Secrets
Secrets are referenced, never stored: pagifier.yaml names where a
secret lives; the platform materializes it into the pod. Secret values
never pass through Pagifier's API, database, or logs.
Environment variables from a secret manager
secrets:
provider: aws # kubernetes | aws | vault | external-secrets
keys:
DATABASE_URL: prod/api/database-url
JWT_SECRET: prod/api/jwt-secret
For every provider except kubernetes, Pagifier renders an
ExternalSecret (External Secrets Operator) that materializes the app's
Kubernetes Secret and keeps it refreshed:
storeRefnames the ClusterSecretStore to read from; it defaults topagifier-<provider>, provisioned by the platform team.refreshIntervalcontrols rotation pickup (default1h). Rotated values reach pods without a redeploy.
The Deployment references the resulting Secret by key, so each keys entry
becomes an environment variable.
With provider: kubernetes, no ExternalSecret is rendered — the Secret
named <app>-secrets is expected to exist in the namespace already.
Secret files
Mount a secret as a file instead of an environment variable:
secretFiles:
firebase.json:
source: vault://secret/firebase
mountPath: /app/firebase.json
Secret files project through the same ExternalSecret and mount read-only at
their mountPath.
Basic-auth users
authentication: basic protects the app with an htpasswd file from a
Kubernetes Secret you control:
authentication:
enabled: true
type: basic
usersSecret: admin-basic-auth # secret with an htpasswd key
What the platform guarantees
- Pods run with no service-account token and a read-only root filesystem; secrets are the only sensitive material inside.
- Secret names and key mappings appear in the resolved config snapshot; secret values never do.
- Rotation is pull-based via the ExternalSecret refresh interval — no Pagifier involvement in the rotation path.