A Kubernetes Secret is a type of resources that are used to store and managed sensitive information, such as keys and certificates. To prevent sensitive configurations from being exposed when you deploy an application by using an image, we recommend that you use a namespace-level Secret of Serverless App Engine (SAE). After you configure a Secret, you can inject the configurations into containers by using an image when you create or deploy an application. If you modify the Secret, you need to only redeploy the application.
Prerequisites
A namespace is created. For more information, see Create a namespace.
Usage notes
If you use an image to deploy an application to SAE, the image is pulled by default without the need to enter passwords. If you use a Secret to deploy the application, the password-free image pulling feature is disabled. If you want to use the password-free image pulling feature, redeploy the application and disable the Secret feature.
Each time a Secret is modified, a new version is generated for the Secret. The new version takes effect only for new instances that are generated by manual scaling or auto scaling after the modification is performed. The new version does not take effect for existing instances. To ensure that all instances of an application use the same version of a Secret, you must manually restart or redeploy the application after you modify the Secret.
If you delete a Secret, the associated applications cannot run as expected. Before you delete the Secret, you must disassociate the Secret from the applications.
If your configurations do not need to be encrypted, you can use the ConfigMap feature of SAE. For more information, see Manage a Kubernetes ConfigMap.
Create a Secret
Log on to the SAE console.
In the left-side navigation pane, click Namespaces. In the top navigation bar, select a region. Then, click the name of a namespace.
In the left-side navigation pane, click Secrets. On the Secrets page, click Create.
In the Create panel, configure the parameters and click OK. The following table describes the parameters.
Parameter
Description
Name
Enter a name for the Secret.
Type
The type of the Secret. Valid values: Opaque, Private Image Repository Logon Secret, and TLS Certificate.
Opaque
The following parameters are required if you set the Type parameter to Opaque:
Base64 Encoding: By default, SAE encodes plaintext data by using the Base64 algorithm.
Key-value Pair: the key-value pairs of the sensitive data.
Private Repository Logon Secret
The following parameters are required if you set the Type parameter to Private Repository Logon Secret:
Image Repository Address: the address of the image repository in which the sensitive data is stored. For information about how to obtain the address of an image repository, see Image repository.
NoteYou must enter the virtual private cloud (VPC) endpoint of the image repository. Example:
registry-vpc.cn-beijing.aliyuncs.com
.Username: the username that is used to log on to the image repository.
Password: the password that is used to log on to the image repository.
After you create a Secret, you can use the Secret to pull images. For more information, see Pull images by using a Secret.
TLS Certificate
The following parameters are required if you set the Type parameter to TLS Certificate:
Cert: the public key of the TLS certificate.
Key: the private key of the TLS certificate.
The created Secret is displayed on the Secrets page. You can click Edit, Copy, or Delete in the Actions column to manage the Secret.
Pull images by using a Secret
Before you can pull images by using a Secret, you must create a Secret of the Private Image Repository Logon Secret type. This section describes how to configure a Secret. For more information about the parameters that are required when you create or deploy an application, see Deploy a demo application on SAE.
You can configure a Secret when you create or update an application. In this example, a Secret is configured when you create an application. For more information about how to configure a Secret when you update an application, see Update an application.
Log on to the SAE console.
In the left-side navigation pane, click Applications. In the top navigation bar, select a region. Then, click Create Application.
In the Basic Information step, configure the parameters and click Next: Application Deployment Configurations.
In the Deployment Configurations step, configure the parameters.
This section describes only the key steps that are required to configure a Secret.
Set the Application Deployment Method parameter to Image.
In the Configure Image section, click the Private Images of Other Alibaba Cloud Account tab, configure the Container Registry Edition parameter based on your business requirements, and then set the Image Type parameter to Static Username and Password.
Optional. If you set the Container Registry Edition parameter to Container Registry Enterprise Edition, configure the Enterprise Edition Instance ID parameter.
Select the Secret that you created from the Secret for Username and Password of Image Repository drop-down list and configure the Complete Image Repository Address parameter.
Click Next: Confirm Specifications.
In the Specification Confirmation step, view the details of the application and the fee for the selected specifications. Then, click Confirm.
The Creation Completed step appears. You can click Application Details to go to the Basic Information page of the application.