Skip to content

Manage Secrets

Create tenant secrets and choose where Kupe should sync them.

For the full schema, see Reference: secrets.

POST /api/v1/tenants/{tenant}/secrets
Terminal window
export KUPE_TENANT="<tenant>"
curl -X POST \
-H "Authorization: Bearer $KUPE_API_KEY" \
-H "Content-Type: application/json" \
"https://api.kupe.cloud/api/v1/tenants/$KUPE_TENANT/secrets" \
-d '{
"name": "db-password",
"secretPath": "production/db-password",
"sync": [
{ "cluster": "production", "namespace": "default" },
{ "cluster": "production", "namespace": "backend", "secretName": "database-credentials" }
]
}'
FieldRequiredDescription
nameYesIdentifier for the managed secret resource (DNS-safe).
secretPathYesPath in the tenant’s vault where the actual secret data lives.
syncNoArray of sync targets. Each target needs cluster and namespace; secretName is optional and overrides the Kubernetes Secret name.

The actual secret values are not part of this request. Today, the Kupe API manages the sync definition rather than the vault data itself.

PATCH replaces the full sync list. To add a new target, fetch the current list, append, and PATCH:

Terminal window
curl -X PATCH \
-H "Authorization: Bearer $KUPE_API_KEY" \
-H "Content-Type: application/json" \
"https://api.kupe.cloud/api/v1/tenants/$KUPE_TENANT/secrets/db-password" \
-d '{
"sync": [
{ "cluster": "production", "namespace": "default" },
{ "cluster": "production", "namespace": "backend", "secretName": "database-credentials" },
{ "cluster": "staging", "namespace": "default" }
]
}'

To remove all sync targets (stops syncing without deleting the secret), pass an empty array:

{ "sync": [] }

Use the If-Match header with the ETag from a prior GET to avoid clobbering concurrent edits — see Scale and upgrade clusters for the optimistic locking pattern.

A GET on the secret returns status.syncStatuses, an array showing the current state of each target cluster/namespace. See Reference: get secret.

Terminal window
curl -X DELETE \
-H "Authorization: Bearer $KUPE_API_KEY" \
"https://api.kupe.cloud/api/v1/tenants/$KUPE_TENANT/secrets/db-password"

This removes the Kupe resource and stops future syncing. The values in the vault are not deleted by this API call, and existing synced Kubernetes secrets are not removed automatically.