Updated on 2024-08-05 GMT+08:00

Managing Secrets

Secrets are user-defined resources that store authentication and sensitive information such as application keys. They can be used as files or environment variables in applications.

This section describes how to create, delete, view, and update secrets.

Prerequisites

  1. A CCE cluster has been bound to the environment. For details, see Binding a CCE Cluster.
  2. The namespace to which the secret belongs has been created. For details, see Creating a Namespace.

Creating a Secret

  1. Log in to ServiceStage.
  2. On the Environment Management page, click the target environment.
  3. In the Resource Settings area, choose Cloud Container Engine from Compute.
  4. On the Secret page, click Create Secret.

    ServiceStage allows you to create secrets in Visualization or YAML mode.
    • Method 1: Visualization Configure the parameters by referring to Table 1. Parameters marked with an asterisk (*) are mandatory.
      Table 1 Parameters for creating a secret in visualization mode

      Parameter

      Description

      *Name

      Name of a secret, which must be unique in the same namespace.

      *Cluster

      Cluster where the secret will be used.

      Click Create Cluster to create a cluster.

      *Namespace

      Namespace to which the secret belongs. If you do not specify this parameter, the value default is used by default.

      Description

      Description of a secret.

      *Secret Type

      Select the type of the secret to be created based on service requirements.

      • Opaque: general secret type. If the secret type is not explicitly set in the secret configuration file, the default secret type is Opaque.
      • kubernetes.io/dockerconfigjson: a secret that stores the authentication information required for pulling images from a private repository.
      • IngressTLS: a secret that stores the certificate required by ingresses (layer-7 load balancing services).
      • Other: Enter a secret type that is none of the above.

      *Repository Address

      This parameter is valid only when Secret Type is set to kubernetes.io/dockerconfigjson. Enter the address of the image repository.

      *Secret data

      Value of the data field in the application secret file.

      • If the secret type is Opaque, enter the key and value. The value must be encoded using Base64. For more information, see Base64 Encoding.

        Click Add Data to add secret data.

      • If the secret type is kubernetes.io/dockerconfigjson, enter the username and password.
      • If the secret type is IngressTLS, upload the certificate file and private key file.
      • If the secret type is Other, enter the key and value.

      Secret Label

      Labels that you want to attach to various objects (such as applications, nodes, and services) in the form of key-value pairs.

      Labels define the identifiable attributes of these objects and are used to manage and select the objects.

      1. Click Add Label.
      2. Enter the key and value.
      Figure 1 Setting secret parameters in Visualization mode
    • Method 2: YAML

      To create a secret by uploading a file, ensure that the secret description file has been created. ServiceStage supports files in YAML format. For details, see Secret Resource File Configuration.

      1. Select a cluster from the Cluster drop-down list.
      2. (Optional) Click Upload File, select the created secret file, and click Open. Wait until the file is uploaded.
      3. Write or modify the secret resource file in Orchestration content.
      Figure 2 Setting secret parameters in YAML mode

  5. Click Create Secret.

    The new secret is displayed in the secret list.

Follow-Up Operations

After a secret is created, you can search for, view, update, and delete the secret by referring to Table 2.

  • Deleted items cannot be restored. Exercise caution when performing this operation.
  • The secret list contains system secrets, which can only be viewed and cannot be modified or deleted.
Table 2 Secret management operations

Operation

Description

Searching for a secret

  1. Select the namespace to which the secret belongs from the namespace drop-down list.
  2. Enter a secret name in the search box.

Viewing a secret

Click Show YAML in the Operation column of the target secret to view the content of the YAML file of the secret.

Updating a secret

  1. Click Update in the Operation column of the target secret.
  2. Modify the information according to Table 1.
  3. Click Modify Secret.

Deleting a secret

  1. Click Delete in the Operation column of the target secret.
  2. In the displayed dialog box, click OK.

Deleting secrets in batches

  1. Select the secrets to be deleted.
  2. Click Delete Key.
  3. In the displayed dialog box, click OK.

Secret Resource File Configuration

This section provides examples of configuring secret resource description files. For example, you can retrieve the username and password for an application through a secret.

username: my-username

password: my-password

The following shows the content of a secret file. The value must be encoded using Base64. For more information, see Base64 Encoding.

apiVersion: v1
kind: Secret
metadata:
  name: mysecret           #Secret name.
  namespace: default       #Namespace. The default value is default.
data:
  username: ******    #The value must be encoded using Base64.
  password: ******  #The value must be Base64-encoded.
type: Opaque     #You are advised not to change this parameter value.

Base64 Encoding

To encrypt a string using Base64, run the echo -n 'Content to be encoded' | base64 command in the local Linux environment. Example:

root@ubuntu:~# echo -n '3306' | base64
MzMwNg==

Where,

  • 3306 is the content to be encoded.
  • MzMwNg== is the encoded content.