Secrets
Secrets belong to a specific Mesh resource, and cannot be shared across different Meshes.
Kuma will also leverage Secret resources internally for certain operations, for example when storing auto-generated certificates and keys when Mutual TLS is enabled.
A Secret is a simple resource that stores specific data. You can use kumactl to manage any Secret like you would do for other resources:
```sh
$ echo "type: Secret
mesh: default
name: sample-secret
data: dGVzdAo=" | kumactl apply -f -
```
On Kubernetes, Kuma under the hood leverages the native Kubernetes Secret resource to store sensitive information. Kuma secrets are stored in the same namespace as the Control Plane, with type valued as system.kuma.io/secret. Use kubectl to manage them like any other Kubernetes resource:
```sh
$ echo "apiVersion: v1
kind: Secret
metadata:
  name: sample-secret
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
data:
  value: dGVzdAo=
type: system.kuma.io/secret" | kubectl apply -f -
$ kubectl get secrets -n kuma-system --field-selector='type=system.kuma.io/secret'
NAME TYPE DATA AGE
```
Like any other Kuma resource, if kuma.io/mesh is not specified then the Secret will automatically belong to the default Mesh.
In order to reassign a Secret to another Mesh you need to delete the Secret resource and apply it again.
The data field of a Kuma Secret should always be a Base64 encoded value. You can use the base64 command in Linux or macOS to encode any value in Base64.
Here is an example of how you can use a Kuma Secret with a provided Mutual TLS backend. The example below assumes that the Secret objects have already been created beforehand.
```yaml
type: Mesh
name: default
mtls:
  backends:
  - name: ca-1
    type: provided
    config:
      cert:
        secret: my-cert # name of the Kuma Secret holding the CA certificate
      key:
        secret: my-key  # name of the Kuma Secret holding the CA private key
```
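The following shell functions are an added example, not code from the Kuma docs or the Kuma project, covering both the Base64 requirement on the data field and the pair of Secrets a provided mTLS backend expects. They build Secret manifests from files, keep the encoded value on a single line (GNU base64 wraps output at 76 characters by default, which would corrupt the one-line data field), and decode the value back out so the round trip can be checked before anything is applied. The function names, the kuma-system namespace default, and the use of the ca.crt/ca.key file names in the usage note are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Kuma docs): generate Kuma Secret manifests from
# files, with the Base64 handling that the `data` field requires.
set -eu

# Encode stdin as a single Base64 line. GNU base64 wraps at 76 characters by
# default, and a wrapped value breaks the one-line `data:` field, so newlines
# are stripped instead of relying on the GNU-only `-w0` flag.
b64_oneline() {
  base64 | tr -d '\n'
}

# Universal-mode Secret for `kumactl apply -f -`.
#   $1 = Secret name, $2 = Mesh name, $3 = file whose contents become `data`
kuma_secret_universal() {
  printf 'type: Secret\nmesh: %s\nname: %s\ndata: %s\n' \
    "$2" "$1" "$(b64_oneline < "$3")"
}

# Kubernetes-mode Secret for `kubectl apply -f -`: lives in the control plane
# namespace (kuma-system assumed here), carries type system.kuma.io/secret and
# picks its Mesh by label.
kuma_secret_k8s() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: kuma-system\n  labels:\n    kuma.io/mesh: %s\ndata:\n  value: %s\ntype: system.kuma.io/secret\n' \
    "$1" "$2" "$(b64_oneline < "$3")"
}

# Recover the original bytes from a universal manifest on stdin, so the
# round trip can be verified before the Secret is applied to the mesh.
kuma_secret_decode() {
  sed -n 's/^data: //p' | base64 -d
}

# Emit the pair of Secrets a `provided` mTLS backend references
# (`my-cert` and `my-key` as in the Mesh example above), separated by a YAML
# document marker so a single `kumactl apply -f -` loads both.
#   $1 = Mesh name, $2 = CA certificate PEM file, $3 = CA private key PEM file
provided_backend_secrets() {
  kuma_secret_universal my-cert "$1" "$2"
  printf '%s\n' ---
  kuma_secret_universal my-key "$1" "$3"
}
```

Typical use is `provided_backend_secrets default ca.crt ca.key | kumactl apply -f -`, after which the Mesh manifest above can reference my-cert and my-key. Note that `echo "test" | base64` yields dGVzdAo= (the page's sample value) because echo appends a newline; when the exact bytes matter, feed a file or use `printf '%s'` so no stray newline is encoded.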