All Products
Search

This Product

    Container Compute Service:Manage Secrets

    Document Center

    Container Compute Service:Manage Secrets

    Last Updated:Dec 11, 2024

    In scenarios where you need to connect workloads to backend database services or authenticate requests from clients, you may need to ensure the confidentiality of sensitive information, such as usernames, passwords, and certificates. To avoid disclosing sensitive information, we recommend that you use Secrets to store sensitive information in Alibaba Cloud Container Compute Service (ACS) clusters. This topic describes how to create, modify, and delete Secrets in an ACS cluster.

    Prerequisites

    An Alibaba Cloud Container Compute Service (ACS) cluster is created. For more information, see Create an ACS cluster.

    Background information

    Secrets are classified into the following types:

    • Service account: A service account is automatically created by Kubernetes and automatically mounted to the /run/secrets/kubernetes.io/serviceaccount directory of a pod. The service account provides an identity for the pod to interact with the API server.

    • Opaque: This type of Secret is encoded by using Base64 and used to store sensitive information, such as passwords and certificates.

    By default, you can create only Opaque Secrets in the ACS console. Opaque Secrets store map type data. Therefore, values must be encoded by using Base64.

    You can create Secrets in the ACS console with a few clicks. Plaintext Secrets are automatically encoded by using Base64. You can also create Secrets by using the CLI. For more information, see Kubernetes Secrets.

    Create a Secret

    1. Log on to the ACS console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, find the cluster that you want to manage and click its ID. In the left-side navigation pane of the cluster details page, choose Configurations > Secrets.

    3. On the Secrets page, select a namespace from the Namespace drop-down list. In the upper-right corner of the Secrets page, click Create and configure the Secret in the panel that appears.

      Parameter

      Description

      Name

      Enter a name for the Secret.

      Type

      You can select Opaque, Private Repository Logon Secret, or TLS Certificate.

      Opaque

      If you set Type to Opaque, configure the following parameters:

      • Optional: To encode plaintext data by using Base64, select Encode Data Values Using Base64.

      • Configure the Secret in key-value pairs. Click + Add. Enter the keys and values for the Secret in the Name and Value fields.

      Private Repository Logon Secret

      If you set Type to Private Repository Logon Secret, configure the following parameters:

      • Docker Registry URL: Enter the address of the Docker registry where your Secret is stored.

      • Username: Enter the username that is used to log on to the Docker registry.

      • Password: Enter the password that is used to log on to the Docker registry.

      TLS Certificate

      If you set Type to TLS Certificate, configure the following parameters:

      • Cert: Enter a TLS certificate.

      • Key: Enter the key for the TLS certificate.

    What to do next

    After you create the Secret, you can perform the following operations on the Secrets page:

    • Click the name of the Secret to view the basic information and details about the Secret.

      Note

      Click the image.png icon to view the values in plaintext.

    • Click Edit in the Actions column to modify the information of the Secret.

    • Click Delete in the Actions column to delete the Secret.

      Important

      Do not delete or modify Secrets that are automatically created in system namespaces, such as kube-system. This ensures the stability and reliability of the system.

    References

    For more information about how to use Secrets in an ACS cluster by using volumes and environment variables, see Use Secrets in pods.