Updated on 2025-09-24 GMT+08:00

CCE Servers Using CSMS

Overview

CCE provides multiple types of plug-ins to extend cluster functions. The dew-provider plug-in of CCE interconnects with CSMS and mounts secrets to service pods. This decouples sensitive information from the cluster environment and prevents leakage caused by hard-coded or plaintext configuration.

Constraints

  • Supported cluster versions: v1.19 and later
  • Supported cluster types: CCE Standard and CCE Turbo

Components

Table 1 dew-provider components

| Component | Description | Resource Type |
|---|---|---|
| dew-provider | A component that obtains specified secrets from CSMS and mounts them to the pods. | DaemonSet |
| secrets-store-csi-driver | A component responsible for maintaining two CRDs: SecretProviderClass (SPC) and SecretProviderClassPodStatus (spcPodStatus). SPC is used to describe the secret that users are interested in (such as the secret version and name). It is created by users and will be referenced in pods. spcPodStatus is used to trace the binding relationships between pods and secrets. It is automatically created by csi-driver and requires no manual operation. One pod corresponds to one spcPodStatus. After a pod is started, a spcPodStatus is generated for the pod. When the pod lifecycle ends, the spcPodStatus is deleted accordingly. | DaemonSet |
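
Because spcPodStatus records which pod is bound to which secret, it can be used to audit secret exposure across the cluster. The following is an added example, not part of the original documentation: the sample data is constructed, and the status field names (podName, secretProviderClassName, mounted, objects) follow the upstream Secrets Store CSI Driver CRD and are assumed to apply unchanged to the CCE add-on.

```python
import json

# Constructed sample shaped like `kubectl get secretproviderclasspodstatus -A -o json`.
# Field names follow the upstream Secrets Store CSI Driver CRD (assumed unchanged on CCE).
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "default", "name": "web-0-default-spc-db"},
   "status": {"podName": "web-0", "secretProviderClassName": "spc-db", "mounted": true,
              "objects": [{"id": "db-password", "version": "v2"}]}},
  {"metadata": {"namespace": "default", "name": "job-7-default-spc-db"},
   "status": {"podName": "job-7", "secretProviderClassName": "spc-db", "mounted": false,
              "objects": []}},
  {"metadata": {"namespace": "batch", "name": "etl-1-batch-spc-api"},
   "status": {"podName": "etl-1", "secretProviderClassName": "spc-api", "mounted": true,
              "objects": [{"id": "api-token", "version": "v1"},
                          {"id": "db-password", "version": "v1"}]}}
]}
""")

def bindings(doc):
    """Flatten spcPodStatus items into one record per pod."""
    out = []
    for item in doc.get("items", []):
        st = item.get("status", {})
        out.append({
            "namespace": item["metadata"]["namespace"],
            "pod": st.get("podName", ""),
            "spc": st.get("secretProviderClassName", ""),
            "mounted": bool(st.get("mounted", False)),
            "secrets": {o["id"]: o.get("version", "") for o in st.get("objects", [])},
        })
    return out

def pods_by_secret(records):
    """Map each secret to the (namespace, pod, version) tuples that have it mounted."""
    index = {}
    for r in records:
        if r["mounted"]:
            for secret, version in r["secrets"].items():
                index.setdefault(secret, []).append((r["namespace"], r["pod"], version))
    return index

def unmounted(records):
    """Pods that reference an SPC but whose status reports mounted=false."""
    return [(r["namespace"], r["pod"], r["spc"]) for r in records if not r["mounted"]]

def mixed_versions(index):
    """Secrets mounted at more than one version across pods; review these."""
    seen = {s: sorted({v for _, _, v in pods}) for s, pods in index.items()}
    return {s: versions for s, versions in seen.items() if len(versions) > 1}
```

To run it against a live cluster, replace SAMPLE with the parsed JSON output of the kubectl command named in the first comment.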

Installing the Plug-in On the Console

  1. Log in to the CCE console. Click the cluster name to access its details page. In the navigation pane on the left, choose Add-ons. Locate dew-provider on the right and click Install.
  2. On the Install Add-on page, configure parameters as required. Table 2 describes the parameters.

    Table 2 Parameters

    | Parameter | Description |
    |---|---|
    | rotation_poll_interval | Rotation interval, in minutes. Use the unit suffix m, not min. The rotation interval indicates the interval for sending a request to CSMS and obtaining the latest secret. The proper interval range is [1m, 1440m]. The default value is 2m. |

  3. Click Install. After the plug-in is installed, select the cluster and click Add-ons from the navigation pane. On the displayed page, view the plug-in in the Add-ons Installed area.
  4. The plug-in works only with secrets that have been created in DEW. Otherwise, the pod cannot run. For details about how to create a secret, see Creating a Secret.
  5. Use the plug-in after it is installed. For details, see CCE Secrets Manager for DEW.