
Secret

Secrets providers resolve structured secret refs before the rest of the server starts. That lets provider config, OAuth app secrets, DSNs, and other sensitive values stay out of the main YAML file while still being injected into the final runtime config.

Built-in vs external secret managers

Two simple secret managers are built into gestaltd:

| Provider | How it works |
|----------|--------------|
| env      | Reads secrets from environment variables |
| file     | Reads secrets from files in a configured directory |

Cloud or vault-backed secret managers are external providers published from valon-technologies/gestalt-providers/secrets.

Configuring built-in providers

Use environment variables:

```yaml
providers:
  secrets:
    default:
      source: env
      config:
        prefix: GESTALT_
server:
  encryptionKey:
    secret:
      provider: default
      name: GESTALT_ENCRYPTION_KEY
```

Or use a directory of mounted files:

```yaml
providers:
  secrets:
    default:
      source: file
      config:
        dir: /run/secrets
```

Configuring external secret providers

```yaml
providers:
  secrets:
    google:
      source: https://artifacts.example.com/secrets/google/v0.0.1-alpha.1/provider-release.yaml
      config:
        project: my-gcp-project
```

The configured provider resolves each structured secret ref before any auth provider, plugin provider, or datastore provider receives its config.
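To make the resolution step concrete, here is an added example (not gestaltd's own code) that models the two built-in providers and walks a config tree replacing every structured `secret` ref with its value. It assumes the env provider's `prefix` scopes which variables a ref may name, and that the file provider reads one flat file per secret under `dir`; both are assumptions, not documented behaviour.

```python
# Added example, not gestaltd code: env/file providers resolving {secret: {provider, name}} refs.
from pathlib import Path
from typing import Any, Callable, Mapping

Resolver = Callable[[str], str]

def make_env_resolver(prefix: str, environ: Mapping[str, str]) -> Resolver:
    """Env provider. Assumption: `prefix` scopes which variables a ref may name."""
    def resolve(name: str) -> str:
        if not name.startswith(prefix):
            raise ValueError(f"secret {name!r} is outside prefix {prefix!r}")
        if name not in environ:
            raise KeyError(f"environment variable {name!r} is not set")
        return environ[name]
    return resolve

def make_file_resolver(directory: str) -> Resolver:
    """File provider. Assumption: one flat file per secret, named by the ref."""
    base = Path(directory)
    def resolve(name: str) -> str:
        # Accept a single path component only, so a ref cannot escape the mount.
        if name in ("", ".", "..") or Path(name).name != name:
            raise ValueError(f"secret name {name!r} is not a plain file name")
        return (base / name).read_text().rstrip("\n")
    return resolve

def build_resolvers(config: dict, environ: Mapping[str, str]) -> dict[str, Resolver]:
    """One resolver per alias under providers.secrets (built-in sources only)."""
    resolvers: dict[str, Resolver] = {}
    for alias, spec in config.get("providers", {}).get("secrets", {}).items():
        cfg = spec.get("config", {})
        if spec["source"] == "env":
            resolvers[alias] = make_env_resolver(cfg.get("prefix", ""), environ)
        elif spec["source"] == "file":
            resolvers[alias] = make_file_resolver(cfg["dir"])
        else:
            raise ValueError(f"external source {spec['source']!r} not modelled here")
    return resolvers

def resolve_refs(node: Any, resolvers: dict[str, Resolver]) -> Any:
    """Replace every {"secret": {"provider": p, "name": n}} node with its value."""
    if isinstance(node, dict):
        if set(node) == {"secret"}:
            ref = node["secret"]
            return resolvers[ref["provider"]](ref["name"])
        return {k: resolve_refs(v, resolvers) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, resolvers) for v in node]
    return node
```

Run `resolve_refs(config, build_resolvers(config, os.environ))` on the parsed YAML; a ref that names a variable outside the prefix, or a file name with path separators, is rejected rather than resolved.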

First-party external secret providers

| Provider |
|----------|
| github.com/valon-technologies/gestalt-providers/secrets/aws |
| github.com/valon-technologies/gestalt-providers/secrets/azure |
| github.com/valon-technologies/gestalt-providers/secrets/google |
| github.com/valon-technologies/gestalt-providers/secrets/vault |

See each provider directory for its config schema and backend-specific settings.

Building your own secrets provider

Implementation details for custom secrets providers now live under Custom Providers > Secret.