# Secrets

Kuma provides a built-in interface to store sensitive information such as TLS keys and tokens that can be used later on by any policy at runtime. This functionality is being implemented by introducing a Secret resource.

Secrets belong to a specific Mesh resource, and cannot be shared across different Meshes.

Kuma will also leverage Secret resources internally for certain operations, for example when storing auto-generated certificates and keys when Mutual TLS is enabled.

    The data field of a Kuma Secret should always be a Base64 encoded value. You can use the base64 command in Linux or macOS to encode any value in Base64:

    # Base64 encode a file
    cat cert.pem | base64
    # or Base64 encode a string
    echo "value" | base64

    # Access to the Secret HTTP API

    This API requires authentication. Consult Accessing Admin Server from a different machine how to configure remote access.

    # Scope of the Secret

    Kuma provides two types of Secrets.

    # Mesh-scoped Secrets

    Mesh-scoped Secrets are bound to a given Mesh. Only this kind of Secrets can be used in Mesh Policies like Provided CA or TLS setting in External Service.

      # Global-scoped Secrets

      Global-scoped Secrets are not bound to a given Mesh and cannot be used in Mesh Policies. They are used for internal purposes. You can manage them just like the regular secrets using kumactl or kubectl.

        # Usage

        Here is example of how you can use a Kuma Secret with a provided Mutual TLS backend.

        The examples below assume that the Secret object has already been created before-hand.

          Last Updated: 1/18/2022, 12:31:35 PM