Secrets
Friends store sensitive data (API keys, credentials) as Kubernetes Secrets in their own isolated namespace. Each friend manages their own secrets — there is no cross-namespace secret sharing.
Secret Storage
Each friend has a namespace (`friend-<name>`) where secrets are stored as standard Kubernetes Secrets:

```
# Friend creates a secret via the portal
POST /api/portal/secrets
{
  "name": "openai-key",
  "data": { "OPENAI_API_KEY": "sk-..." }
}
```

The controller creates the secret in the friend’s namespace. Friends can manage secrets through the portal UI or API.
Portal Secret Management
Friends manage their own secrets via the portal at https://<agent>.your-domain.net/portal:
- Create — Add new API keys and credentials
- View — See all stored secrets and their keys
- Update — Replace secret values
- Delete — Remove secrets no longer needed
Secret Visibility
Secrets are strictly namespace-scoped:
- Friends can only see and manage secrets in their own `friend-<name>` namespace
- Agents can list secrets in a friend’s namespace via `GET /api/friends/:id/secrets` (admin/agent token required)
- Workloads deployed to a friend’s namespace can reference secrets in that namespace
API Endpoints
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | `/api/portal/secrets` | friend | List your secrets |
| GET | `/api/portal/secrets/:name` | friend | Read a secret’s data |
| POST | `/api/portal/secrets` | friend | Create a new secret |
| PUT | `/api/portal/secrets/:name` | friend | Update a secret |
| DELETE | `/api/portal/secrets/:name` | friend | Delete a secret |
| GET | `/api/friends/:id/secrets` | admin/agent | List secrets in a friend’s namespace |
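
The visibility rules and the endpoint table above, written as a default-deny authorization check that returns the one namespace a request may touch. This is an added example, not the project's own code: the `authorize` function, the role strings, and the mapping of `:id` to `friend-<id>` are assumptions.

```python
import re

# Endpoint table from this page: (method, path pattern, required auth).
ROUTES = [
    ("GET",    "/api/portal/secrets",       "friend"),
    ("GET",    "/api/portal/secrets/:name", "friend"),
    ("POST",   "/api/portal/secrets",       "friend"),
    ("PUT",    "/api/portal/secrets/:name", "friend"),
    ("DELETE", "/api/portal/secrets/:name", "friend"),
    ("GET",    "/api/friends/:id/secrets",  "admin/agent"),
]

# Kubernetes namespace names must be DNS-1123 labels of at most 63 characters.
LABEL = re.compile(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?")


def _compile(pattern):
    # A ":param" segment matches exactly one path segment, never a slash.
    return re.compile(re.sub(r":(\w+)", r"(?P<\1>[^/]+)", pattern))


COMPILED = [(method, _compile(path), auth) for method, path, auth in ROUTES]


def _namespace(name):
    """Build friend-<name>, or None if the result is not a valid namespace."""
    if not name or not LABEL.fullmatch(name) or len(name) + len("friend-") > 63:
        return None
    return f"friend-{name}"


def authorize(method, path, role, friend=None):
    """Return the namespace this request may touch, or None to deny.

    role and friend are assumed to come from the verified token,
    never from the request body or query string.
    """
    for route_method, rx, auth in COMPILED:
        hit = rx.fullmatch(path)
        if route_method != method or hit is None:
            continue
        if auth == "friend":
            # Portal routes: namespace is derived from the caller's identity only.
            return _namespace(friend) if role == "friend" else None
        if role in ("admin", "agent"):
            # Agent route: list-only, namespace taken from the validated :id.
            return _namespace(hit.group("id"))
        return None
    return None  # unknown method/path combination: default deny
```
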