feat: update secret docs and labs (#135)

Author: ferruhcihan

docs/for-devs/console/code-repositories.md

@@ -44,7 +44,7 @@ All registered code repositories of the Team are listed here.
 
 2. Optionally: Select `Private` If the repository in GitHub is private.
 
-3. Optionally: Select a secret that contains the authentication credentials. Only Sealed Secrets of type `basic-auth` and `ssh-auth` will be shown. If no secret is available, then first [create a Sealed Secret](sealed-secrets.md).
+3. Optionally: Select a secret that contains the authentication credentials. Only secrets of type `basic-auth` and `ssh-auth` will be shown. If no secret is available, then first [create a secret](secrets.md).
 
 4. Optionally: Test the connection to see if the authentication credentials are valid and App Platform can use the credentials to access the private repository.
 
@@ -57,7 +57,7 @@ All registered code repositories of the Team are listed here.
 
 2. Optionally: Select `Private` If the repository in GitLab is private.
 
-3. Optionally: Select a secret that contains the authentication credentials. Only Sealed Secrets of type `basic-auth` and `ssh-auth` will be shown. If no secret is available, then first [create a Sealed Secret](sealed-secrets.md).
+3. Optionally: Select a secret that contains the authentication credentials. Only secrets of type `basic-auth` and `ssh-auth` will be shown. If no secret is available, then first [create a secret](secrets.md).
 
 4. Optionally: Test the connection to see if the authentication credentials are valid and App Platform can use the credentials to access the private repository.
 

docs/for-devs/console/overview.md

@@ -19,7 +19,7 @@ Self-service section:
 - [Catalog](catalog.md): The Helm charts available for the Team in the Catalog.
 - [Code Repositories](code-repositories.md): A self-service form to register code repositories to App Platform and use them to create Container Images.
 - [Container Images](container-images.md): A self-service form to create container images from registered Code Repositories.
-- [Sealed Secrets](sealed-secrets.md): A self-service form to create Sealed Secrets.
+- [Secrets](secrets.md): A self-service form to create a secret using Sealed Secrets.
 - [Workloads](workloads.md): A self-service form to create Workloads.
 - [Network Policies](netpols.md): A self-service form to create Network Policies.
 - [Services](services.md): A self-service form to create Services to publicly expose deployed Workloads.

docs/for-devs/console/sealed-secrets.md renamed to docs/for-devs/console/secrets.md

@@ -1,69 +1,46 @@
 ---
 slug: secrets
 title: Team Secrets
-sidebar_label: Sealed Secrets
+sidebar_label: Secrets
 ---
 
-Sealed Secrets are encrypted Kubernetes Secrets. The encrypted secrets are stored in the Values Git repository. When a Sealed Secrets secret is created in the Console, the Kubernetes Secret will appear in the Team's namespace and can be used as you would use any secret that you would have created directly.
+Secrets in the Console are securely encrypted and stored in your Values Git repository using Sealed Secrets. When you create a secret in the Console, it generates a standard Kubernetes Secret in your Team's namespace that can be used like any other Kubernetes secret.
 
-7 types of secrets are supported:
+6 types of secrets are supported:
 
 - Opaque
-- Service Account Token
 - Docker Config
 - Docker Config Json
 - Basic Auth
 - SSH Auth
 - TLS
 
-## Create a Sealed Secret
+## Create a Secret
 
-1. Provide a name for the Sealed Secret. The Kubernetes secret will have the same name.
+1. Provide a name for the Secret. The Kubernetes secret will have the same name.
 
-2. Select `Immutable` if the data of the Sealed Secret (and the Kubernetes secret) can not be updated after the Sealed Secret has been created. When the Sealed Secret is Immutable, only the metadata can be modified after creation.
+2. Select `Immutable` if the data of the secret (and the Kubernetes secret) can not be updated after the secret has been created. When the secret is Immutable, only the metadata can be modified after creation.
 
 3. Select the Type:
 
 ### Opaque secret
 
 Opaque is the default secret type in Kubernetes. Read more about Opaque secrets [here](https://kubernetes.io/docs/concepts/configuration/secret/#opaque-secrets).
 
-4. Add the `Encrypted data`:
+4. Add the `Secret data`:
 
 | Key     | Value                                     | 
 | ------- | ----------------------------------------- |
 | Name of the Key | The value of the data item        |
 
 5. Add more data items if needed.
 
-:::note
-The secret value will only be visible at the time of creation or once it has been successfully synchronized with the cluster.
-:::
-
-### Service Account Token secret
-
-| Key     | Value                                     | 
-| ------- | ----------------------------------------- |
-| extra   | The token                                 |
-
-See [here](https://kubernetes.io/docs/concepts/configuration/secret/#serviceaccount-token-secrets") for more information about service account token secrets.
-
-You need to ensure that the `kubernetes.io/service-account.name` annotation is set to an existing ServiceAccount name. See the [metadata](#metadata) section for adding annotations.
-
-:::note
-The secret value will only be visible at the time of creation or once it has been successfully synchronized with the cluster.
-:::
-
 ### Docker Config secret
 
 | Key          | Value                                     | 
 | ------------ | ----------------------------------------- |
 | .dockercfg   | a .dockerconfigjson key for which the value is the content of a base64 encoded `~/.docker/config.json` file |
 
-:::note
-The secret value will only be visible at the time of creation or once it has been successfully synchronized with the cluster.
-:::
-
 ### Docker Config Json secret
 
 | Key          | Value                                     | 
@@ -95,31 +72,19 @@ password="" # your password, can be token
 kubectl create secret docker-registry --dry-run=client regcred --docker-email=$email --docker-server=$server --docker-username=$username --docker-password=$password -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode
 ```
 
-:::note
-The secret value will only be visible at the time of creation or once it has been successfully synchronized with the cluster.
-:::
-
 ### Basic Auth secret
 
 | Key          | Value                                     | 
 | ------------ | ----------------------------------------- |
 | username     | a username                                |
 | password     | a password                                |
 
-:::note
-The secret value will only be visible at the time of creation or once it has been successfully synchronized with the cluster.
-:::
-
 ### SSH Auth secret
 
 | Key          | Value                                     | 
 | ------------ | ----------------------------------------- |
 | ssh-privatekey    | a `ssh-privatekey` key-value pair in the data field as the SSH credential to use |
 
-:::note
-The secret value will only be visible at the time of creation or once it has been successfully synchronized with the cluster.
-:::
-
 ### TLS secret
 
 
@@ -129,18 +94,18 @@ The secret value will only be visible at the time of creation or once it has bee
 | tls.key | The private key certificate content       |
 
 :::note
-The secret value will only be visible at the time of creation or once it has been successfully synchronized with the cluster.
+The secret value will only be visible at the time of creation. After creation, the value field will display asterisks `****` to indicate the data is encrypted and cannot be revealed through the interface, though it can be overwritten. To overwrite the secret, click on the lock `🔒` icon next to the value field, enter the new secret value, and click on `Save Changes`.
 :::
 
 
 ## Metadata
 
 Adding metadata is optional.
 
-Add the following standard metadata to the sealed-secret:
+Add the following standard metadata to the secret:
 
+- `Labels`. See [here](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) for more information about labels
 - `Annotations`. See [here](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) for more information about annotations
 - `Finalizers`. See [here](https://kubernetes.io/docs/concepts/overview/working-with-objects/finalizers/) for more information about finalizers
-- `Labels`. See [here](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) for more information about labels
 
-Click on `+ Add Item` and add a key-value pair.
+Click the corresponding add button (`+Add Labels`, `+Add Annotations` or `+Add Finalizers`) to add key-value pairs.

docs/for-devs/security-best-practices.md

@@ -6,7 +6,7 @@ sidebar_label: Security Best Practices
 
 In addition to the out-of-the-box security capabilities provides by App Platform, it is a responsibility of Teams to keep their applications safe from bad actors. Here is a list of security best-practices Teams should implement:
 
-1. Use [secrets](../for-devs/console/sealed-secrets.md) to secure sensitive data and use a `secretKeyRef` to map an environment variable to the secret data.
+1. Use [secrets](../for-devs/console/secrets.md) to secure sensitive data and use a `secretKeyRef` to map an environment variable to the secret data.
 
 2. Drop `ALL` or specific capabilities in the Pod or container `SecurityContext` to ensure all (unused) capabilities are disabled.
 

docs/for-ops/console/team-admin-overview.md

@@ -13,7 +13,7 @@ Self-service section:
 - [Catalog](team-admin-catalog.md): The Helm charts available for platform administrators to install in any namespace
 - [Code Repositories](team-admin-code-repositories.md): A self-service form for platform administrators to register code repositories.
 - [Container Images](team-admin-container-images.md): A self-service form for platform administrators to create container images from registered code repositories.
-- [Sealed Secrets](team-admin-sealed-secrets.md): A self-service form for platform administrators to create Sealed Secrets.
+- [Secrets](team-admin-secrets.md): A self-service form for platform administrators to create a secret using Sealed Secrets.
 - [Workloads](team-admin-workloads.md): A self-service form to create for platform administrators Workloads in any namespace.
 - [Network Policies](team-admin-netpols.md): A self-service form for platform administrators to create Network Policies (in the `team-admin` namespace only).
 - [Services](team-admin-services.md): A self-service form for platform administrators to create Services to expose endpoints (`ClusterIP` services) from any namespace.

docs/for-ops/console/team-admin-sealed-secrets.md

@@ -0,0 +1,9 @@
+---
+slug: team-admin-secrets
+title: Team Admin Secrets
+sidebar_label: Secrets
+---
+
+The Secrets self-service feature for the Team Admin is the same as for regular teams. Secrets can only be created in the `team-admin` namespace using Sealed Secrets. See [here](../../for-devs/console/secrets.md) for more information about Secrets.
+
+

docs/for-ops/console/team-admin-secrets.md

@@ -0,0 +1,83 @@
+---
+slug: create-secrets
+title: Create Secrets
+sidebar_label: Create Secrets
+---
+
+In this lab we will create a secret using Sealed Secrets and see how to securely store sensitive information in a git repository.
+
+## Creating a Secret
+
+1. Click on the `Secrets` in the sidebar.
+
+2. Click on `Create Secret`. This will take you to the page where you can create a secret.
+
+3. Fill in a name for your secret. In this lab we will use the name `secret-credentials`
+
+4. Select the secret type. In this lab we will create a secret of type `kubernetes.io/opaque`.
+
+5. Click on `+Add another` so you can fill in two key-value pairs
+
+6. In the `Secret data` section. Add the following key-value pairs:
+
+- `key=password value=helloworld`
+- `key=username value=labs-user`
+
+![Create secret](../../img/create-secret.png)
+
+7. Click on `Create Secret`.
+
+:::note
+The secret value will only be visible at the time of creation. After creation, the value field will display asterisks `****` to indicate the data is encrypted and cannot be revealed through the interface, though it can be overwritten. To overwrite the secret, click on the lock `🔒` icon next to the value field, enter the new secret value, and click on `Save Changes`.
+:::
+
+![Created secret](../../img/created-secret.png)
+![Edit secret](../../img/created-secret-edit.png)
+
+## Checking the GIT repository
+
+Now go to Gitea and check the `otomi/values` repository. You will see that under `values/env/teams/<team-name>/sealedsecrets/secret-credentials.yaml` the secret is stored in yaml, but the values are encrypted.
+
+![Repository secret](../../img/repository-secret.png)
+
+## Checking the Kubernetes secret
+
+The only way to see the values of the secret is to decrypt the secret. The secret values are stored as base64 encoded values. In the left menu click on Shell and run the following command:
+
+```bash
+kubectl get secret secret-credentials -o yaml -n team-labs
+```
+
+This wil return the secret in yaml format. The values are stored as base64 encoded values.
+
+```yaml
+apiVersion: v1
+data:
+  password: aGVsbG93b3JsZA==
+  username: bGFicy11c2Vy
+kind: Secret
+metadata:
+  creationTimestamp: '2025-11-11T13:44:16Z'
+  name: secret-credentials
+  namespace: team-labs
+  ownerReferences:
+    - apiVersion: bitnami.com/v1alpha1
+      controller: true
+      kind: SealedSecret
+      name: secret-credentials
+      uid: fc1014f6-0212-49f7-a95d-c4169e053b60
+  resourceVersion: '240057431'
+  uid: b76d6944-fa91-4392-ba4c-80e3e07c7e82
+type: kubernetes.io/opaque
+```
+
+If you want to decode the secret you can use `base64 --decode`. Run the following command:
+
+```bash
+kubectl get secret secret-credentials -n team-labs -o jsonpath="{.data.password}" | base64 --decode
+```
+
+Expected output:
+```
+helloworld
+```

docs/get-started/labs/create-sealed-secrets.md

@@ -32,7 +32,7 @@ Welcome to the Akamai App Platform labs! We recommend reviewing these labs to le
 
 **Create workloads**
 
-### [Create Sealed secrets](create-sealed-secrets.md)
+### [Create secrets](create-secrets.md)
 
 ### [Create Kubernetes resources with Argo CD](using-argo-cd.md)