Secrets Management

Overview

Secrets are sensitive data like passwords, API keys, and certificates. Never commit them to Git!

GitHub Secrets

Adding Secrets to Repository

# Using GitHub CLI
gh secret set DATABASE_URL --repo dine-together/myapp

# Interactive mode (hides input)
gh secret set API_KEY --repo dine-together/myapp

Viewing Secrets

# List secrets (names only)
gh secret list --repo dine-together/myapp

# You cannot view secret values after creation

Using in GitHub Actions

env:
  DATABASE_URL: ${{ secrets.DATABASE_URL }}
  API_KEY: ${{ secrets.API_KEY }}

Kubernetes Secrets

Creating Secrets

# From literal values
kubectl create secret generic app-secrets \
  --from-literal=api-key=your-api-key \
  --from-literal=db-password=your-password \
  --namespace=test-staging

# From file
kubectl create secret generic app-config \
  --from-file=config.json \
  --namespace=test-staging
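
The --from-literal form above puts the secret values on the command line, where they are saved in shell history. The following is an added example, not part of the original page: a hypothetical helper, render_secret, that builds the same app-secrets Secret from environment variables and prints a manifest for kubectl apply -f -. The function name and the variable names API_KEY and DB_PASSWORD are assumptions.

```shell
# Added example (hypothetical helper, not from the original page).
# Usage: render_secret NAME NAMESPACE key=ENV_VAR [key=ENV_VAR ...]
#   render_secret app-secrets test-staging \
#     api-key=API_KEY db-password=DB_PASSWORD | kubectl apply -f -
# The function body runs in a subshell, so no secret value is left behind
# in the caller's variables.
render_secret() (
  name=$1; namespace=$2; shift 2
  # Validate every mapping first so a failure emits no partial manifest.
  for pair in "$@"; do
    case $pair in
      *=*) ;;
      *) echo "bad mapping: $pair" >&2; exit 2 ;;
    esac
    key=${pair%%=*}; var=${pair#*=}
    case $key in
      ''|*[!A-Za-z0-9._-]*) echo "bad key: $key" >&2; exit 2 ;;
    esac
    # Only plain variable names reach eval below.
    case $var in
      ''|[0-9]*|*[!A-Za-z0-9_]*) echo "bad variable name: $var" >&2; exit 2 ;;
    esac
    eval "val=\${$var-}"
    [ -n "$val" ] || { echo "$var is unset or empty" >&2; exit 1; }
  done
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n'
  printf '  name: %s\n  namespace: %s\n' "$name" "$namespace"
  printf 'type: Opaque\ndata:\n'
  for pair in "$@"; do
    key=${pair%%=*}; var=${pair#*=}
    eval "val=\${$var}"
    # printf is a shell builtin, so the value is not exposed in the process
    # list. Values under data: are base64-encoded, which is an encoding and
    # not encryption.
    printf '  %s: %s\n' "$key" "$(printf '%s' "$val" | base64 | tr -d '\n')"
  done
)
```

Because the output is a complete manifest containing the encoded values, pipe it straight to kubectl rather than saving it to a file inside the repository.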

Using in Deployments

The auto-deployment system handles this automatically, but you can reference secrets in docker-compose.yml:

environment:
  - DATABASE_URL=${DATABASE_URL}
  - API_KEY=${API_KEY}

Best Practices

  1. Rotate Regularly
     - Change passwords every 90 days
     - Update API keys periodically

  2. Least Privilege
     - Only give access to what's needed
     - Use read-only credentials where possible

  3. Different Per Environment
     - Staging uses different secrets than production
     - Never share credentials between environments

Next Steps