reload/invocation/internal auth).
Recommended Practice¶
- Store secrets in Kubernetes Secrets or an external secret manager.
- Reference secret names in connections, do not inline values.
- Rotate secrets on schedule and after incident events.
Basic Kubernetes Pattern¶
kubectl create secret generic meshflows-secrets \
--from-literal=IDENTITY_JWT_SECRET=<value> \
--namespace meshflows
Validation¶
- Ensure pods receive expected env vars.
- Confirm traces/logs mask sensitive headers and values.
- Test credential-dependent workflows after each rotation.