If you are deploying your applications to Kubernetes it's likely that you are using Secrets to manage your sensitive data. More and more tools aim to make working with them easier. Secret is a simple resource. In addition to the usual Kubernetes resource fields, it has a type and data. The expected data keys change depending on the value of type. This is where the tooling can help. The available documentation that covers types and data keys to guide developers is scarce, so here is my attempt at one.
Opaque
This is the default secret type that can be used for defining arbitrary user-defined data.
Service Account Token (kubernetes.io/service-account-token)
Contains a token that identifies a service account to the API.
Data Key | Definition | Required |
---|---|---|
token | A token that identifies the service account to the API | Yes |
kubernetes.kubeconfig | kubeconfig data for service account token | No |
ca.crt | Root certificate authority | No |
namespace | Namespace to use as the default for namespaced API calls | No |
It also requires the following annotations on the secret:
Annotation | Definition | Required |
---|---|---|
kubernetes.io/service-account.name | The name of the ServiceAccount the token identifies | Yes |
kubernetes.io/service-account.uid | The UID of the ServiceAccount the token identifies | Yes |
Dockercfg (kubernetes.io/dockercfg)
Contains a dockercfg file that follows the same format rules as ~/.dockercfg.
Data Key | Definition | Required |
---|---|---|
.dockercfg | a serialized ~/.dockercfg file | Yes |
Docker Config JSON (kubernetes.io/dockerconfigjson)
Contains a Docker config file that follows the same format rules as ~/.docker/config.json.
Data Key | Definition | Required |
---|---|---|
.dockerconfigjson | a serialized ~/.docker/config.json file | Yes |
Basic Authentication (kubernetes.io/basic-auth)
Contains data needed for basic authentication.
Data Key | Definition | Required |
---|---|---|
username | username used for authentication | Yes |
password | password or token needed for authentication | Yes |
SSH Authentication (kubernetes.io/ssh-auth)
Contains data needed for SSH authentication.
Data Key | Definition | Required |
---|---|---|
ssh-privatekey | private SSH key needed for authentication | Yes |
TLS (kubernetes.io/tls)
Contains information about a TLS client or server secret. It's primarily used for TLS termination of the Ingress resource, but may be used with other resource types.
Data Key | Definition | Required |
---|---|---|
tls.key | TLS private key | Yes |
tls.crt | TLS certificate | Yes |
Bootstrap Token (bootstrap.kubernetes.io/token)
Used during the automated bootstrap process (first implemented by kubeadm). It stores tokens that are used to sign well-known ConfigMaps. They're used for authentication.
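As an added example (my own code, not from the original post or from Kubernetes), here is a small checker that encodes the tables above and flags a Secret manifest whose data keys or annotations don't match its declared type. The base64 check is an assumption I added on top of the tables: values under data must be base64-encoded, while stringData takes plain text.

```python
"""Check a Kubernetes Secret manifest (as a dict) against the per-type
required data keys and annotations listed on this page."""
import base64

# Required data keys per secret type, taken from the tables above.
REQUIRED_DATA = {
    "Opaque": set(),                          # arbitrary user-defined keys
    "kubernetes.io/service-account-token": {"token"},
    "kubernetes.io/dockercfg": {".dockercfg"},
    "kubernetes.io/dockerconfigjson": {".dockerconfigjson"},
    "kubernetes.io/basic-auth": {"username", "password"},
    "kubernetes.io/ssh-auth": {"ssh-privatekey"},
    "kubernetes.io/tls": {"tls.key", "tls.crt"},
    "bootstrap.kubernetes.io/token": set(),   # keys not listed on this page
}
# Required annotations per secret type (only the service-account token has any).
REQUIRED_ANNOTATIONS = {
    "kubernetes.io/service-account-token": {
        "kubernetes.io/service-account.name",
        "kubernetes.io/service-account.uid",
    },
}

def validate_secret(secret):
    """Return a list of problems; an empty list means the manifest is consistent."""
    problems = []
    stype = secret.get("type", "Opaque")  # the API defaults a missing type to Opaque
    if stype not in REQUIRED_DATA:
        return [f"type {stype!r} is not one of the types described here"]
    data = secret.get("data") or {}
    string_data = secret.get("stringData") or {}
    present = set(data) | set(string_data)
    for key in sorted(REQUIRED_DATA[stype] - present):
        problems.append(f"missing required data key {key!r} for type {stype}")
    # Values under 'data' must be base64; a raw PEM or password here is a common mistake.
    for key, value in data.items():
        try:
            base64.b64decode(value, validate=True)
        except (ValueError, TypeError):
            problems.append(f"data key {key!r} is not valid base64 (use stringData for plain text)")
    annotations = (secret.get("metadata") or {}).get("annotations") or {}
    for ann in sorted(REQUIRED_ANNOTATIONS.get(stype, set()) - set(annotations)):
        problems.append(f"missing required annotation {ann!r} for type {stype}")
    return problems

if __name__ == "__main__":
    # Constructed sample: a TLS secret with no certificate and a raw (non-base64) key.
    broken = {"type": "kubernetes.io/tls", "metadata": {"name": "ingress-tls"},
              "data": {"tls.key": "-----BEGIN PRIVATE KEY-----"}}
    for problem in validate_secret(broken):
        print(problem)
```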