Secrets

Kupe Cloud includes built-in secret management, so teams can store sensitive values once and sync them into one or more clusters without putting raw secrets in Git, CI config, or ad-hoc shell history.

The model

Secrets in Kupe Cloud have two parts:

• Storage in a tenant-isolated platform vault
• Delivery into Kubernetes Secret objects in the clusters and namespaces you choose

That means your team manages the source of truth in the platform, while workloads still consume standard Kubernetes secrets in-cluster.

How it works

Secrets are stored in a dedicated, isolated vault that we manage for you. Each tenant gets its own isolated vault namespace.

When you create or update a secret:

1. The value is stored in the platform vault.
2. You choose the clusters and namespaces that should receive it.
3. Kupe syncs the secret into those targets as a native Kubernetes Secret.
4. Your workloads consume it like any other Kubernetes secret.

Updates are continuous. If you change a value in the console, the synced copies update in the configured targets automatically.

Tenant isolation

Every tenant’s secrets are stored in a dedicated, isolated vault namespace.

In practice, that gives you:

• Tenant separation — your secret data is not mixed with another tenant’s secret store
• Scoped access paths — access is tied to tenant-scoped platform identity and sync flows
• Encrypted storage — secret data is encrypted before it is written to storage

Sync rules

Secrets are delivered only where you tell the platform to send them.

• A secret only reaches the clusters you configure.
• Each sync target includes both a cluster and a namespace.
• Updating a secret updates its synced copies.
• Removing a sync target stops future sync to that target.
• Deleting a secret removes it from the platform store, not from already-created Kubernetes secrets.

Caution

Deleting a secret in the console deletes the platform copy only. If that secret was already synced into clusters, those Kubernetes Secret objects remain until you remove them separately.

What your workloads receive

Kupe creates a standard Kubernetes Secret of type Opaque in the target namespace. The secret name matches the name you chose in the console, and every key you define becomes a data entry in that secret.

Your workloads use it the same way they would any other Kubernetes secret.

As an environment variable:

env:
  - name: DATABASE_URL
    valueFrom:
      secretKeyRef:
        name: db-credentials
        key: url

Or as a mounted volume:

volumes:
  - name: creds
    secret:
      secretName: db-credentials

Practical limits

• Secret values are limited to 1 MB per key
• A tenant can create up to 1,000 secrets
• A secret can sync to any number of clusters

Related pages

• Create and Sync Secrets
• Concepts
• Limits