On Kubernetes, Kong Mesh uses the native Kubernetes Secret resource under the hood to store sensitive information. Kong Mesh secrets are stored in the same namespace as the Control Plane, with type set to system.kuma.io/secret:
apiVersion: v1
kind: Secret
metadata:
  name: sample-secret
  namespace: kong-mesh-system # Kong Mesh will only manage secrets in the same namespace as the CP
  labels:
    kuma.io/mesh: default # specify the Mesh scope of the secret
data:
  value: dGVzdAo= # Base64 encoded
type: system.kuma.io/secret # Kong Mesh will only manage secrets of this type
Use kubectl to manage secrets like any other Kubernetes resource.
echo "apiVersion: v1
kind: Secret
metadata:
  name: sample-secret
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default
data:
  value: dGVzdAo=
type: system.kuma.io/secret" | kubectl apply -f -

kubectl get secrets -n kong-mesh-system --field-selector='type=system.kuma.io/secret'
# NAME            TYPE                    DATA   AGE
# sample-secret   system.kuma.io/secret   1      3m12s
Kubernetes Secrets are identified by name and namespace, so it is not possible to have a Secret with the same name in multiple meshes: all Meshes belong to one Kong Mesh CP, which always runs in a single Namespace. To move a Secret from one Mesh to another, delete the Secret resource and recreate it with the kuma.io/mesh label of the other Mesh.
A Secret is a simple resource that stores specific data:
type: Secret
name: sample-secret
mesh: default
data: dGVzdAo= # Base64 encoded
Use kumactl to manage any Secret the same way you would for other resources:
echo "type: Secret
mesh: default
name: sample-secret
data: dGVzdAo=" | kumactl apply -f -
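The shell helpers below are an added example and are not part of the Kong Mesh documentation or project. They generate Secret manifests for both the Kubernetes form above (applied with kubectl) and the kumactl form, base64-encoding the value without the trailing newline that `echo | base64` would add (the page's sample value dGVzdAo= decodes to "test" followed by a newline; dGVzdA== is the bare string "test"), decode a manifest back to its plaintext for inspection, and check a Kubernetes manifest for the type and namespace the Control Plane requires before it is applied. The function names, the kong-mesh-system default namespace and the sample value "test" are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Kong Mesh project code. Function names and the
# kong-mesh-system default namespace are assumptions for this illustration.

# base64-encode a string with no trailing newline in the input and no line
# wrapping in the output. printf '%s' avoids the newline that echo would add:
#   printf 'test' | base64 -> dGVzdA==   (the value "test")
#   echo   'test' | base64 -> dGVzdAo=   (the value "test\n")
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Kubernetes manifest: Secret of type system.kuma.io/secret in the Control
# Plane namespace, scoped to a Mesh by the kuma.io/mesh label.
k8s_secret_manifest() {
  name=$1; mesh=$2; value=$3; ns=${4:-kong-mesh-system}
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
  labels:
    kuma.io/mesh: ${mesh}
data:
  value: $(b64 "$value")
type: system.kuma.io/secret
EOF
}

# Universal manifest for kumactl apply: the same data, keyed by mesh and name.
universal_secret_manifest() {
  name=$1; mesh=$2; value=$3
  cat <<EOF
type: Secret
mesh: ${mesh}
name: ${name}
data: $(b64 "$value")
EOF
}

# Read a manifest on stdin (either form) and print the decoded secret value,
# so a manifest can be inspected before it is applied. The bare "data:" line
# of the Kubernetes form carries no value, hence the $2 != "" guard.
decoded_value() {
  awk '($1 == "value:" || $1 == "data:") && $2 != "" { print $2; exit }' | base64 -d
}

# Read a Kubernetes manifest on stdin and exit 0 only if the Control Plane
# would manage it: correct type and the CP namespace (default kong-mesh-system).
# A Secret failing either check is not managed by Kong Mesh.
validate_k8s_manifest() {
  ns=${1:-kong-mesh-system}
  awk -v ns="$ns" '
    $1 == "type:"      && $2 == "system.kuma.io/secret" { t = 1 }
    $1 == "namespace:" && $2 == ns                      { n = 1 }
    END { exit !(t && n) }'
}

# Usage (constructed sample value "test"):
#   k8s_secret_manifest sample-secret default test | validate_k8s_manifest \
#     && k8s_secret_manifest sample-secret default test | kubectl apply -f -
#   universal_secret_manifest sample-secret default test | kumactl apply -f -
```

Run the validation step before applying: a Secret created in another namespace or with the default Opaque type is accepted by the Kubernetes API but is not managed by Kong Mesh, so a missing credential shows up only later as a failing mesh feature rather than as an apply error.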