SYS-120: Add documentation for secrets management

brightsparklabs · Feb 6, 2025 · 440d601 · 440d601
1 parent cd24ba0
commit 440d601
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@ The changelog is applicable from version `1.0.0` onwards.
 ### Added
 
 - AF-258: Add `--preset` options for `configure init`.
+- SYS-120: Add doco for handling secrets.
 
 ### Changed
 

diff --git a/README.md b/README.md
@@ -392,6 +392,25 @@ foo.yaml                     # -> Config-file ; Copy-on-apply
 foo.yaml.appcli.schema.json  # -> Schema-file ; Ignore-on-apply
 ```
 
+### Secrets management
+
+Sensitive values can be encrypted inside the `settings.yml` file and then decrypted during deployment.
+
+```bash
+# Automatically encrypt and set.
+./myapp configure set -e "path.to.field" "my-secret-value"
+
+# Manually encrypt and set.
+./myapp encrypt "my-secret-value" # Returns `enc:id=X:....`
+./myapp configure edit # Set the above value to the field.
+```
+
+Any secret values set will be automatically decrypted by APPCLI (using the `conf/key` key)
+to temporary files just before deployment.
+
+NOTE: Secret management is currently not available for the `HelmOrchestrator`.
+Any secret objects should be pre-loaded in the kubernetes cluster.
+
 ## Configure application backup
 
 Appcli's `backup` command creates backups of configuration and data of an application, stored
@@ -963,7 +982,7 @@ usage: `./myapp configure [OPTIONS] COMMAND [ARGS]`
 | get        | Reads a setting from the configuration.                                                                                   |
 | get-secure | Reads a setting from the configuration, decrypting if it is encrypted. This will prompt for the setting key.              |
 | init       | Initialises the configuration directory.                                                                                  |
-| set        | Saves a setting to the configuration. Allows setting the type of value with option `--type`, and defaults to string type. |
+| set        | Saves a setting to the configuration. Allows setting the type of value with option `--type`, and defaults to string type. Use `-e` to encrypt the value when setting. |
 | template   | Configures the baseline templates.                                                                                        |
 | edit       | Open the settings file for editing with vim-tiny.                                                                         |