docs/reference/secrets.md
Lines changed: 25 additions & 4 deletions
@@ -73,7 +73,7 @@ functions:
73
73
- database-connections
74
74
```
75
75
76
-
## Example of using a secret
76
+
## How to consume a secret
77
77
78
78
Create a new function with the `python3-http` template:
79
79
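Review bot: renaming the heading "Example of using a secret" to "How to consume a secret" also changes the anchor the docs site generates for it, so any existing link to the old heading (within this page or elsewhere under docs/) should be updated to point at the new heading text in the same commit.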
@@ -170,8 +170,29 @@ HTTP/2 200
170
170
Hello from OpenFaaS
171
171
```
172
172
173
-
## Secrets and Infrastructure as Code (IaaC)
173
+
## How to update a secret
174
174
175
-
You can manage secrets through Git repositories using the [SealedSecrets project from Bitnami](https://github.com/bitnami-labs/sealed-secrets). This approach enables GitOps or Infrastructure as Code (IaaC) - a public key is used to encrypt your secret files and literal values, which is then decrypted by a controller in the cluster using a separate private key.
175
+
If you need to update a secret for a function, you can use the `faas-cli secret update` command:
176
+
177
+
```bash
178
+
faas-cli secret update protected-api-token \
179
+
--from-file=protected-api-token.txt
180
+
```
181
+
182
+
The kubelet component of Kubernetes monitors changes in secrets and updates the contents of the files mounted into any Function Pods. It can take anywhere between a few seconds and minutes for new secrets to be rolled out by the kubelet, there is no way to speed this up this process, other than restarting the Deployment or Pod for the Function, which is not recommended.
183
+
184
+
For faasd users, the file will be updated immediately.
185
+
186
+
In order to take advantage of update secrets, you should either:
187
+
188
+
* Read the secret from disk every time you require it
189
+
* Use an fsnotify library to watch for changes, and re-read the secret at that time.
190
+
191
+
## Automated secrets
192
+
193
+
There are various options for managing secrets in a more automated way, such as:
194
+
195
+
You can manage secrets through Git repositories using the [SealedSecrets project from Bitnami](https://github.com/bitnami-labs/sealed-secrets). This approach enables GitOps or Infrastructure as Code (IaaC) - a public key is used to encrypt your secret files and literal values, which is then decrypted by a controller in the cluster using a separate private key. The [SOPS project](https://github.com/getsops/sops) originally created by Mozilla provides an alterantive to SealedSecrets and can also be used to encrypt secrets for storage in Git.
196
+
197
+
Another popular option is to use AWS Secrets Manager, Hashicorp Vault directly, or a cloud-based keystore using the Open Source [External Secrets Operator](https://external-secrets.io/latest/). The External Secrets Operator will read secrets from cloud-based key stores and inject them into Kubernetes secrets, which can then be used as normal by functions.
176
198
177
-
Another popular option is to use AWS Secrets Manager, without Git with the open source [External Secrets Operator](https://external-secrets.io/latest/).
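Review bot: the new paragraph beginning "The kubelet component of Kubernetes" has a garbled clause, "there is no way to speed this up this process", and joins two sentences with a comma; suggest splitting it: "It can take anywhere between a few seconds and several minutes for the kubelet to roll out new secrets. There is no way to speed up this process other than restarting the Deployment or Pod for the Function, which is not recommended." Three smaller fixes in the same hunk: "In order to take advantage of update secrets" should read "updated secrets"; "alterantive" in the SealedSecrets paragraph should be "alternative"; and "There are various options for managing secrets in a more automated way, such as:" ends in a colon but is followed by prose paragraphs rather than a list, so either drop the colon or present the SealedSecrets/SOPS and External Secrets Operator options as bullet items, matching the two bullets under "How to update a secret".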