
Secrets and Secret Providers

Greyhound integrates with AWS Secrets Manager and Kubernetes secrets to provide secure credential delivery to your workloads. Greyhound never stores secrets; it references them from your cloud provider.

Secret Providers (CSI)

The recommended approach for sensitive credentials is CSI SecretProviderClass. This mounts secrets as files inside your pod without exposing them in deployment specs:

secretproviders:
- name: db-creds-provider
  region: us-east-1
  secretObjects:
  - secretName: db-credentials
    secretObjectProviderType: secretsmanager
    type: kubernetes.io/basic-auth
    objectName: prod/myapp/db

Services and jobs can then reference these secrets:

services:
- name: api
  image_from_build: api-build
  secrets:
  - secretName: db-credentials
    secretObjectProviderType: secretsmanager
    type: kubernetes.io/basic-auth
    objectName: prod/myapp/db
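
A service reference repeats the fields of the provider entry, so a typo or a stale objectName can point a workload at the wrong secret. The following is an added example, not Greyhound's own code: a pre-deploy lint that checks each service's secrets entry against the secretproviders section. It assumes the config is already parsed into dicts and that a reference is meant to match the declaration field for field; the worker service and the helper names are hypothetical.

```python
# Added example (not Greyhound code): lint service secret references against
# the secretproviders section. Input is the config already parsed into dicts.
FIELDS = ("secretObjectProviderType", "type", "objectName")

def lint_secret_refs(config):
    """Return findings; an empty list means every reference resolves cleanly."""
    declared = {}
    for provider in config.get("secretproviders", []):
        for obj in provider.get("secretObjects", []):
            declared[obj["secretName"]] = (provider["name"], obj)
    findings = []
    for service in config.get("services", []):
        for ref in service.get("secrets", []):
            name = ref.get("secretName")
            if name not in declared:
                findings.append(f"{service['name']}: '{name}' is not declared by any provider")
                continue
            provider_name, obj = declared[name]
            for field in FIELDS:
                if ref.get(field) != obj.get(field):
                    findings.append(
                        f"{service['name']}: '{name}' {field} is {ref.get(field)!r}, "
                        f"but {provider_name} declares {obj.get(field)!r}")
    return findings

# Constructed sample: the provider entry from this page plus two services.
DB = {"secretName": "db-credentials", "secretObjectProviderType": "secretsmanager",
      "type": "kubernetes.io/basic-auth", "objectName": "prod/myapp/db"}
SAMPLE = {
    "secretproviders": [
        {"name": "db-creds-provider", "region": "us-east-1", "secretObjects": [DB]},
    ],
    "services": [
        {"name": "api", "secrets": [dict(DB)]},  # matches the declaration
        {"name": "worker", "secrets": [          # hypothetical second service
            dict(DB, objectName="staging/myapp/db"),   # drifted objectName
            dict(DB, secretName="db-credentals"),      # misspelled secretName
        ]},
    ],
}

if __name__ == "__main__":
    for finding in lint_secret_refs(SAMPLE):
        print(finding)
```

Run it in CI before deployment and fail the build when the returned list is not empty.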

Kubernetes Secrets

For lower-sensitivity values, you can use standard Kubernetes secrets referenced via valueFrom:

services:
- name: api
  env:
  - name: API_KEY
    valueFrom:
      secretKeyRef:
        name: my-secret
        key: api-key

Choosing the Right Approach

See the Secrets and Parameters guide for a classification matrix to help you decide between Secrets Manager, Parameter Store, ConfigMaps, and environment variables.

Schema Reference