A200161411/cloud-container-engine
1
0
Fork 0
forked from docs/cloud-container-engine
Code Pull Requests Activity
cloud-container-engine/umn/source/configuration_center/using_a_secret.rst
proposalbot a70a2c8b2e Changes to cce_umn from docs/doc-exports#418 (CCE UMN for 1.23 reuploaded -20221 
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: proposalbot <proposalbot@otc-service.com>
Co-committed-by: proposalbot <proposalbot@otc-service.com>
2022-11-10 18:57:33 +00:00

116 lines
3.3 KiB
ReStructuredText
Raw Blame History

:original_name: cce_01_0016.html
.. _cce_01_0016:
Using a Secret
==============
.. important::
The following secrets are used by the CCE system. Do not perform any operations on them.
- Do not operate secrets under kube-system.
- Do not operate default-secret and paas.elb in any of the namespaces. The default-secret is used to pull the private image of SWR, and the paas.elb is used to connect the service in the namespace to the ELB service.
- :ref:`Configuring the Data Volume of a Pod <cce_01_0016__section472505211214>`
- :ref:`Setting Environment Variables of a Pod <cce_01_0016__section207271352141216>`
The following example shows how to use a secret.
.. code-block::
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
username: ****** #The value must be Base64-encoded.
password: ****** #The value must be encoded using Base64.
.. important::
When a secret is used in a pod, the pod and secret must be in the same cluster and namespace.
.. _cce_01_0016__section472505211214:
Configuring the Data Volume of a Pod
------------------------------------
A secret can be used as a file in a pod. As shown in the following example, the username and password of the **mysecret** secret are saved in the **/etc/foo** directory as files.
.. code-block::
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: mypod
image: redis
volumeMounts:
- name: foo
mountPath: "/etc/foo"
readOnly: true
volumes:
- name: foo
secret:
secretName: mysecret
In addition, you can specify the directory and permission to access a secret. The username is stored in the **/etc/foo/my-group/my-username** directory of the container.
.. code-block::
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: mypod
image: redis
volumeMounts:
- name: foo
mountPath: "/etc/foo"
volumes:
- name: foo
secret:
secretName: mysecret
items:
- key: username
path: my-group/my-username
mode: 511
To mount a secret to a data volume, you can also perform operations on the CCE console. When creating a workload, set advanced settings for the container, choose **Data Storage > Local Volume**, click **Add Local Volume**, and select **Secret**. For details, see :ref:`Secret <cce_01_0053__en-us_topic_0000001199341206_section10197243134710>`.
.. _cce_01_0016__section207271352141216:
Setting Environment Variables of a Pod
--------------------------------------
A secret can be used as an environment variable of a pod. As shown in the following example, the username and password of the **mysecret** secret are defined as an environment variable of the pod.
.. code-block::
apiVersion: v1
kind: Pod
metadata:
name: secret-env-pod
spec:
containers:
- name: mycontainer
image: redis
env:
- name: SECRET_USERNAME
valueFrom:
secretKeyRef:
name: mysecret
key: username
- name: SECRET_PASSWORD
valueFrom:
secretKeyRef:
name: mysecret
key: password
restartPolicy: Never
View Git Blame Copy Permalink