Using a Secret

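The following example defines a secret. Every value under data must be Base64-encoded. Base64 is an encoding, not encryption, so anyone who can read the manifest can recover the values.

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: bXlfdXNlcm5hbWU=   # Base64 of "my_username"
  password: ******   # Placeholder. Replace with the Base64-encoded password: echo -n "Content to be encoded" | base64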

When a secret is used in a pod, the pod and secret must be in the same cluster and namespace.

Configuring the Data Volume of a Pod

A secret can be used as a file in a pod. As shown in the following example, the username and password of the mysecret secret are saved in the /etc/foo directory as files.

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret: 
      secretName: mysecret

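In addition, you can specify the path and the file permissions for individual keys of a secret. In the following example, the username is stored in the file /etc/foo/my-group/my-username in the container. Because only the username key is listed under items, the password key is not mounted.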

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      items:
      - key: username
        path: my-group/my-username
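        mode: 511   # Decimal; 511 = octal 0777 (read, write and execute for everyone). Use 256 (octal 0400) for owner read-only.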
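
The following Python check is an added example, not part of the original CCE guide. It covers the two settings above that are easy to get wrong: the Base64 values under data (including a trailing newline left by echo without -n) and the decimal mode on a secret volume item. The function names, the constructed sample dicts and the choice to flag permission bits beyond the Kubernetes default of 0644 are assumptions made for this example.

```python
import base64
import binascii

K8S_DEFAULT_MODE = 0o644  # Kubernetes default mode for files in a secret volume

def audit_secret(secret):
    """Check each value under data: strict Base64, no stray trailing newline."""
    findings = []
    for key, value in secret.get("data", {}).items():
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            findings.append(f"data.{key}: not valid Base64")
            continue
        if raw.endswith(b"\n"):
            findings.append(f"data.{key}: decodes with trailing newline (echo without -n?)")
    return findings

def audit_secret_volumes(pod):
    """Flag secret volume file modes that grant more than the 0644 default."""
    findings = []
    for vol in pod["spec"].get("volumes", []):
        src = vol.get("secret")
        if src is None:
            continue
        modes = [(i["path"], i["mode"]) for i in src.get("items", []) if "mode" in i]
        if "defaultMode" in src:
            modes.append(("defaultMode", src["defaultMode"]))
        for label, mode in modes:
            extra = mode & ~K8S_DEFAULT_MODE & 0o777  # bits beyond rw-r--r--
            if extra:
                findings.append(f"{vol['name']}/{label}: mode {mode} is 0{mode:o}, extra bits 0{extra:o}")
    return findings

# Constructed inputs: the page's manifests written as Python dicts.
secret_plain = {"kind": "Secret", "data": {"username": "my_username", "password": "constructed-pass"}}
secret_newline = {"kind": "Secret", "data": {
    "username": base64.b64encode(b"my_username").decode(),
    "password": base64.b64encode(b"constructed-pass\n").decode()}}  # encoded with a newline
pod = {"kind": "Pod", "spec": {"volumes": [{"name": "foo", "secret": {
    "secretName": "mysecret",
    "items": [{"key": "username", "path": "my-group/my-username", "mode": 511}]}}]}}

if __name__ == "__main__":
    for line in audit_secret(secret_plain) + audit_secret(secret_newline) + audit_secret_volumes(pod):
        print(line)
```

A trailing newline inside a decoded secret value is a common cause of authentication failures that are hard to trace, which is why the encoding command uses echo -n.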

To mount a secret to a data volume, you can also perform operations on the CCE console. When creating an application, set advanced settings for the container, choose Data Storage > Local Disks, click Add Local Disk, and select Secret. For details, see Secret.