Secrets Paths
Security reference pages are precise for a reason. Treat changes here as trust-boundary changes, not routine config tweaks.
This page shows where runtime and platform secrets are stored and how they end up inside the cluster.
All application secrets are stored in AWS Secrets Manager in eu-central-1.
They are pulled into the cluster by the External Secrets Operator (ESO), which is the controller that copies secrets from AWS into Kubernetes.
Path Convention
All secrets follow the pattern crawbl/{environment}/{scope}/{name}.
Secret Paths
| AWS SM Path | K8s Secret Created | Namespace |
|---|---|---|
| crawbl/dev/backend/orchestrator | orchestrator-vault-secrets | backend |
| crawbl/dev/backend/postgresql | backend-postgresql-auth | backend |
| crawbl/dev/backend/redis | backend-redis-auth | backend |
| crawbl/dev/infra/cloudflare | cloudflare-api-token | cert-manager |
| crawbl/dev/runtime/openai | runtime-openai-secrets | userswarms |
| crawbl/dev/edge/hmac | hmac-wasm-config | envoy-gateway-system |
Notable Keys
| Secret path | Example keys |
|---|---|
| crawbl/dev/backend/orchestrator | CRAWBL_MCP_SIGNING_KEY, database and Redis credentials, Firebase-related values |
| crawbl/dev/backend/postgresql | postgres-password, password |
| crawbl/dev/runtime/openai | OPENAI_API_KEY |
| crawbl/dev/infra/cloudflare | api-token |
| crawbl/dev/edge/hmac | hmac_secret, environment |
Bootstrap Dependency
Pulumi creates the bootstrap aws-credentials Secret in the external-secrets namespace.
That is the one initial AWS credential ESO needs so it can fetch the rest of the secrets.
Rotation Procedure
Follow this flow when rotating a secret:

1. Update the value. Change the secret in AWS Secrets Manager first, because ESO only mirrors what is already stored there.
2. Re-sync the ExternalSecret. Re-sync the matching ExternalSecret so the Kubernetes Secret picks up the new value:

   ```bash
   kubectl annotate externalsecret orchestrator-secrets \
     -n backend force-sync=$(date +%s) --overwrite
   ```

3. Restart consumers if needed. Restart workloads that only read the value at startup, such as the orchestrator:

   ```bash
   kubectl rollout restart deployment/orchestrator -n backend
   ```
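A post-sync check between steps 2 and 3, added here as an example and not part of the platform's own tooling: it compares the JSON that `aws secretsmanager get-secret-value` and `kubectl get secret -o json` return and reports which keys in the cluster are still stale or missing, without ever printing secret values. The sample CLI output is constructed, and the 1:1 key mapping between the AWS secret and the Kubernetes Secret is an assumption of the example.

```python
import base64
import json


def aws_secret_keys(get_secret_value_json: str) -> dict:
    """Key/value pairs from `aws secretsmanager get-secret-value` output;
    SecretString holds a JSON object for the secrets on this page."""
    return json.loads(json.loads(get_secret_value_json)["SecretString"])


def k8s_secret_keys(get_secret_json: str) -> dict:
    """Decode the base64 .data map of `kubectl get secret -o json` output."""
    data = json.loads(get_secret_json).get("data", {})
    return {k: base64.b64decode(v).decode() for k, v in data.items()}


def sync_drift(aws_values: dict, k8s_values: dict) -> dict:
    """Keys whose cluster value is 'stale' or 'missing' relative to AWS SM.
    Reports key names and a status only, never the secret values.
    Assumes the ExternalSecret copies keys 1:1 (assumption of this example)."""
    drift = {}
    for key, expected in aws_values.items():
        actual = k8s_values.get(key)
        if actual is None:
            drift[key] = "missing"
        elif actual != expected:
            drift[key] = "stale"
    return drift


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample CLI output for crawbl/dev/backend/postgresql, as it might
# look right after step 2 if ESO re-synced only one of the two keys.
AWS_SAMPLE = json.dumps({
    "Name": "crawbl/dev/backend/postgresql",
    "SecretString": json.dumps({"postgres-password": "new-admin-pw",
                                "password": "new-app-pw"}),
})
K8S_SAMPLE = json.dumps({
    "metadata": {"name": "backend-postgresql-auth", "namespace": "backend"},
    "data": {"postgres-password": _b64("new-admin-pw"),
             "password": _b64("old-app-pw")},
})


def check_rotation(aws_json: str = AWS_SAMPLE, k8s_json: str = K8S_SAMPLE) -> dict:
    """Drift report; an empty dict means the rotation landed and step 3 can proceed."""
    return sync_drift(aws_secret_keys(aws_json), k8s_secret_keys(k8s_json))
```

An empty report is the signal to continue with the rollout restart; a non-empty one means the ExternalSecret has not picked up the new value yet and restarting consumers would only re-read the stale data.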
ESO Flow
🔗 Terms On This Page
If a term below is unfamiliar, open its glossary entry. For the full list, go to Internal Glossary.
- AWS Secrets Manager: The AWS service that stores shared secret values before they are copied into Kubernetes.
- External Secrets Operator: The controller that copies secrets from AWS Secrets Manager into Kubernetes Secrets.
- Pulumi: The infrastructure-as-code tool that creates the cluster and foundational platform resources.