Move k8s variables to secrets manager

[mlissner]

I'm not sure how to do this, but we should figure it out so that our secrets are more secure.

[blancoramiro]

Just leaving an update here until we start moving the variables into AWS' secret manager.

External secrets operator is now deployed in the court-listener cluster. The documentation is located here

And here is the current configuration.

[mlissner]

Thanks for the great docs. Do you need changes on the application side?

[blancoramiro]

No changes to the app itself only to the k8s yaml files.

For the deployments to start using secrets from the secrets manager we would need to:

• Create the secret in AWS secret manager with all the variables.
• Delete the current secret in the cluster.
• Create the ExternalSecret resource using the yaml files, apply it and wait for the operator to create the secret again.

The only possible issue might be that if any pod get scheduled while the secret is not yet re-created, it won't be scheduled.

[blancoramiro]

@mlissner Found the following secrets set up in the cluster but they are missing in the repo.

Do you think they should be added to the new secret stored in the secrets manager?

Secrets present in cl-env but not on the repo:

• BULK_DATA_DIR
• CELERY_ETL_TASKS_QUEUE
• ELASTIC_SERCSHARDS
• MAILCHIMP_API_KEY
• MAILCHIMP_SECRET
• MOOSEND_API_KEY

Secrets present in bots-env but not on the repo:

• MASTODON_TOKEN
• TWITTER_ACCESS_TOKEN
• TWITTER_ACCESS_TOKEN_SECRET

Thank you!

[mlissner]

All of the variables in cl-env aren't important. They're outdated or typos.

All of the variables in bots-env are the opposite. They are important and need to be preserved.

Good catches.

[blancoramiro]

Hello @mlissner . I think we are good to close this issue.

New secrets for Courtlistner and Bots.law have been in place for some time and no issues have been reported.

Documentation related to the external secrets operator and how secrets are now handled is here

Thank you!