• Cloud Container Engine

cce
  1. Help Center
  2. Cloud Container Engine
  3. API Reference
  4. Secret (Native Kubernetes APIs)
  5. Creating a Secret

Creating a Secret

Function

This API is used to create a secret resource object that Kubernetes uses to process sensitive information.

When creating a secret named myregistry to pull CCE container images:

  • If you create a container cluster but does not deploy any application on this cluster, upload the AK/SK file by referring to Uploading an AK/SK File. Then a secret named myregistry will be automatically generated in the default namespace.
  • If you create a container cluster and deploy applications on this cluster using the CCE console, a secret named myregistry will also be automatically generated.

URI

POST /api/v1/namespaces/{namespace}/secrets

Table 1 describes the parameters of this API.

Table 1 Parameter description

Parameter

Mandatory

Description

pretty

No

If 'true', then the output is pretty printed.

namespace

Yes

Object name and auth scope, such as for teams and projects.

Request

Request parameters:

Table 2 describes the request parameters.

Table 2 Parameter description

Parameter

Mandatory

Type

Description

kind

Yes

String

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase.

The value of this parameter is Secret.

apiVersion

Yes

String

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values.

The value of this parameter is v1.

metadata

Yes

Table 3

-

data

No

object

Data contains the secret data. Each key must be a valid DNS_SUBDOMAIN or leading dot followed by valid DNS_SUBDOMAIN. The serialized form of the secret data is a base64 encoded string, representing the arbitrary (possibly non-string) data value here.

type

No

String

Used to facilitate programmatic handling of secret data.

The primitive k8s supports the following secret types:

  • kubernetes.io/service-account-token
  • kubernetes.io/.dockercfg
  • kubernetes.io/.dockerconfigjson
  • kubernetes.io/basic-auth
  • kubernetes.io/ssh-auth
  • kubernetes.io/tls
Table 3 Data structure of the metadata field

Parameter

Mandatory

Type

Description

name

Yes

String

Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition.

The name must be 0 to 253 characters in length.

The string must comply with regular expression [a-z0-9]([-a-z0-9]*[a-z0-9])?.

generateName

No

String

GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.

If this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header).

Applied only if Name is not specified.

Value length: 0 character < String length ≤ 253 characters.

The string must comply with regular expression [a-z0-9]([-a-z0-9]*[a-z0-9])?.

namespace

No

String

Namespace defines the space within each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty. Must be a DNS_LABEL. Cannot be updated.

Value length: 0 character < String length ≤ 253 characters.

The string must comply with regular expression [a-z0-9]([-a-z0-9]*[a-z0-9])?.

selfLink

No

String

SelfLink is a URL representing this object. Populated by the system. Read-only.

NOTE:

This parameter is automatically generated. Do not assign values to this parameter. Otherwise, the API fails to be called.

uid

No

String

UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations. Populated by the system. Read-only.

NOTE:

This parameter is automatically generated. Do not assign values to this parameter. Otherwise, the API fails to be called.

resourceVersion

No

String

An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources. Populated by the system. Read-only. Value must be treated as opaque by clients.

NOTE:

This parameter is automatically generated. Do not assign values to this parameter. Otherwise, the API fails to be called.

generation

No

Integer

A sequence number representing a specific generation of the desired state. Currently only implemented by replication controllers. Populated by the system. Read-only.

creationTimestamp

No

String

CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists.

NOTE:

This parameter is automatically generated. Do not assign values to this parameter. Otherwise, the API fails to be called.

deletionTimestamp

No

String

DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource will be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field. Once set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. Once the resource is deleted in the API, the Kubelet will send a hard termination signal to the container. If not set, graceful deletion of the object has not been requested. Populated by the system when a graceful deletion is requested. Read-only.

deletionGracePeriodSeconds

No

Integer

Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.

labels

No

Map[string]string

Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services.

Annotations

No

Map[string]string

Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects.

ownerReferences

No

Table 4

(A newly added parameter in Kubernetes 1.3)

List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.

finalizers

No

String array

(A newly added parameter in Kubernetes 1.3)

Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed.

Table 4 Data structure of the ownerReferences field

Parameter

Mandatory

Type

Description

apiVersion

No

String

(A newly added parameter in Kubernetes 1.3)

API version of the referent.

kind

No

String

(A newly added parameter in Kubernetes 1.3)

Kind of the referent.

name

Yes

String

(A newly added parameter in Kubernetes 1.3)

Name of the referent.

uid

No

String

(A newly added parameter in Kubernetes 1.3)

UID of the referent.

controller

No

Boolean

(A newly added parameter in Kubernetes 1.3)

If true, this reference points to the managing controller.

Example request:

  • Example of a general request
    {
      "apiVersion": "v1",
      "kind": "Secret",
      "metadata": {
        "name": "mysecret"
      },
      "type": "Opaque",
      "data": {
        "password": "******", #The Base64 coding scheme is required. The method is as follows: echo -n "Content to be encoded" | base64
        "username": "******", #The Base64 coding scheme is required. The method is as follows: echo -n "Content to be encoded" | base64
      }
    }
  • Example request where type in the request message body is kubernetes.io/.dockerconfigjson, indicating that an image from CCE's container registry is in use.
    kubernetes.io/.dockerconfigjson{
      "apiVersion": "v1",
      "kind": "Secret",
      "metadata": {
        "name": "myregistry"
      },
      "data": {
        ".dockerconfigjson": "eyJhdXRocyI6eyIxMC4xNTQuNTUuMTUwOjQ0MyI6eyJhdXRoIjoiWDJGMWRHaGZkRzlyWlc0Nk1tVm1PR1V5WVRVNVltUmtOR0ZpWkdJMk9HVmpOMkUzT1daalpUSTBaVFl0VEZSWE1rMVVVelJKVlU5RlZGTlRTa05VUXpZdE1qQXhOakE0TWpNeE5UTXdOVFl0T0RJelpqYzFZVEExTm1JMk4yTXlOMlF4T1dGaE9EQTVNbU0zTkRKbU1EbGxaVFkzTURVMVpXSmxZMlZpTkdJd05USmtNekE1TXpKaVlURmhZVEptWXc9PSIsImVtYWlsIjoiIn19fQo="
      },
      "type": "kubernetes.io/dockerconfigjson"
    }

    Ensure that the value of name is myregistry.

    To acquire the value of data, perform the following steps:

    1. Log in to the Linux machine you have prepared.
    2. Run the following commands to copy the AK/SK file and project ID to the Linux machine:

      AK={Access_key_ID}

      SK={Secret_access_key}

      PROJECTID={Project_ID}

      In these commands:

      • {Access_key_ID} must be replaced by the AK obtained in Uploading an AK/SK File.
      • {Secret_access_key} must be replaced by the SK obtained in Uploading an AK/SK File.
      • {Project_ID} must be replaced by the project ID displayed by choosing My Credential > Project List on the CCE console.
    3. Run the following command to copy the container registry address to the Linux machine:

      DOCKER_REGISTRY_IP={container_registry_address}

      If the container registry you will connect to is externally accessible, set {container_registry_address} to the container registry address displayed on the Container Registry page of the CCE console. If the container registry you will connect to is internally accessible, set {container_registry_address} to 100.125.1.72:6443.

    4. Run the following commands to generate a dockercfg file:

      AKTMP="$PROJECTID-$AK-`date --date='1 year ' '+%Y%m%d%H%M%S'`"

      SKTMP=`printf "$AK" | openssl dgst -binary -sha256 -hmac "$SK" | od -An -vtx1 | sed 's/[ \n]//g' | sed 'N;s/\n//'`

      LOGINPWD="$AKTMP-$(printf "$AKTMP" | openssl dgst -binary -sha256 -hmac "$SKTMP" | od -An -vtx1 | sed 's/[ \n]//g' | sed 'N;s/\n//')"

      DOCKERCFG=$(echo -n "_auth_token:$LOGINPWD" | base64 | sed 's/[ \n]//g' | sed 'N;s/\n//')

      echo "{\"auths\":{\"$DOCKER_REGISTRY_IP\":{\"auth\":\"$DOCKERCFG\",\"email\":\"\"}}}"

    5. Save the content of the certificate file as a text file.
    6. Encode the certificate file using Base64 scheme.
      cat dockercfg.txt | base64 -w 0

      Where dockercfg.txt is the certificate file name saved in 5.

    7. Create a secret.
      {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
          "name": "myregistry"
        },
        "data": {
          ".dockerconfigjson": "<base-64-encoded-json-here>"
        },
        "type": "kubernetes.io/dockerconfigjson"
      }

      Ensure that the value of name is myregistry.

      Where <base-64-encoded-json-here> is replaced by content in the encoded certificate file.

      NOTE:

      If an image from CCE's container registry is in use, be sure to replace the value of name in the imagePullSecrets parameter with the secret name created in 7 when you are creating a Pod or ReplicationController.

Response

Response parameters:

For the description about response parameters, see the parameter description in Request.

Example response:

{ 
   "kind": "Secret", 
   "apiVersion": "v1", 
   "metadata": { 
     "name": "mysecret", 
     "namespace": "default", 
     "selfLink": "/api/v1/namespaces/default/secrets/mysecret", 
     "uid": "597c306b-594e-11e6-b444-286ed488fafe", 
     "resourceVersion": "10742", 
     "creationTimestamp": "2016-08-03T07:46:12Z" 
   }, 
   "data": { 
    "password": "******", 
    "username": "******",  
   }, 
   "type": "Opaque" 
 }

Status Code

Table 5 describes the status code of this API.

Table 5 Status code

Status Code

Description

201

This operation succeeds, and a secret resource object is returned.

For the description about status codes, see section Status Codes.