Kuma provides a built-in interface to store sensitive information such as TLS keys and tokens that can be used later on by any policy at runtime. This functionality is being implemented by introducing a
Secrets belong to a specific
Mesh resource, and cannot be shared across different
Kuma will also leverage
Secret resources internally for certain operations, for example when storing auto-generated certificates and keys when Mutual TLS is enabled.
data field of a Kuma
Secret should always be a Base64 encoded value. You can use the
base64 command in Linux or macOS to encode any value in Base64:
# Base64 encode a file $ cat cert.pem | base64 # or Base64 encode a string $ echo "value" | base64
# Access to the Secret HTTP API
This API requires authentication. Consult Accessing Admin Server from a different machine how to configure remote access.
# Scope of the Secret
Kuma provides two types of Secrets.
# Mesh-scoped Secrets
Mesh-scoped Secrets are bound to a given Mesh. Only this kind of Secrets can be used in Mesh Policies like Provided CA or TLS setting in External Service.
# Global-scoped Secrets
Global-scoped Secrets are not bound to a given Mesh and cannot be used in Mesh Policies. They are used for internal purposes.
You can manage them just like the regular secrets using
Here is example of how you can use a Kuma
Secret with a
provided Mutual TLS backend.
The examples below assume that the
Secret object has already been created before-hand.