machinezone/configmapsecrets

ConfigMapSecrets

Problem

I have a config that contains a mixture of secret and non-secret data. For some reason I can't use environment variables to reference the secret data. I want to check my config into source control, keep my secret data secure, and keep my non-secret data easily readable and editable.

Solution

Use a ConfigMapSecret, which is safe to store in source control. It is like a ConfigMap that holds your non-secret data, but it can reference Secret variables, similar to how container args can reference env variables. The controller expands and renders it into a Secret in the same namespace and keeps that Secret updated to reflect changes to the ConfigMapSecret or its referenced variables.

Use SealedSecrets to keep your referenced Secret data secure.

Installation

```bash
kubectl apply -f manifest/*.yaml
```

Example

Input

```yaml
apiVersion: secrets.mz.com/v1alpha1
kind: ConfigMapSecret
metadata:
  name: alertmanager-config
  namespace: monitoring
  labels:
    app: alertmanager
spec:
  template:
    metadata:
      # optional: name defaults to same as ConfigMapSecret
      name: alertmanager-config
      labels:
        app: alertmanager
    data:
      alertmanager.yaml: |
        global:
          resolve_timeout: 5m
          opsgenie_api_key: $(OPSGENIE_API_KEY)
          slack_api_url: $(SLACK_API_URL)
        route:
          receiver: default
          group_by: ["alertname", "job", "team"]
          group_wait: 30s
          group_interval: 5m
          repeat_interval: 12h
          routes:
            - receiver: foobar-sre
              match:
                team: foobar-sre
            - receiver: widget-sre
              match:
                team: widget-sre
        receivers:
          - name: default
            slack_configs:
              - channel: unrouted-alerts
          - name: foobar-sre
            opsgenie_configs:
              - responders:
                  - name: foobar-sre
                    type: team
            slack_configs:
              - channel: foobar-sre-alerts
          - name: widget-sre
            opsgenie_configs:
              - responders:
                  - name: widget-sre
                    type: team
            slack_configs:
              - channel: widget-sre
  vars:
    - name: OPSGENIE_API_KEY
      secretValue:
        name: alertmanager-keys
        key: opsgenieKey
    - name: SLACK_API_URL
      secretValue:
        name: alertmanager-keys
        key: slackURL
---
apiVersion: v1
kind: Secret
metadata:
  name: alertmanager-keys
  namespace: monitoring
  labels:
    app: alertmanager
stringData:
  opsgenieKey: 9eccf784-bbad-11e9-9cb5-2a2ae2dbcce4
  slackURL: https://hooks.slack.com/services/EFNPN1/EVU44X/J51NVTYSKwuPtCz3
type: Opaque
```

Output

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: alertmanager-config
  namespace: monitoring
  labels:
    app: alertmanager
stringData:
  alertmanager.yaml: |
    global:
      resolve_timeout: 5m
      opsgenie_api_key: 9eccf784-bbad-11e9-9cb5-2a2ae2dbcce4
      slack_api_url: https://hooks.slack.com/services/EFNPN1/EVU44X/J51NVTYSKwuPtCz3
    route:
      receiver: default
      group_by: ["alertname", "job", "team"]
      group_wait: 30s
      group_interval: 5m
      repeat_interval: 12h
      routes:
        - receiver: foobar-sre
          match:
            team: foobar-sre
        - receiver: widget-sre
          match:
            team: widget-sre
    receivers:
      - name: default
        slack_configs:
          - channel: unrouted-alerts
      - name: foobar-sre
        opsgenie_configs:
          - responders:
              - name: foobar-sre
                type: team
        slack_configs:
          - channel: foobar-sre-alerts
      - name: widget-sre
        opsgenie_configs:
          - responders:
              - name: widget-sre
                type: team
        slack_configs:
          - channel: widget-sre
type: Opaque
```
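
The expansion step that turns the Input into the Output can be sketched as below. This is an added example, not the controller's own code: it assumes the controller follows the Kubernetes container-args rules (`$(NAME)` substitution, `$$` as an escape, unknown references left unchanged), and `Expand` and the sample values are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Expand replaces $(NAME) in tmpl with vars[NAME]. "$$" becomes a literal "$";
// an unknown $(NAME) is left untouched and its name is returned in missing.
// Assumption: the controller applies the same rules as container args.
func Expand(tmpl string, vars map[string]string) (out string, missing []string) {
	var b strings.Builder
	for i := 0; i < len(tmpl); i++ {
		c := tmpl[i]
		if c != '$' || i+1 == len(tmpl) {
			b.WriteByte(c)
			continue
		}
		switch next := tmpl[i+1]; {
		case next == '$': // escape: "$$" -> "$"
			b.WriteByte('$')
			i++
		case next == '(':
			end := strings.IndexByte(tmpl[i+2:], ')')
			if end < 0 { // unterminated reference: copy the rest verbatim
				b.WriteString(tmpl[i:])
				return b.String(), missing
			}
			name := tmpl[i+2 : i+2+end]
			if val, ok := vars[name]; ok {
				b.WriteString(val)
			} else {
				b.WriteString(tmpl[i : i+3+end])
				missing = append(missing, name)
			}
			i += 2 + end // now on ')'; the loop increment steps past it
		default:
			b.WriteByte('$')
		}
	}
	return b.String(), missing
}

func main() {
	vars := map[string]string{"SLACK_API_URL": "https://hooks.example.invalid/x"} // constructed value
	tmpl := "slack_api_url: $(SLACK_API_URL)\nopsgenie_api_key: $(OPSGENIE_API_KEY)\ncost: $$(5)\n"
	out, missing := Expand(tmpl, vars)
	fmt.Printf("%sunresolved: %v\n", out, missing)
}
```

A non-empty `missing` list is worth treating as an error before deploying: it means the rendered config still carries a literal `$(NAME)` where a credential was expected.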

About

A Kubernetes controller to manage configs with a mix of secret and non-secret data
