# Secrets

The Secret resource enables users to store sensitive data. Sensitive information is anything a user considers non-public, e.g.:

  • TLS keys
  • tokens
  • passwords

Secrets belong to a specific Mesh resource, and cannot be shared across different Meshes. Policies use secrets at runtime.

Kuma leverages Secret resources internally for certain operations, for example when storing auto-generated certificates and keys when Mutual TLS is enabled.

    The data field of a Kuma Secret is a Base64 encoded value. Use the base64 command in Linux or macOS to encode any value in Base64:

    # Base64 encode a file
    cat cert.pem | base64
    # or Base64 encode a string
    echo "value" | base64

    # Access to the Secret HTTP API

    Secret API requires authentication. Consult Accessing Admin Server from a different machine for how to configure remote access.

    # Scope of the Secret

    Kuma provides two types of Secrets.

    # Mesh-scoped Secrets

    Mesh-scoped Secrets are bound to a given Mesh. Only this kind of Secrets can be used in Mesh Policies like Provided CA or TLS setting in External Service.

      # Global-scoped Secrets

      Global-scoped Secrets are not bound to a given Mesh and cannot be used in Mesh Policies. Global-scoped Secrets are used for internal purposes. You can manage them just like the regular secrets using kumactl or kubectl.

        # Usage

        Here is an example of how you can use a Kuma Secret with a provided Mutual TLS backend.

        The examples below assumes that the Secret object has already been created beforehand.

          Last Updated: 8/22/2022, 3:23:49 PM