Aug 28, 2020

Secrets and Types

If you are deploying your applications to Kubernetes, it's likely that you are using Secrets to manage your sensitive data. More and more tools aim to make working with them easier. Secret is a simple resource: in addition to the usual Kubernetes resource fields, it has a type and data. The expected data keys change depending on the value of the type. This is where the tooling can help. The available documentation covering types and data keys to guide developers is scarce, so here is my attempt at one.

Opaque

This is the default secret type that can be used for defining arbitrary user-defined data.

Service Account Token (kubernetes.io/service-account-token)

Contains a token that identifies a service account to the API.

Data Key               Definition                                                Required
token                  A token that identifies the service account to the API    Yes
kubernetes.kubeconfig  kubeconfig data for the service account token             No
ca.crt                 Root certificate authority                                No
namespace              Namespace to use as the default for namespaced API calls  No

It also requires annotations on the Secret:

Annotation                          Definition                                           Required
kubernetes.io/service-account.name  The name of the ServiceAccount the token identifies  Yes
kubernetes.io/service-account.uid   The UID of the ServiceAccount the token identifies   Yes

Dockercfg (kubernetes.io/dockercfg)

Contains a dockercfg file that follows the same format rules as ~/.dockercfg.

Data Key    Definition                        Required
.dockercfg  A serialized ~/.dockercfg file    Yes

Docker Config JSON (kubernetes.io/dockerconfigjson)

Contains a Docker config file that follows the same format rules as ~/.docker/config.json.

Data Key           Definition                               Required
.dockerconfigjson  A serialized ~/.docker/config.json file  Yes

Basic Authentication (kubernetes.io/basic-auth)

Contains data needed for basic authentication.

Data Key  Definition                                   Required
username  Username used for authentication             Yes
password  Password or token needed for authentication  Yes

SSH Authentication (kubernetes.io/ssh-auth)

Contains data needed for SSH authentication.

Data Key        Definition                                 Required
ssh-privatekey  Private SSH key needed for authentication  Yes

TLS (kubernetes.io/tls)

Contains information about a TLS client or server secret. It's primarily used with TLS termination of the Ingress resource, but may be used with other resource types as well.

Data Key  Definition       Required
tls.key   TLS private key  Yes
tls.crt   TLS certificate  Yes

Bootstrap Token (bootstrap.kubernetes.io/token)

Used during the automated bootstrap process (first implemented by kubeadm). It stores tokens that are used to sign well-known ConfigMaps, and those tokens are used for authentication.
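Since the API server only enforces these keys for some types, a manifest check before applying catches a Secret whose type and data disagree. The following validator is an added example written for this post, not tooling from the post or from Kubernetes; it encodes the data keys and annotations tabulated above (the bootstrap token type, which has no keys listed here, is omitted) and assumes the manifest has already been parsed from YAML or JSON into a dict.

```python
import base64
import binascii

# Required data keys for each built-in Secret type, as tabulated in this post.
REQUIRED_KEYS = {
    "Opaque": set(),
    "kubernetes.io/service-account-token": {"token"},
    "kubernetes.io/dockercfg": {".dockercfg"},
    "kubernetes.io/dockerconfigjson": {".dockerconfigjson"},
    "kubernetes.io/basic-auth": {"username", "password"},
    "kubernetes.io/ssh-auth": {"ssh-privatekey"},
    "kubernetes.io/tls": {"tls.key", "tls.crt"},
}
# Annotations a service-account-token Secret must carry.
REQUIRED_ANNOTATIONS = {
    "kubernetes.io/service-account-token": {
        "kubernetes.io/service-account.name",
        "kubernetes.io/service-account.uid",
    },
}

def validate_secret(manifest):
    """Return a list of problems; an empty list means the manifest is consistent."""
    secret_type = manifest.get("type") or "Opaque"  # an absent type defaults to Opaque
    if secret_type not in REQUIRED_KEYS:
        return [f"unknown secret type {secret_type!r}"]
    problems = []
    data = manifest.get("data") or {}
    for key, value in data.items():  # values under data must be base64; stringData is plain text
        try:
            base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"data key {key!r} is not valid base64")
    present = set(data) | set(manifest.get("stringData") or {})
    for key in sorted(REQUIRED_KEYS[secret_type] - present):
        problems.append(f"type {secret_type} requires data key {key!r}")
    annotations = (manifest.get("metadata") or {}).get("annotations") or {}
    for name in sorted(REQUIRED_ANNOTATIONS.get(secret_type, set()) - set(annotations)):
        problems.append(f"type {secret_type} requires annotation {name!r}")
    return problems

# Constructed sample: a TLS Secret with an unencoded value and no private key.
BROKEN_TLS = {
    "kind": "Secret", "metadata": {"name": "web-tls"}, "type": "kubernetes.io/tls",
    "data": {"tls.crt": "not base64!"},
}

if __name__ == "__main__":
    print(validate_secret(BROKEN_TLS))
```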
