Secret values are never committed and never stored in OpenTofu state. This contract lists the external secret names a forker must seed before the matching profile/feature can be fully healthy. make doctor PROFILE=... checks the required GCP Secret Manager entries and the Kubernetes Secrets ESO materializes from them.

Runtime secrets (ESO → GCP Secret Manager)

| Profile / flag | Layer | External name | Kubernetes Secret | Required | Purpose |
|---|---|---|---|---|---|
| serving | serving | vllm-api-key | serving/vllm-api-key | yes | raw-vLLM /v1/* auth; reused upstream by LiteLLM |
| serving | serving | hf-token | kserve/hf-token | no | gated Hugging Face model pulls for optional KServe demos |
| llm-gateway | llm-gateway | litellm-master-key | litellm/litellm-secrets | yes | LiteLLM admin/master key |
| llm-gateway | llm-gateway | litellm-salt-key | litellm/litellm-secrets | yes | LiteLLM encryption salt; write once, never rotate casually |
| llm-gateway | llm-gateway | litellm-db-password | litellm/litellm-pg-app | yes | CloudNativePG app-user password |
| llm-gateway | llm-gateway | litellm-grafana-ro-password | litellm/litellm-grafana-ro, monitoring/grafana-datasource-litellm | yes | Grafana read-only spend dashboard credential |
| features.identity | platform | dex-admin-hash | dex/dex-secrets | flag-gated | bcrypt hash of the static Dex admin password; make seed-secrets mints it (runbook sso-dex.md) |
| features.identity | platform | dex-oauth2-proxy-client-secret | dex/dex-secrets, oauth2-proxy/oauth2-proxy-secrets | flag-gated | Dex ↔ oauth2-proxy OIDC client secret (SSO; runbook sso-dex.md) |
| features.identity | platform | oauth2-proxy-cookie-secret | oauth2-proxy/oauth2-proxy-secrets | flag-gated | oauth2-proxy session-cookie encryption |
| features.dns / DNS-01 | platform | cloudflare-api-token | external-dns/cloudflare-api-token, cert-manager/cloudflare-api-token | flag-gated | external-dns record writes + cert-manager DNS-01 |
flag-gated = required only when the named flag in environments/<env>/config.yaml is on (features.identity, features.dns; both default false). These are not asserted by make doctor; it validates the serving and llm-gateway profiles only.
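The check that `make doctor` performs for the Secret Manager side of this contract can be expressed as a small shell function. This is an added example, not the repository's own `make doctor` target: `required_for` encodes the table above (profile rows marked "yes" plus the flag-gated rows for each enabled feature flag), and `missing` diffs that list against whatever names you already have. The profile and flag names are the page's; the function names are this example's.

```sh
#!/bin/sh
# required_for PROFILE [FLAG...] prints, one per line, the external secret
# names the contract marks "yes" for PROFILE plus the flag-gated ones for each
# enabled feature flag. hf-token is optional and therefore never listed.
required_for() {
  profile=$1
  shift
  case "$profile" in
    serving)
      printf '%s\n' vllm-api-key ;;
    llm-gateway)
      printf '%s\n' litellm-master-key litellm-salt-key \
                    litellm-db-password litellm-grafana-ro-password ;;
    *)
      echo "unknown profile: $profile" >&2
      return 1 ;;
  esac
  for flag in "$@"; do
    case "$flag" in
      features.identity)
        printf '%s\n' dex-admin-hash dex-oauth2-proxy-client-secret \
                      oauth2-proxy-cookie-secret ;;
      features.dns)
        printf '%s\n' cloudflare-api-token ;;
      *)
        echo "unknown flag: $flag" >&2
        return 1 ;;
    esac
  done
}

# missing REQUIRED EXISTING prints every name in REQUIRED (newline-separated)
# that does not appear as an exact line in EXISTING. Prints nothing when the
# contract is satisfied.
missing() {
  printf '%s\n' "$1" | while read -r name; do
    [ -n "$name" ] || continue
    printf '%s\n' "$2" | grep -qxF -- "$name" || printf '%s\n' "$name"
  done
}
```

To run it against a real project, pass `required_for llm-gateway features.dns` as REQUIRED and the output of `gcloud secrets list --project "$PROJECT" --format='value(name.basename())'` as EXISTING; anything printed is a secret still to seed.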

Bootstrap / IaC credentials (not ESO-materialized)

These authenticate tooling, not in-cluster workloads, so they are not read through a ClusterSecretStore.
| Name | Where stored | Consumed by | Purpose |
|---|---|---|---|
| Argo CD repo cred | env → make argocd-repo (K8s Secret only) | Argo CD | private-fork repo pull (PAT + username) |
| dex-admin-password | GCP Secret Manager plus secrets/dex-admin-password | make credentials / operator login | retrievable copy of the Dex static-admin password; Dex itself consumes only dex-admin-hash |
| hcloud-token | GCP Secret Manager | infra/hetzner/terraform/ (deferred) | Hetzner Cloud API token for the hcloud Terraform provider / CSI / CCM. Read via HCLOUD_TOKEN env or a google_secret_manager_secret_version data source at apply time; never in git/state. Robot user+password for the dedicated GPU box is a separate, not-yet-seeded credential. |
Private GitHub forks need an Argo CD repo credential (created from env, not from Secret Manager):

```sh
export ARGOCD_REPO_PAT=<fine-grained-PAT-contents-read-only>
export ARGOCD_REPO_USERNAME=<github-user>
make argocd-repo
```

Seed required values

```sh
export PROJECT=<your-project>

# serving + llm-gateway (required for those profiles)
openssl rand -hex 24 | tr -d '\n' | gcloud secrets create vllm-api-key --data-file=- --project "$PROJECT"

printf 'sk-%s' "$(openssl rand -hex 24)"     | gcloud secrets create litellm-master-key --data-file=- --project "$PROJECT"
openssl rand -hex 32 | tr -d '\n'            | gcloud secrets create litellm-salt-key --data-file=- --project "$PROJECT"
openssl rand -hex 24 | tr -d '\n'            | gcloud secrets create litellm-db-password --data-file=- --project "$PROJECT"
openssl rand -base64 24 | tr -d '\n'         | gcloud secrets create litellm-grafana-ro-password --data-file=- --project "$PROJECT"

# features.identity (SSO): generate the two random values here;
# dex-admin-hash is minted by make seed-secrets (runbook sso-dex.md)
openssl rand -hex 32 | tr -d '\n' | gcloud secrets create dex-oauth2-proxy-client-secret --data-file=- --project "$PROJECT"
openssl rand -hex 16 | tr -d '\n' | gcloud secrets create oauth2-proxy-cookie-secret --data-file=- --project "$PROJECT"

# features.dns / DNS-01: paste a token minted in the Cloudflare dashboard
printf '%s' '<cloudflare-api-token>' | gcloud secrets create cloudflare-api-token --data-file=- --project "$PROJECT"

# Hetzner portability: paste a token minted in the Hetzner Cloud Console (Security → API Tokens)
printf '%s' '<hcloud-token>' | gcloud secrets create hcloud-token --data-file=- --project "$PROJECT"
```