Credentials

For security reasons, secret content such as credentials is typically not committed to the project repository. An administrator usually configures these values manually on each specific environment. Like other Kubernetes resources, secrets are bound to a specific namespace.

If a project requires multiple secrets, for example, specific credentials for various external systems, manually configuring them can become cumbersome and difficult to keep track of. Configured secrets have to be documented and tracked in a secure form, external to the project repository.

Another approach is to store the credentials in the repository in encrypted form and to decrypt them with a single master key that is kept outside the repository. The repository can then safely contain the configured credentials, since without the master key the encrypted values disclose nothing. The running application uses the dynamically provided master key to decrypt the configured credentials. This approach provides security as well as manageability.

Let's look at a potential solution. Encrypted configuration values can safely be stored in Kubernetes config maps, which are neither encrypted nor access-restricted by default, since the decrypted values will only be visible to the container process. The project can define the encrypted credentials together with other configuration values in the config map definitions as code. An administrator adds a secret to each environment, containing the master key which was used to symmetrically encrypt the credentials. This master key is provided to the running container, for example, using environment variables as seen earlier. The running application uses this single environment variable to decrypt all encrypted credential values. The master key is thereby the single point of compromise: whoever can read that secret, or the environment of a running container, can decrypt every value, so access to it should be restricted accordingly. The encryption itself should use an authenticated mode, such as AES-GCM with a fresh nonce per value, so that a tampered config map is rejected rather than silently decrypted to garbage.
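The following manifests show one way to wire up the pieces just described. They are an added illustration, not taken from the book; the names `app-config`, `app-master-key` and `MASTER_KEY`, the mount path and the `ENC(...)` value format are assumptions, and the secret's value is a placeholder to be generated per environment.

```yaml
# Added example (not the book's own manifests). The config map is committed with the
# project; only the secret holding the master key is created manually per environment.
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  application.properties: |
    db.url=jdbc:postgresql://db:5432/app
    # value format ENC(base64) is an assumption of this example
    db.password=ENC(...)
---
apiVersion: v1
kind: Secret
metadata:
  name: app-master-key
type: Opaque
data:
  # placeholder: base64 of 32 random bytes, created per environment, never committed
  master-key: ""
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
        - name: app
          image: app:latest
          env:
            # the master key reaches the container only through the secret
            - name: MASTER_KEY
              valueFrom:
                secretKeyRef:
                  name: app-master-key
                  key: master-key
          volumeMounts:
            - name: config
              mountPath: /config
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: app-config
```

Restrict read access to the `app-master-key` secret with RBAC; anyone who can `kubectl get secret` in the namespace, or `exec` into the pod, holds the key to every encrypted value.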

Depending on the technology and algorithm used, one solution is to let the Java EE application decrypt the credentials directly when loading its properties files. Strong key sizes such as AES-256 historically required the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files to be installed in the runtime; since Java 8u161 and Java 9 unlimited strength is the default, but older runtimes still need them. Another approach is to decrypt the values before the application is deployed, for example in the deployment pipeline, so that the application itself never handles the master key.
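The class below is an added example of the first approach, written for this edit rather than taken from the book: it decrypts `ENC(...)` values in a properties file with a single AES-256-GCM master key read from an environment variable. The variable name `MASTER_KEY`, the `ENC(base64)` value format and the layout nonce || ciphertext || tag are assumptions of this example; the `main` method builds a constructed key and value so the round trip runs offline.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example, not the book's code. Decrypts ENC(base64) property values with one
// AES-256-GCM master key; the env var name and value format are assumptions.
public class EncryptedProperties {
    private static final String ENV_MASTER_KEY = "MASTER_KEY"; // assumed env var name
    private static final String PREFIX = "ENC(";
    private static final int NONCE_BYTES = 12; // 96-bit nonce as recommended for GCM
    private static final int TAG_BITS = 128;   // full-length authentication tag

    private final SecretKey masterKey;

    public EncryptedProperties(byte[] rawKey) {
        if (rawKey.length != 32) {
            throw new IllegalArgumentException("master key must be 32 bytes (AES-256)");
        }
        this.masterKey = new SecretKeySpec(rawKey, "AES");
    }

    // Reads the base64-encoded 32-byte key that the Kubernetes secret injects into the env.
    public static EncryptedProperties fromEnvironment() {
        String encoded = System.getenv(ENV_MASTER_KEY);
        if (encoded == null || encoded.isEmpty()) {
            throw new IllegalStateException(ENV_MASTER_KEY + " is not set");
        }
        return new EncryptedProperties(Base64.getDecoder().decode(encoded.trim()));
    }

    // Produces ENC(base64(nonce || ciphertext || tag)); run once when a value is configured.
    public String encrypt(String plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        new SecureRandom().nextBytes(nonce); // fresh nonce per value, never reused with this key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, masterKey, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return PREFIX + Base64.getEncoder().encodeToString(out) + ")";
    }

    // Plain values pass through; ENC(...) values are decrypted, and any tampering makes
    // doFinal throw AEADBadTagException instead of returning garbage.
    public String decrypt(String value) throws GeneralSecurityException {
        if (!value.startsWith(PREFIX) || !value.endsWith(")")) {
            return value;
        }
        byte[] blob = Base64.getDecoder().decode(value.substring(PREFIX.length(), value.length() - 1));
        if (blob.length <= NONCE_BYTES) {
            throw new GeneralSecurityException("ciphertext too short");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, masterKey, new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_BYTES));
        byte[] pt = cipher.doFinal(blob, NONCE_BYTES, blob.length - NONCE_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    // Loads properties text, e.g. the content of a mounted config map, decrypting as it goes.
    public Properties load(String propertiesText) throws IOException, GeneralSecurityException {
        Properties raw = new Properties();
        raw.load(new StringReader(propertiesText));
        Properties decrypted = new Properties();
        for (String name : raw.stringPropertyNames()) {
            decrypted.setProperty(name, decrypt(raw.getProperty(name)));
        }
        return decrypted;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: an administrator generates the key and encrypts a sample
        // password once; the ENC(...) output is what goes into the config map.
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        EncryptedProperties crypto = new EncryptedProperties(key);
        String encrypted = crypto.encrypt("s3cr3t-db-password");
        System.out.println("db.password=" + encrypted);

        // At runtime the application needs only the key and the config map contents.
        String configMap = "db.url=jdbc:postgresql://db:5432/app\ndb.password=" + encrypted + "\n";
        Properties props = crypto.load(configMap);
        System.out.println("db.url=" + props.getProperty("db.url"));
        System.out.println("password round trip ok: "
                + "s3cr3t-db-password".equals(props.getProperty("db.password")));
    }
}
```

In the deployed application `fromEnvironment()` replaces the constructed key in `main`, and `load()` is fed the mounted properties file. Keep `encrypt()` out of the runtime image or behind an administrative tool; the container only needs to decrypt. Because every value is encrypted with a random nonce under one key, re-encrypting the same password yields a different `ENC(...)` string each time, which is expected and harmless.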
