Flipt v2 supports external secrets management, allowing you to store sensitive configuration data like API keys, tokens, and certificates outside of your main configuration files. This enhances security by centralizing secret management and reducing the risk of accidentally exposing sensitive data.

Why Use External Secrets?

Instead of storing sensitive values directly in Flipt configuration files, external secrets provide:
  • Enhanced Security: Sensitive data is stored in dedicated secret management systems with proper access controls
  • Centralized Management: All secrets managed in one place with audit trails and access policies
  • Environment Separation: Different secrets for development, staging, and production environments
  • Rotation Support: Easy secret rotation without updating configuration files (coming soon)
  • Access Control: Fine-grained permissions for who can access which secrets

Supported Providers

Flipt supports multiple secret providers to fit different deployment scenarios:
We’re working on adding support for more secret providers, including AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager.

File Provider

Store secrets in local files - ideal for development and simple deployments

HashiCorp Vault

Enterprise-grade secret management with advanced authentication and access controls

Configuration Overview

Enable secrets management by configuring providers in your Flipt configuration: 
secrets:
  providers:
    # Multiple providers can be configured
    file:
      enabled: true
      base_path: "/etc/flipt/secrets"
    vault:
      enabled: true
      address: "https://vault.company.com"
      auth_method: "token"

File Provider

The file provider is the simplest option, storing secrets in a JSON file in the configured directory.

Configuration

secrets:
  providers:
    file:
      enabled: true
      base_path: "/etc/flipt/secrets" # Default: /etc/flipt/secrets

Usage

Create secret files in the configured directory: 
# Create a JSON file for secrets
echo '{"data": {"api-key": "sk-1234567890abcdef"}}' > /etc/flipt/secrets/secrets.json
Ensure the JSON file is valid and the data key is present.
For secrets that would be invalid JSON such as those that container newlines you can either escape the newlines or base64 encode the secret. 
echo "-----BEGIN PGP PRIVATE KEY BLOCK-----\n\n-----END PGP PRIVATE KEY BLOCK-----\n" | base64 -w 0 > /etc/flipt/secrets/gpg-key.asc

{
  "data": {
    "gpg-key": "{base64 encoded secret}"
  }
}

HashiCorp Vault Provider

Vault provides enterprise-grade secret management with advanced features like dynamic secrets, encryption as a service, and detailed audit logs.

Basic Configuration

secrets:
  providers:
    vault:
      enabled: true
      address: "https://vault.company.com"
      auth_method: "token"
      token: "hvs.your_vault_token"
      mount: "secret" # Default: secret

Authentication Methods

Token Authentication

Best for development and testing: 
vault:
  enabled: true
  address: "https://vault.company.com"
  auth_method: "token"
  token: "hvs.your_vault_token"

Kubernetes Authentication

Ideal for Kubernetes deployments: 
vault:
  enabled: true
  address: "https://vault.company.com"
  auth_method: "kubernetes"
  role: "flipt-role"
  mount: "secret"

AppRole Authentication

Good for automated systems and CI/CD: 
vault:
  enabled: true
  address: "https://vault.company.com"
  auth_method: "approle"
  role: "flipt-role"
  mount: "secret"

Environment Variables

Avoid storing sensitive values in configuration files by using environment variables: 
export FLIPT_SECRETS_PROVIDERS_VAULT_TOKEN="hvs.your_vault_token"
export FLIPT_SECRETS_PROVIDERS_VAULT_ROLE_ID="your_role_id"
export FLIPT_SECRETS_PROVIDERS_VAULT_SECRET_ID="your_secret_id"

Using Secrets

Currently, secrets can only be used with our Commit Signing feature. We are working on adding support for secrets in general configuration.