Secrets and Parameters
Greyhound never acts as a long-term secrets store. The only credentials it issues are short-lived, internally generated tokens that exist just long enough to orchestrate an environment. Everything else must originate from the underlying Kubernetes cluster or the cloud provider's secret and configuration services.
When designing an application definition, decide which category each value falls into and place it in the appropriate provider. The platform ensures these providers handle encryption at rest and in flight. CSI volumes can project the values as files into a pod; environment variables remain in memory only.
Classification Matrix
| Category | Typical Examples | Source of Truth | Delivery Mechanism | Notes |
|---|---|---|---|---|
| Hard secrets | Database passwords, encryption keys, PCI artifacts, PII/PHI assets | Secrets Manager (AWS Secrets Manager, GCP Secret Manager, etc.) | CSI SecretProviderClass mounted as files | Highest sensitivity; these should never be committed to git or emitted as environment variables. |
| Soft secrets | Third-party API keys, passwords, OAuth tokens, webhook credentials | Secrets Manager or Parameter Store | CSI SecretProviderClass mounted as files or injected at runtime | Rotate on the provider side; keep scope and TTL narrow. |
| Parameters | Feature flags, configuration toggles, magic values, endpoint URLs | Parameter Store (e.g. AWS SSM) or ConfigMaps | Mounted as files or exposed via env vars by the runtime | Immutable parameters fit well in ConfigMaps; mutable values prefer Parameter Store. |
| Environment variables | Runtime copies of parameter values or plaintext strings | Same provider as the backing parameter | Exported into the container environment | Use only for non-secret configuration; these are checked in to your repository so they could even be public. |
Usage Guidance
- Provision and rotate sensitive material in your cloud provider; greyhound references those entries but never stores the payload.
- Prefer CSI SecretProviderClass projections for pods. They keep credentials on the node filesystem and out of deployment specs.
- For builds, jobs, and services, reference secret providers rather than embedding literal values. Inline secrets exist only for low-sensitivity defaults during development.
- Treat environment variables as a delivery convenience, not a storage mechanism. Source them from Parameter Store or ConfigMaps and scope their usage to the minimum necessary process.
- All providers supported by greyhound enforce encryption at rest and TLS in flight. Mounts render readable files only within the target container's namespace.
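The following manifests are an added illustration of the matrix and guidance above, written against the plain Kubernetes objects that the platform references; they are not greyhound's own application-definition format, and all names (`payments-api`, the secret and parameter paths, the image) are placeholders. A hard secret (the database password) and a mutable parameter (feature flags) come from the cloud provider through a Secrets Store CSI `SecretProviderClass` and land as files under `/mnt/secrets`; a non-secret, immutable value (the endpoint URL) comes from a ConfigMap as an environment variable. Nothing sensitive appears in the pod spec itself.

```yaml
# Hard secret + mutable parameter: fetched from the cloud provider at pod start by the
# Secrets Store CSI driver (AWS provider shown). Object names are placeholders.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: payments-api-secrets
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "prod/payments-api/db-password"   # AWS Secrets Manager entry (hard secret)
        objectType: "secretsmanager"
        objectAlias: "db-password"                      # file name under the mount path
      - objectName: "/prod/payments-api/feature-flags" # SSM Parameter Store entry (mutable parameter)
        objectType: "ssmparameter"
        objectAlias: "feature-flags.json"
---
# Non-secret, immutable configuration: safe to live in git and to expose as env vars.
apiVersion: v1
kind: ConfigMap
metadata:
  name: payments-api-config
data:
  LEDGER_ENDPOINT: "https://ledger.internal.example:8443"   # placeholder URL
  LOG_LEVEL: "info"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments-api
spec:
  replicas: 1
  selector:
    matchLabels:
      app: payments-api
  template:
    metadata:
      labels:
        app: payments-api
    spec:
      # Assumed: this service account is bound to a cloud identity whose policy grants
      # read access to exactly the two objects listed above and nothing else.
      serviceAccountName: payments-api
      containers:
        - name: api
          image: registry.example.com/payments-api:1.0.0   # placeholder image
          envFrom:
            - configMapRef:
                name: payments-api-config          # parameters only, never secrets
          volumeMounts:
            - name: secrets-store
              mountPath: /mnt/secrets              # app reads /mnt/secrets/db-password
              readOnly: true
      volumes:
        - name: secrets-store
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: payments-api-secrets
```

Two points worth checking when applying this pattern: the `SecretProviderClass` carries only references, so rotating the password in Secrets Manager requires no change to the manifest (the driver re-projects the file if its rotation reconciliation is enabled, otherwise on the next pod start), and no `secretObjects` sync block is used, so the credential is never copied into a Kubernetes Secret where it could be wired into an environment variable.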
For schema-level details see: