Updated on 2024-06-17 GMT+08:00

Secrets

A secret is a type of resource that holds sensitive data, such as authentication and key information. Its content is user-defined.

  • After a secret is created on the UCS console, it is in the undeployed state by default. You need to mount the secret when creating or updating a workload. For details, see Secret.
  • After a secret is mounted to a workload, a secret with the same name is created in each cluster to which the workload belongs.

Creating a Secret

  1. Log in to the UCS console. In the navigation pane, choose Fleets.
  2. On the Fleets tab, click the name of the federation-enabled fleet to access its details page.
  3. Choose ConfigMaps and Secrets in the navigation pane and click the Secrets tab.
  4. Select the namespace for which you want to create a secret and click Create Secret in the upper right corner.
  5. Set the parameters listed in Table 1.

    Table 1 Parameters for creating a secret

    Parameter

    Description

    Name

    Name of a secret, which must be unique in the same namespace.

    Namespace

    Namespace to which the secret belongs. The current namespace is used by default.

    Description

    Description of the secret.

    Type

    Type of the secret.

    • Opaque: common secret. In high-sensitive scenarios, you are advised to encrypt sensitive data using data encryption services and then store the encrypted data in secrets.
    • kubernetes.io/dockerconfigjson: a secret that stores the authentication information required for pulling images from a private repository. If you select this secret type, enter the image repository address.
    • IngressTLS: a secret that stores the certificate required by an Ingress. If you select this secret type, upload the certificate file and private key file.
    • Other: another type of secret, which is specified manually.

    Data

    Workload secret data can be used in containers.

    • If the secret type is Opaque, enter the key and value. The value must be a Base64-encoded value. You can select Auto Base64-encoded to Base64-encode the entered value. For details about manual Base64 encoding, see Base64 Encoding.
    • If the secret type is kubernetes.io/dockerconfigjson, enter the username and password of the private image repository.

    Label

    Labels are attached to objects such as workloads, nodes, and Services in key-value pairs.

    Labels define identified attributes of these objects and can be used to manage and select objects.

    1. Click Confirm.
    2. Enter the key and value.

  6. Click OK.

    The new secret is displayed in the secret list.

Using a Secret

After a secret is created, you can mount the secret to a container for storage during workload creation. Then, you can read the secret data from the mount path of the container. For details, see Secret.

Base64 Encoding

To Base64-encode a string, run the echo -n Content to be encoded | base64 command. The following is an example:

echo -n "Content to be encoded" | base64

Related Operations

You can also perform operations described in Table 2.
Table 2 Related operations

Operation

Description

Creating a secret from a YAML file

Click Create from YAML in the upper right corner to create a secret from an existing YAML file.

Viewing details

Click the secret name to view its details.

Editing a YAML file

Click Edit YAML in the row where the target secret resides to edit its YAML file.

Updating a secret

  1. Choose More > Update in the row where the target secret resides.
  2. Modify the secret information according to Table 1.
  3. Click OK to submit the modified information.

Deleting a secret

Choose More > Delete in the row where the target secret resides, and click Yes.

Deleting secrets in batches

  1. Select the secrets to be deleted.
  2. Click Delete in the upper left corner.
  3. Click Yes.