• Cloud Container Engine

cce
  1. Help Center
  2. Cloud Container Engine
  3. User Guide 2.0
  4. Configuration Center
  5. Creating a Secret

Creating a Secret

A secret is a type of resource that holds sensitive data, such as authentication and key information. All content is user-defined. After creating secrets, you can use them as files or environment variables in a containerized application.

Prerequisites

Cluster and node resources have been created. For more information, see Creating a VM Cluster.

Procedure

  1. Log in to the CCE console. In the navigation pane, choose Configuration Center > Secrets, and click Create Secret.
  2. Create a secret manually or by uploading a file.

    • To create a secret manually, set the parameters for creating a secret listed in Table 1. The parameters marked with an asterisk (*) are mandatory.
      Table 1 Parameters for creating a Key

      Parameter

      Description

      * Name

      Name of the secret you create, which must be unique.

      * Cluster

      Cluster that will use the secret you create.

      * Namespace

      Namespace to which the configuration item belongs. If you do not specify this parameter, the value default is used by default.

      * Type

      Type of the secret you create.

      • Opaque: common secret
      • kubernetes.io/dockerconfigjson: a secret that stores the authentication information required for pulling images from a private repository.
      • IngressTLS: a secret that stores the certificate required by the Layer-7 load balancing service.
      • Other: Another type of secret, which is specified manually.

      Description

      Description of a secret.

      Secret Data

      Application secret data can be used in containers.

      • If the secret is of the Opaque type:
        1. Click Add Data.
        2. Enter the key and value. The value must be encoded to Base64. For details about the encoding method, see Base64 Encoding.
      • If the secret is of the kubernetes.io/dockerconfigjson type, enter the account name and password of the private image repository.
      • If the secret is of the IngressTLS type, upload certificate files and private key files.

      Secret Labels

      Labels are attached to objects such as applications, nodes, and services in key-value pairs.

      Labels define the identifiable attributes of these objects and are used to manage and select the objects.

      1. Click Add Label.
      2. Set Key and Value.
    • To create a Secret resource by uploading a file, perform the following steps:
      NOTE:

      When creating a resource by uploading a file, ensure that the resource description file has been created. CCE supports files in JSON or yaml format. For more information, see Secret Resource File Configuration.

      1. Choose a cluster from the Cluster drop-down list.
      2. Select the corresponding cluster namespace.
      3. Click Upload, select the created secret resource file, and click Open.

  3. After the configuration is complete, click Create Now.

    The new secret is displayed in the key list.

Secret Resource File Configuration

This section describes configuration examples of secret resource description files.

For example, you can retrieve the username and password for an application through a secret.

  • YAML format

    The secret.yaml file is defined as shown below. The value must be encoded to Base64. For details about the encoding method, see Base64 Encoding.

    apiVersion: v1
     kind: Secret
     metadata: 
       name: mysecret           # secret name
       namespace: default       # By default, the namespace is default.
     data:
       username: my_username
       password: ****** # The Base64 coding scheme is required. The method is as follows: echo -n "Content to be encoded" | base64.
     type: Opaque     # You are advised not to change the value of type.
  • JSON format

    The secret.json file is defined as shown below.

    {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": "mysecret",
            "namespace": "default"
        },
        "data": {
            "password": "******", # The Base64 coding scheme is required. The method is as follows: echo -n "Content to be encoded" | base64
            "username": "my_username"
        },
        "type": "Opaque"
    }
NOTE:

Set the username and password to the actual user name and password.

Creating a Secret Using kubectl

  1. According to Connecting to a Kubernetes Cluster Using kubectl, configure the kubectl command to connect an ECS server to the cluster.
  2. Create and edit the cce-secrets.yaml file based on the Base64 encoding method.

    vi cce-secret.yaml

    apiVersion: v1
    kind: Secret
    metadata:
      name: mysecret
    type: Opaque
    data:
      username: mysecret
      password: ****** # The Base64 coding scheme is required. The method is as follows: echo -n "Content to be encoded" | base64

  3. Create a secret.

    kubectl create -f cce-secret.yaml

    You can query the secret after creation.

    kubectl get secret

Base64 Encoding

To encrypt a character string to Base64, you can run the echo -n encoding content | base64 command. The following is an example.

root@ubuntu:~# echo -n "Content to be encoded" | base64
******

Related Operations

After creating a configuration item, you can update or delete it as described in Table 2.
NOTE:

The secret list contains system secret resources that can be queried only. The system secret resources cannot be updated or deleted.

Table 2 Related Operations

Operation

Description

Updating a secret

  1. Select a key you want to modify and click Modify.
  2. Modify the secret data. For more information, see Table 1.
  3. Click Modify Secret.

Deleting a secret

Select the secret you want to delete and click Delete.

Follow the prompts to delete the secret.

Deleting secrets in batches

  1. Select the secrets to be deleted.
  2. Click Delete above the secret list.
  3. Follow the prompts to delete the secrets.