Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.reducto.ai/llms.txt

Use this file to discover all available pages before exploring further.

Authentication

Reducto can read one or more tokens used for authenticating API calls from a file. On Kubernetes, a Secret can be mounted as a file in the http Pod - when this Secret is updated, Kubernetes automatically updates the mounted file using an eventually-consistent approach, allowing Reducto to reload the new value without requiring a restart. Multiple API keys can be specified by placing each key on a separate line. This enables progressive secret rotation: add the new key, roll your clients over, then remove the old key, all without downtime.

Overview

When enabled, Reducto reads the authentication secret from a mounted file specified by the AUTH_SECRET_PATH environment variable. This provides better security isolation and follows Kubernetes best practices for secret management.

Setup instructions

You can set up authentication using either manual secret creation or secret creation via Helm Chart.

Option 1: Manual secret creation

1. Create a Kubernetes secret
First, create a Kubernetes secret containing your API key(s). For a single key: 
kubectl create secret generic reducto-auth-secret \
  --from-literal=secret=your-api-key-here \
  --namespace reducto
For multiple keys (e.g., during rotation), separate them with newlines: 
kubectl create secret generic reducto-auth-secret \
  --from-literal=secret=$'current-key\nnew-key' \
  --namespace reducto
2. Configure Helm values
Add the following configuration to your Helm values file: 
auth:
  secretPath:
    enabled: true
    secretName: "reducto-auth-secret"
    mountPath: "/etc/auth"
    filename: "secret"

Option 2: Secret creation via Helm Chart

1. Configure values for creation via Helm Chart
Add the following configuration to your Helm values file to let the Helm chart create the secret: 
auth:
  secretPath:
    enabled: true
    createSecret: true
    apiKey: "your-api-key-here"  # Must specify when createSecret is true.
    secretName: "reducto-auth-secret"
    mountPath: "/etc/auth"
    filename: "secret"
Note: With createSecret: true you must specify apiKey

2. Deploy Reducto (for both options)

Deploy or upgrade your Reducto installation: 
helm upgrade --install reducto oci://registry.reducto.ai/reducto-api/reducto \
  --namespace reducto \
  --values your-values.yaml

Configuration options

ParameterDescriptionDefault
auth.secretPath.enabledEnable file-based authenticationfalse
auth.secretPath.createSecretCreate the Kubernetes secretfalse
auth.secretPath.apiKeyAPI key, must be specified when createSecret: true-
auth.secretPath.secretNameName of the Kubernetes secret"reducto-auth-secret"
auth.secretPath.mountPathMount path for the secret file"/etc/auth"
auth.secretPath.filenameFilename within the secret"secret"

How it works

  1. When auth.secretPath.enabled is true, the Helm chart mounts the specified secret as a volume
  2. The AUTH_SECRET_PATH environment variable is automatically set to the full file path
  3. Reducto’s authentication middleware reads all keys from the file (one per line) and authenticates API requests against any of them
  4. The file is monitored for changes, supporting secret rotation without restarts
  5. If the provided API key doesn’t match any key in the file, a 401 error is returned

Secret rotation

To rotate keys without downtime:
  1. Add the new key on a new line alongside the existing key
  2. Update the Kubernetes secret (Reducto picks up the change automatically)
  3. Migrate your clients to use the new key
  4. Remove the old key from the secret