secrets: now in console (#607)

secrets: replace with Console

This marks Console as the preferred way to manage user-defined workload secrets on NAIS.

Author: tronghn

docs/explanation/secrets.md

@@ -0,0 +1,25 @@
+# Secrets
+
+A secret is a piece of sensitive information that is used in a [workload](workloads/README.md).
+This can be a password, an API key, or any other information that should not be exposed to the public.
+
+Secrets are kept separate from the codebase and configuration files that are usually stored in version control.
+
+There are two types of secrets on the NAIS platform:
+
+- **Platform-provided secrets** are provisioned and managed by the platform.
+
+    These typically contain credentials used for integrating with services that NAIS supports, such as databases, Kafka and so on.
+
+    You will generally not deal with these secrets as their values are automatically made available to your workloads at runtime.
+
+- **User-defined secrets** are managed by you and your [team](team.md).
+
+    These are typically used for integrating with third-party services or APIs that are not provided by NAIS, such as Slack or GitHub.
+
+    User-defined secrets can also be used to store sensitive information specific to your application, such as encryption keys or other private configuration.
+
+## What's next?
+
+- Create a secret and use it in your workload in the [how-to guide](../how-to-guides/secrets.md)
+- Find more technical information on the [reference page](../reference/secrets.md)

docs/how-to-guides/secrets.md

@@ -0,0 +1,45 @@
+# Secrets
+
+This how-to guide shows you how to create a [secret](../explanation/secrets.md) and use it in your [workload](../explanation/workloads/README.md).
+
+## 0. Prerequisites
+
+- You're part of a [NAIS team](./team.md)
+- A Github repository where the NAIS team has access
+- The repository contains a valid workload manifest (`nais.yaml`)
+
+## 1. Create a secret
+
+1. Open [NAIS console](https://console.<<tenant()>>.cloud.nais.io) in your browser and select your team
+2. Select the `Secrets` tab
+3. Click `Create Secret` for the environment you want to create the secret in
+4. Choose a **name** for your secret and click `Create`
+5. Add a key-value pair to your newly created secret
+
+## 2. Use the secret in your workload
+
+1. Add a reference to the secret in the workload's `nais.yaml` manifest.
+
+    For a secret named `cool-cat`, the manifest should contain these additional lines:
+
+    ```yaml title="nais.yaml" hl_lines="2-3"
+    spec:
+      envFrom:
+        - secret: cool-cat
+    ```
+
+    The `Copy manifest` button in NAIS Console generates a snippet equivalent to the above.
+
+2. Commit and push the changes to version control, and deploy your workload as usual.
+
+All key-value pairs in the secret are now available in your workload's runtime as environment variables.
+
+## 3. Update the secret
+
+Add, edit, or delete key-value pairs in the secret in Console as desired.
+
+Any changes to the secret will automatically be picked up by your workload, as long as the manifest still references the secret.
+
+## Further reading
+
+See the [reference](../reference/secrets.md#workloads) for additional ways of using secrets in your workload.

docs/reference/secrets.md

@@ -0,0 +1,39 @@
+# Secrets
+
+This is the reference documentation for [secrets](../explanation/secrets.md) on the NAIS platform.
+
+## Console
+
+Find and manage your team's user-defined secrets in the [NAIS Console](https://console.<<tenant()>>.cloud.nais.io).
+
+## Workloads
+
+Use a secret in your [workload](../explanation/workloads/README.md) by referencing them in your `nais.yaml` manifest.
+The secret can be made available as environment variables, files, or both.
+
+### Environment Variables
+
+```yaml
+spec:
+  envFrom:
+    - secret: <secret-name>
+```
+
+See the workload references for more information:
+
+- [Application](../reference/application-spec.md#envfromsecret)
+- [NaisJob](../reference/naisjob-spec.md#envfromsecret)
+
+### Files
+
+```yaml
+spec:
+  filesFrom:
+    - secret: <secret-name>
+      mountPath: /var/run/secrets/<secret-name>
+```
+
+See the workload references for more information:
+
+- [Application](../reference/application-spec.md#filesfromsecret)
+- [NaisJob](../reference/naisjob-spec.md#filesfromsecret)

docs/security/README.md

@@ -112,17 +112,10 @@ provided by NAIS:
 
 #### Secrets
 
-NAIS provides a secure way to store secrets in the form of [Kubernetes
-secrets][kubernetes-secrets]. These secrets are encrypted at rest and are only
-accessible by the application that they are associated with.
+NAIS provides a secure way to store [secrets] for use by applications.
+These secrets are encrypted at rest and are only accessible by applications and members of a given team.
 
-In addition to Kubernetes secrets NAIS provides integration with [Google Secrets
-Manager][google-secrets-manager] and [Hashicorp Vault][hashicorp-vault] for
-enhanced secret management.
-
-[kubernetes-secrets]: ./secrets/kubernetes-secrets.md
-[google-secrets-manager]: ./secrets/google-secrets-manager.md
-[hashicorp-vault]: ./secrets/vault.md
+[secrets]: ../explanation/secrets.md
 
 #### External dependencies