Secret resource enables users to store sensitive data.
Sensitive information is anything a user considers non-public, e.g.:
- TLS keys
Secrets belong to a specific
Mesh resource, and cannot be shared across different
Policies use secrets at runtime.
Kong Mesh leverages
Secret resources internally for certain operations,
for example when storing auto-generated certificates and keys when Mutual TLS is enabled.
data field of a Kong Mesh
Secret is a Base64 encoded value.
base64 command in Linux or macOS to encode any value in Base64:
# Base64 encode a file
cat cert.pem | base64
# or Base64 encode a string
echo "value" | base64
Access to the Secret HTTP API
Secret API requires authentication.
Consult Accessing Admin Server from a different machine for how to configure remote access.
Scope of the Secret
Kong Mesh provides two types of Secrets.
Mesh-scoped Secrets are bound to a given Mesh.
Only this kind of Secrets can be used in Mesh Policies like Provided CA or TLS setting in External Service.
Global-scoped Secrets are not bound to a given Mesh and cannot be used in Mesh Policies.
Global-scoped Secrets are used for internal purposes.
You can manage them just like the regular secrets using
Here is an example of how you can use a Kong Mesh
Secret with a
provided Mutual TLS backend.
The examples below assumes that the
Secret object has already been created beforehand.