Updated on 2024-11-11 GMT+08:00

Creating a Secret

Scenario

A secret is a type of resource that holds sensitive data, such as authentication and key information. Its content is user-defined. After creating secrets, you can use them as files or environment variables in a containerized workload.

Prerequisites

Cluster and node resources have been created. For more information, see Buying a CCE Cluster. If you have available clusters and node resources, skip this operation.

Procedure

  1. Log in to the CCE console. In the navigation pane, choose Configuration Center > Secrets. Click Create Secret.
  2. You can create a secret directly or based on YAML. If you want to create a secret based on YAML, go to 4.
  3. Method 1: Create a secret directly.

    Set the basic information by referring to Table 1.
    Table 1 Parameters for creating a secret

    Parameter

    Description

    Name

    Name of the secret you create, which must be unique.

    Cluster

    Cluster that will use the secret you create.

    Namespace

    Namespace to which the secret belongs. If you do not specify this parameter, the value default is used by default.

    Description

    Description of a secret.

    Type

    Type of the secret you create.

    • Opaque: common secret.
    • kubernetes.io/dockerconfigjson: a secret that stores the authentication information required for pulling images from a private repository.
    • IngressTLS: a secret that stores the certificate required by ingresses (layer-7 load balancing Services).
    • Other: another type of secret, which is specified manually.

    Secret Data

    Workload secret data can be used in containers.

    • If the secret is of the Opaque type:
      1. Click Add Data.
      2. Enter the key and value. The value must be based on the Base64 coding method. For details about the method, see Base64 Encoding.
    • If the secret type is kubernetes.io/dockerconfigjson, enter the account and password of the private image repository.
    • If the secret type is IngressTLS, upload the certificate file and private key file.
      NOTE:
      • A certificate is a self-signed or CA-signed credential used for identity authentication.
      • A certificate request is a request for a signature with a private key.

    Secret Label

    Labels are attached to objects such as workloads, nodes, and Services in key-value pairs.

    Labels define the identifiable attributes of these objects and are used to manage and select the objects.

    1. Click Add Label.
    2. Enter the key and value.

  4. Method 2: Create a secret based on the YAML file.

    To create a resource by uploading a file, ensure that the resource description file has been created. CCE supports files in JSON or YAML format. For more information, see Secret Resource File Configuration.

    You can import or directly write the file content in YAML or JSON format.
    • Method 1: Import the orchestration file.

      Click Add File to import the file in YAML or JSON format. The orchestration content can be directly displayed.

    • Method 2: Directly orchestrate the content.

      In the orchestration content area, enter the content of the YAML or JSON file.

  5. After the configuration is complete, click Create.

    The new secret is displayed in the key list.

Secret Resource File Configuration

This section describes configuration examples of secret resource description files.

For example, you can retrieve the username and password for a workload through a secret.

  • YAML format

    The secret.yaml file is defined as shown below. The value must be based on the Base64 coding method. For details about the method, see Base64 Encoding.

    apiVersion: v1
    kind: Secret
    metadata:
      name: mysecret           #Secret name
      namespace: default       #Namespace. The default value is default.
    data:
      username: ******  #The value must be Base64-encoded.
      password: ******  #The value must be encoded using Base64.
    type: Opaque     #You are advised not to change this parameter value.

Creating a Secret Using kubectl

  1. According to Connecting to a Cluster Using kubectl, configure the kubectl command to connect an ECS to the cluster.
  2. Create and edit the Base64-encoded cce-secret.yaml file.

    # echo -n "content to be encoded" | base64
    ******

    vi cce-secret.yaml

    apiVersion: v1
    kind: Secret
    metadata:
      name: mysecret
    type: Opaque
    data:
      username: ******
      password: ******

  3. Create a secret.

    kubectl create -f cce-secret.yaml

    You can query the secret after creation.

    kubectl get secret

Related Operations

After creating a secret, you can update or delete it as described in Table 2.

The secret list contains system secret resources that can be queried only. The system secret resources cannot be updated or deleted.

Table 2 Related Operations

Operation

Description

Viewing a YAML file

Click View YAML next to the secret name to view the YAML file corresponding to the current secret.

Updating a secret

  1. Select the name of the secret to be updated and click Update.
  2. Modify the secret data. For more information, see Table 1.
  3. Click Update.

Deleting a secret

Select the secret you want to delete and click Delete.

Follow the prompts to delete the secret.

Deleting secrets in batches

  1. Select the secrets to be deleted.
  2. Click Delete above the secret list.
  3. Follow the prompts to delete the secrets.

Base64 Encoding

To encrypt a character string using Base64, run the echo -n to-be-encoded content | base64 command. The following is an example.

root@ubuntu:~# echo -n "content to be encoded" | base64
******