Updated on 2024-10-15 GMT+08:00

Secrets

Secrets are Kubernetes objects that you can use to store sensitive data such as passwords, tokens, certificates, and private keys. You can load a secret to a container as an environment variable or a file when the container is started.

  • Secrets and SSL certificates share the same quota.
  • You are advised to encrypt the uploaded secret.

Creating Secrets

  1. Log in to the CCI console. In the navigation pane on the left, choose Configuration Center > Secrets. On the page displayed, select a namespace and click Create Secret.
  2. Select a creation mode. CCI allows you to create a secret by manually specifying parameters or uploading a file.

    • Method 1: manually specifying parameters. Configure parameters based on the description in Table 1. Parameters marked with an asterisk (*) are mandatory.
      Table 1 Parameter description

      Parameter

      Description

      Basic information

      * Name

      Name of the secret.

      Enter 1 to 253 characters starting and ending with a letter or digit. Only lowercase letters, digits, hyphens (-), and periods (.) are allowed. Do not enter two consecutive periods or a period adjacent to a hyphen.

      Description

      Description of the secret.

      * Data

      Secret data that you want to use in the container. Key indicates the file name and Value indicates the file content.

      1. Click Add Data.
      2. Enter a key and a value. If you select Auto transcoding, the value you entered will be automatically encoded using Base64.

      Label

      Labels that you want to attach to various objects (such as applications, nodes, and services) in the form of key-value pairs.

      Labels define the identifiable properties of these objects and are used to manage and select them.

      1. Click Add Label.
      2. Enter a key and a value.
    • Method 2: uploading a file.

      Ensure that the file is in JSON or YAML format and the file size is less than 2 MB. For details, see Secret File Format.

      Click Add File, select an existing secret resource file, and click Open.

  3. Click Create.

    The newly created secret is displayed in the secret list.

Using Secrets

After you create a secret, you can reference it as an environment variable or mount it to a container path during workload creation.

Figure 1 Referencing a secret as an environment variable
Figure 2 Mounting a secret to a container path

The mount path cannot exceed 256 characters.

Secret File Format

  • secret.yaml resource description file

    For example, to obtain the following key-value pairs and encrypt them for an application, you can use the secret.

    key1: value1

    key2: value2

    The content in the secret file secret.yaml is as follows. Base64 encoding is required for the value. For details about the Base64 encoding method, see Base64 Encoding.

    apiVersion: v1
    kind: Secret
    metadata:
      name: mysecret           #Secret name
      annotations:
        description: "test"
      labels:
        label-01: value-01
        label-02: value-02
    data:
    key1: dmFsdWUx    #Base64 encoding required
    key2: dmFsdWUy  #Base64 encoding required
    type: Opaque         #Must be Opaque
  • secret.json resource description file
    The content in the secret file secret.json is as follows:
    {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "annotations": {
                "description": "test"
            },
            "labels": {
                "label-01": "value-01",
                "label-02": "value-02"
            },
            "name": "mysecret"
        },
        "data": {
            "key1": "dmFsdWUx",
            "key2": "dmFsdWUy"
        },
        "type": "Opaque"
    }

Base64 Encoding

To perform Base64 encoding on a character string, run the echo -n Content to be encoded | base64 command. The following is an example:

root@ubuntu:~# echo -n "3306" | base64
MzMwNg==

Creating a Secret Using kubectl

For details, see Secret.