Application Secrets
Konstruct uses External Secrets Operator (ESO) to help your applications access cloud secrets securely.
How It Works
When you create a workload cluster in Konstruct, it automatically sets up permissions to read secrets from your cloud provider. The cluster can access:
- AWS Secrets Manager: secrets under `{cluster-name}/*`
- AWS Systems Manager Parameter Store: parameters under `/{cluster-name}/*`
Creating Secrets
- Go to your cloud provider's console (AWS Secrets Manager or Systems Manager)
- Create secrets using the naming convention `{cluster-name}/your-secret-path`
- Your applications can now reference these secrets through External Secrets
Example
For a cluster named staging-cluster:
- Create a secret in AWS Secrets Manager named `staging-cluster/database-password`
- In your application, create an External Secret that references this secret
- ESO will automatically sync the secret to your Kubernetes cluster
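The manifests for the staging-cluster example above, added here as an illustration rather than taken from Konstruct's repository; the store name, AWS region, and the ESO service account name and namespace are assumptions to replace with your cluster's values:

```yaml
# Added example, not Konstruct's own manifests. Assumed values: region us-east-1,
# store name "aws-secrets-manager", ESO service account "external-secrets" in
# namespace "external-secrets" (the account whose IAM role carries the prefix policy).
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-secrets-manager
spec:
  provider:
    aws:
      service: SecretsManager        # use ParameterStore for /{cluster-name}/* params
      region: us-east-1
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-password
  namespace: my-app                  # assumed application namespace
spec:
  refreshInterval: 1h                # how often ESO re-reads Secrets Manager
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-secrets-manager
  target:
    name: database-password          # Kubernetes Secret that ESO creates and keeps in sync
    creationPolicy: Owner
  data:
    - secretKey: password            # key inside the generated Kubernetes Secret
      remoteRef:
        key: staging-cluster/database-password   # must start with this cluster's name
```

A `remoteRef.key` without the `staging-cluster/` prefix (for example another cluster's secret) is denied by the cluster's IAM permissions, and the ExternalSecret reports the failure in its status conditions (`kubectl describe externalsecret database-password -n my-app`), which is the quickest way to confirm the isolation described under Security below.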
Security
Each cluster only has permission to read secrets that match its name prefix. This ensures workload isolation - clusters cannot access secrets from other clusters. To further refine this posture for your organization, you can adjust your ESO service account IAM permissions at https://github.com/{gh-org}/{konstruct-org-name}-gitops/blob/main/terraform/aws/modules/workload-cluster/main.tf
What's Next?
- Learn more about External Secrets Operator
- Register your first application with Konstruct and add an external secret to your automatically created helm chart