PodWarden User Manual
Settings: Secrets
Encrypted secret store and SSH key pair management

What you see
URL: /settings (Secrets tab)
The Secrets tab manages PodWarden's encrypted secret store. Secrets are sensitive values (API keys, database passwords, certificates) that can be referenced by stacks and injected as environment variables at deploy time via Kubernetes secrets.
Fields / columns
| Column | Description |
|---|---|
| Name | Identifier for the secret (e.g. db-password, api-token) |
| Type | The kind of secret (e.g. generic, ssh-key-pair, tls) |
| Value | Always displayed as masked (********). The actual value is stored encrypted |
Available actions
| Action | Where | What it does |
|---|---|---|
| Create | Secrets tab toolbar | Opens the secret creation form. Specify a name, type, and value |
| Edit | Secret row | Update the secret's value. The current value is not shown -- enter the new value |
| Delete | Secret row | Permanently removes the secret. Workloads referencing this secret will fail on next deployment |
| Generate SSH key pair | Secrets tab toolbar | Generates a new Ed25519 SSH key pair and stores both the private and public keys as a secret. The public key is displayed for copying to authorized_keys files |
Secret types
| Type | Description |
|---|---|
| generic | A plain key-value secret (password, API token, connection string) |
| ssh-key-pair | An SSH private + public key pair, generated by PodWarden |
| tls | A TLS certificate and private key |
How secrets are used
Secrets defined here are available as secret_refs in stacks. At deploy time:
- PodWarden creates a Kubernetes Secret in the target namespace.
- PodWarden injects the secret into the workload pod as an environment variable.
- The workload reads the value from the environment variable at runtime.
This keeps sensitive values out of stack fields and ensures they are encrypted at rest.
Notes
- Secret values cannot be read back through the UI or API after creation. If you lose a secret value, delete and recreate it.
- Deleting a secret does not automatically update workloads that reference it. Redeploy affected workloads after changing secrets.
- SSH key pairs generated here are used by PodWarden for host provisioning (SSH access to servers).
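One way to see which workloads depend on a secret before editing or deleting it, as an added example that is not PodWarden code: it reads a Kubernetes listing and reports the workloads that reference each Secret through environment variables, plus required references whose Secret no longer exists. It assumes the workloads are Deployments; the sample listing and every name in it are constructed.

```python
import json

# Constructed sample shaped like `kubectl get deployments,secrets -n demo -o json`.
# Every name here is made up for the example.
SAMPLE = json.loads("""
{"items": [
  {"kind": "Secret", "metadata": {"name": "db-password", "namespace": "demo"}},
  {"kind": "Deployment", "metadata": {"name": "web", "namespace": "demo"},
   "spec": {"template": {"spec": {"containers": [{"name": "app", "env": [
     {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db-password", "key": "value"}}},
     {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {"name": "api-token", "key": "value"}}}
   ]}]}}}},
  {"kind": "Deployment", "metadata": {"name": "worker", "namespace": "demo"},
   "spec": {"template": {"spec": {"containers": [{"name": "job", "envFrom": [
     {"secretRef": {"name": "api-token", "optional": true}}
   ]}]}}}}
]}
""")

def secret_refs(workload):
    """Yield (secret_name, optional) for every env-based Secret reference."""
    pod = workload["spec"]["template"]["spec"]
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        refs = [(e.get("valueFrom") or {}).get("secretKeyRef") for e in c.get("env", [])]
        refs += [s.get("secretRef") for s in c.get("envFrom", [])]
        for ref in filter(None, refs):
            yield ref["name"], bool(ref.get("optional", False))

def audit(listing):
    """Return (users, missing): workloads per Secret, and required refs with no Secret."""
    existing = {(i["metadata"]["namespace"], i["metadata"]["name"])
                for i in listing["items"] if i["kind"] == "Secret"}
    users, missing = {}, set()
    for item in listing["items"]:
        if item["kind"] != "Deployment":
            continue
        ns, name = item["metadata"]["namespace"], item["metadata"]["name"]
        for secret, optional in secret_refs(item):
            users.setdefault(secret, set()).add(name)
            if (ns, secret) not in existing and not optional:
                missing.add((name, secret))  # optional refs do not block startup
    return users, sorted(missing)

if __name__ == "__main__":
    users, missing = audit(SAMPLE)
    for secret, names in sorted(users.items()):
        print(f"{secret}: redeploy {sorted(names)} after changing it")
    for workload, secret in missing:
        print(f"{workload}: required Secret {secret!r} is missing; container will not start")
```

To run it against a live namespace, replace SAMPLE with the parsed output of the kubectl command named in the comment.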
Related docs
- Apps & Stacks -- Reference secrets in workload configuration
- Settings -- Users -- Previous settings tab
- Hosts -- SSH keys are used for host access