From 5d29aff2b1f11a160417c03484fafde971bc309c Mon Sep 17 00:00:00 2001 From: rahulshendre Date: Tue, 6 Jan 2026 22:06:44 +0530 Subject: [PATCH 1/3] ADD managingApp/secret-management Signed-off-by: rahulshendre --- .../managing-application/secret-management.md | 124 ++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 docs/content/en/docs-v1.0.x/user-guide/managing-application/secret-management.md diff --git a/docs/content/en/docs-v1.0.x/user-guide/managing-application/secret-management.md b/docs/content/en/docs-v1.0.x/user-guide/managing-application/secret-management.md new file mode 100644 index 0000000000..5aa6100e53 --- /dev/null +++ b/docs/content/en/docs-v1.0.x/user-guide/managing-application/secret-management.md 
@@ -0,0 +1,124 @@ +--- +title: "Secret management" +linkTitle: "Secret management" +weight: 9 +description: > + Storing secrets safely in the Git repository. +--- + +When doing GitOps, you want to use Git as a single source of truth. However, storing credentials like Kubernetes Secrets or Terraform credentials directly in Git is not safe. + +This feature allows you to keep sensitive information safely in Git, right next to your application manifests. + +The basic flow works as follows: + +- You encrypt your secret data via PipeCD's Web UI and store the encrypted data in Git +- `piped` decrypts them before performing deployment tasks + +## Prerequisites + +Before using this feature, `piped` needs to be started with a key pair for secret encryption. + +You can use the following command to generate a key pair: + +``` console +openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private-key +openssl pkey -in private-key -pubout -out public-key +``` + +Then specify them while [installing](../../../installation/install-piped/installing-on-kubernetes) `piped` with these options: + +``` console +--set-file secret.data.secret-public-key=PATH_TO_PUBLIC_KEY_FILE \ +--set-file secret.data.secret-private-key=PATH_TO_PRIVATE_KEY_FILE +``` + +Finally, enable this feature in the Piped configuration file with the `secretManagement` field as below: + +``` yaml +apiVersion: pipecd.dev/v1beta1 +kind: Piped +spec: + pipedID: your-piped-id + ... + secretManagement: + type: KEY_PAIR + config: + privateKeyFile: /etc/piped-secret/secret-private-key + publicKeyFile: /etc/piped-secret/secret-public-key +``` + +## Encrypting secret data + +To encrypt secret data, navigate to the Applications page and click the "Encrypt Secret" button located in the top-left corner. Then, select a piped from the dropdown list, enter your secret data, and click the "ENCRYPT" button. +The encrypted data is displayed for you. Copy it to store in Git. 
+ +![Sealed Secret Button](/images/sealed-secret-button.png) +

+Applications page +

+ +
+ +![Sealed Secret Encrypting Drawer Form](/images/sealed-secret-encrypting-drawer-form.png) +

+The form for encrypting secret data +

+ +## Storing encrypted secrets in Git + +To make encrypted secrets available to an application, specify them in the application configuration file of that application. + +- `encryptedSecrets` contains a list of the encrypted secrets. +- `decryptionTargets` contains a list of files that use one of the encrypted secrets and should be decrypted by `piped`. + +``` yaml +apiVersion: pipecd.dev/v1beta1 +# One of Piped defined app, for example: using the Kubernetes plugin +kind: Application +spec: + encryption: + encryptedSecrets: + password: encrypted-data + decryptionTargets: + - secret.yaml +``` + +## Accessing encrypted secrets + +Any file in the application directory can use the `.encryptedSecrets` context to access secrets you have encrypted and stored in the application configuration. + +For example: + +- Accessing by a Kubernetes Secret manifest + +``` yaml +apiVersion: v1 +kind: Secret +metadata: + name: simple-sealed-secret +data: + password: "{{ .encryptedSecrets.password }}" +``` + +- Configuring an ENV variable of a Lambda function to use an encrypted secret + +``` yaml +apiVersion: pipecd.dev/v1beta1 +kind: LambdaFunction +spec: + name: HelloFunction + environments: + KEY: "{{ .encryptedSecrets.key }}" +``` + +In all cases, `piped` decrypts the encrypted secrets and renders the decryption target files before using them to handle any deployment tasks. + + + From 114aaa6e8faeb767fada38d2f3528be5d11c8711 Mon Sep 17 00:00:00 2001 From: rahulshendre Date: Sun, 11 Jan 2026 12:16:53 +0530 Subject: [PATCH 2/3] Enchance wording Signed-off-by: rahulshendre --- .../managing-application/secret-management.md | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/docs/content/en/docs-v1.0.x/user-guide/managing-application/secret-management.md b/docs/content/en/docs-v1.0.x/user-guide/managing-application/secret-management.md index 5aa6100e53..dd0ffe7294 100644 
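Review bot: the Kubernetes Secret example under "Accessing encrypted secrets" renders the decrypted value into `data.password`, but Kubernetes requires every value under `data` to be base64-encoded, so the rendered manifest is rejected unless the text typed into the Encrypt Secret form was already base64. Either state that the plaintext must be base64-encoded before it is encrypted, or change the example to `stringData:`, which accepts the raw value. Two smaller points in the same hunk: "Any file in the application directory can use the `.encryptedSecrets` context" overstates it, because only the files listed in `decryptionTargets` are rendered, so say "any file listed in `decryptionTargets`"; and Prerequisites should say that the private key must never be committed (only piped needs it, passed via `--set-file secret.data.secret-private-key`) and that ciphertext produced for the piped selected in the form can only be decrypted by that piped's key pair, so rotating a piped's keys means re-encrypting its secrets.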
--- a/docs/content/en/docs-v1.0.x/user-guide/managing-application/secret-management.md +++ b/docs/content/en/docs-v1.0.x/user-guide/managing-application/secret-management.md @@ -6,14 +6,9 @@ description: > Storing secrets safely in the Git repository. --- -When doing GitOps, you want to use Git as a single source of truth. However, storing credentials like Kubernetes Secrets or Terraform credentials directly in Git is not safe. +GitOps workflows use Git as the single source of truth for application configurations. Storing sensitive data such as credentials, API keys, and secrets directly in Git repositories poses security risks. -This feature allows you to keep sensitive information safely in Git, right next to your application manifests. - -The basic flow works as follows: - -- You encrypt your secret data via PipeCD's Web UI and store the encrypted data in Git -- `piped` decrypts them before performing deployment tasks +PipeCD's secret management feature allows you to store encrypted secrets in your Git repository alongside application manifests. The encrypted secrets are decrypted by `piped` during deployment operations. ## Prerequisites @@ -48,10 +43,17 @@ spec: publicKeyFile: /etc/piped-secret/secret-public-key ``` +## How it works + +The secret management workflow is as follows: + +- Encrypt secret data using PipeCD's Web UI and store the encrypted data in Git +- `piped` automatically decrypts the encrypted secrets before performing deployment tasks + ## Encrypting secret data To encrypt secret data, navigate to the Applications page and click the "Encrypt Secret" button located in the top-left corner. Then, select a piped from the dropdown list, enter your secret data, and click the "ENCRYPT" button. -The encrypted data is displayed for you. Copy it to store in Git. +Copy the encrypted data to store in Git. ![Sealed Secret Button](/images/sealed-secret-button.png)

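Review bot: the new intro sentence "poses security risks" is vaguer than the text it replaces; name the risk, e.g. "anyone with read access to the repository, including its history, can read them", since that is what motivates the feature and what the encrypted form protects against.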
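Review bot: the new "How it works" section lands after the key pair has already been configured, so a first-time reader meets `KEY_PAIR`, `privateKeyFile` and `publicKeyFile` before being told which side uses which key. Either move it above Prerequisites or have its two bullets name the keys: the Web UI encrypts with the public key belonging to the piped you select, and that piped decrypts with the private key referenced in `secretManagement.config`. Also, "`piped` automatically decrypts the encrypted secrets" should add "in the files listed in `decryptionTargets`", otherwise readers expect every manifest to be rendered.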
@@ -67,7 +69,7 @@ The form for encrypting secret data ## Storing encrypted secrets in Git -To make encrypted secrets available to an application, specify them in the application configuration file of that application. +To make encrypted secrets available to an application, specify them in the application configuration file. - `encryptedSecrets` contains a list of the encrypted secrets. - `decryptionTargets` contains a list of files that use one of the encrypted secrets and should be decrypted by `piped`. From 296ffb0b01d6fb5f6dd852d5213945a9b18705a5 Mon Sep 17 00:00:00 2001 From: rahulshendre Date: Mon, 12 Jan 2026 23:05:30 +0530 Subject: [PATCH 3/3] removed lambda fuction Signed-off-by: rahulshendre --- .../managing-application/secret-management.md | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/docs/content/en/docs-v1.0.x/user-guide/managing-application/secret-management.md b/docs/content/en/docs-v1.0.x/user-guide/managing-application/secret-management.md index dd0ffe7294..42c8b04bfd 100644 --- a/docs/content/en/docs-v1.0.x/user-guide/managing-application/secret-management.md +++ b/docs/content/en/docs-v1.0.x/user-guide/managing-application/secret-management.md @@ -103,24 +103,12 @@ data: password: "{{ .encryptedSecrets.password }}" ``` -- Configuring an ENV variable of a Lambda function to use an encrypted secret - -``` yaml -apiVersion: pipecd.dev/v1beta1 -kind: LambdaFunction -spec: - name: HelloFunction - environments: - KEY: "{{ .encryptedSecrets.key }}" -``` - In all cases, `piped` decrypts the encrypted secrets and renders the decryption target files before using them to handle any deployment tasks.
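Review bot: the unchanged context line under the reworded sentence still says "`encryptedSecrets` contains a list of the encrypted secrets", but the example that follows (`password: encrypted-data`) is a map from secret name to ciphertext, and those names are what `.encryptedSecrets.<name>` refers to later on the page. Since this hunk already touches the paragraph, change it to "`encryptedSecrets` maps a secret name to its encrypted value"; `decryptionTargets` is the one that is a list.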
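Review bot: with the Lambda example removed, the remaining context line "In all cases, `piped` decrypts the encrypted secrets..." now follows a single example, so reword it to something like "Whichever file is listed as a decryption target, `piped` decrypts...". If the example was dropped because `kind: LambdaFunction` no longer matches the `kind: Application` form used earlier on the page, the commit message should say so; a second decryption target of any kind is still worth keeping so readers see that the `.encryptedSecrets` context is not specific to Kubernetes manifests.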