Manage secrets

  • TLS keys
  • tokens
  • passwords

Secrets belong to a specific Mesh resource, and cannot be shared across different Meshes. use secrets at runtime.

Kuma leverages Secret resources internally for certain operations, for example when storing auto-generated certificates and keys when Mutual TLS is enabled.

On Kubernetes, Kuma under the hood leverages the native Kubernetes Secret resource to store sensitive information.

Kuma secrets are stored in the same namespace as the Control Plane with type set to system.kuma.io/secret:

Use kubectl to manage secrets like any other Kubernetes resource.

  1. echo "apiVersion: v1
  2. kind: Secret
  3. metadata:
  4.   name: sample-secret
  5.   namespace: kuma-system
  6.   labels:
  7.     kuma.io/mesh: default
  8. data:
  9.   value: dGVzdAo=
  10. type: system.kuma.io/secret" | kubectl apply -f -
  12. kubectl get secrets -n kuma-system --field-selector='type=system.kuma.io/secret'
  13. # NAME            TYPE                    DATA   AGE
  14. # sample-secret   system.kuma.io/secret   1      3m12s

In order to reassign a Secret from one Mesh to another Mesh you need to delete the Secret resource and create it in another Mesh.

A Secret is a simple resource that stores specific :

  1. name: sample-secret
  2. mesh: default
  3. data: dGVzdAo= # Base64 encoded

Use kumactl to manage any Secret the same way you would do for other resources:

The data field of a Kuma Secret is a Base64 encoded value. Use the base64 command in Linux or macOS to encode any value in Base64:

  1. # Base64 encode a file
  2. cat cert.pem | base64
  4. # or Base64 encode a string
  5. echo "value" | base64

Secret API requires authentication. Consult Accessing Admin Server from a different machine for how to configure remote access.

Mesh-scoped Secrets are bound to a given Mesh. Only this kind of Secrets can be used in Mesh Policies like or TLS setting in External Service.

  1. apiVersion: v1
  2. kind: Secret
  3. metadata:
  4.   name: sample-secret
  5.   namespace: kuma-system
  6.   labels:
  7.     kuma.io/mesh: default # specify the Mesh scope of the secret
  8. data:
  9.   value: dGVzdAo=
  10. type: system.kuma.io/secret

Global-scoped Secrets are not bound to a given Mesh and cannot be used in Mesh Policies. Global-scoped Secrets are used for internal purposes. You can manage them just like the regular secrets using kumactl or kubectl.

Notice that the type is different and kuma.io/mesh label is not present.

  2. kind: Secret
  3.   name: sample-secret
  4.   namespace: kuma-system
  5. data:
  6.   value: dGVzdAo=
  7. type: system.kuma.io/global-secret

Notice that the type is different and mesh field is not present.

  1. type: GlobalSecret
  2. name: sample-global-secret
  3. data: dGVzdAo=

Usage

Here is an example of how you can use a Kuma Secret with a provided backend.

  1. apiVersion: kuma.io/v1alpha1
  2. kind: Mesh
  3. metadata:
  4.   name: default
  5. spec:
  6.   mtls:
  7.     backends:
  8.       - name: ca-1
  9.         type: provided
  10.         config:
  11.           cert:
  12.             secret: my-cert # name of the Kubernetes Secret
  13.           key: