Secrets

Creating Secrets

1. Log in to the CCI console. In the navigation pane on the left, choose Configuration Center > Secrets. On the page displayed, select a namespace and click Create Secret.
2. Select a creation mode. CCI allows you to create a secret by manually specifying parameters or uploading a file.
   • Method 1: manually specifying parameters. Configure parameters based on the description in Table 1. Parameters marked with an asterisk (*) are mandatory.

     Table 1 Parameter description

     Parameter	Description
     Basic information
     * Name	Name of the secret. Enter 1 to 253 characters starting and ending with a letter or digit. Only lowercase letters, digits, hyphens (-), and periods (.) are allowed. Do not enter two consecutive periods or a period adjacent to a hyphen.
     Description	Description of the secret.
     * Data	Secret data that you want to use in the container. Key indicates the file name and Value indicates the file content. Click Add Data. Enter a key and a value. If you select Auto transcoding, the value you entered will be automatically encoded using Base64.
     Label	Labels that you want to attach to various objects (such as applications, nodes, and services) in the form of key-value pairs. Labels define the identifiable properties of these objects and are used to manage and select them. Click Add Label. Enter a key and a value.

   • Method 2: uploading a file.
     

     Ensure that the file is in JSON or YAML format and the file size is less than 2 MB. For details, see Secret File Format.

     Click Add File, select an existing secret resource file, and click Open.

3. Click Create.

   The newly created secret is displayed in the secret list.

Using Secrets

After you create a secret, you can reference it as an environment variable or mount it to a container path during workload creation.

Figure 1 Referencing a secret as an environment variable

Figure 2 Mounting a secret to a container path

The mount path cannot exceed 256 characters.

Secret File Format

• secret.yaml resource description file

  For example, to obtain the following key-value pairs and encrypt them for an application, you can use the secret.

  key1: value1

  key2: value2

  The content in the secret file secret.yaml is as follows. Base64 encoding is required for the value. For details about the Base64 encoding method, see Base64 Encoding.

  apiVersion: v1
  kind: Secret
  metadata:
    name: mysecret           #Secret name
    annotations:
      description: "test"
    labels:
      label-01: value-01
      label-02: value-02
  data:
  key1: dmFsdWUx    #Base64 encoding required
  key2: dmFsdWUy  #Base64 encoding required
  type: Opaque         #Must be Opaque

• secret.json resource description file
  The content in the secret file secret.json is as follows:

  {
      "apiVersion": "v1",
      "kind": "Secret",
      "metadata": {
          "annotations": {
              "description": "test"
          },
          "labels": {
              "label-01": "value-01",
              "label-02": "value-02"
          },
          "name": "mysecret"
      },
      "data": {
          "key1": "dmFsdWUx",
          "key2": "dmFsdWUy"
      },
      "type": "Opaque"
  }

Base64 Encoding

To perform Base64 encoding on a character string, run the echo -n Content to be encoded | base64 command. The following is an example:

root@ubuntu:~# echo -n "3306" | base64
MzMwNg==

Creating a Secret Using kubectl

For details, see Secret.