Manage secrets

The Secret resource enables users to store sensitive data. Sensitive information is anything a user considers non-public, e.g.:

• TLS keys
• tokens
• passwords

Secrets belong to a specific Mesh resource, and cannot be shared across different Meshes. Policies use secrets at runtime.

Kong Mesh leverages Secret resources internally for certain operations, for example when storing auto-generated certificates and keys when Mutual TLS is enabled.

apiVersion: v1
kind: Secret
metadata:
  name: sample-secret
  namespace: kong-mesh-system # Kong Mesh will only manage secrets in the same namespace as the CP
  labels:
    kuma.io/mesh: default # specify the Mesh scope of the secret
data:
  value: dGVzdAo= # Base64 encoded
type: system.kuma.io/secret # Kong Mesh will only manage secrets of this type

echo "apiVersion: v1
kind: Secret
metadata:
  name: sample-secret
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default
data:
  value: dGVzdAo=
type: system.kuma.io/secret" | kubectl apply -f -

kubectl get secrets -n kong-mesh-system --field-selector='type=system.kuma.io/secret'
# NAME            TYPE                    DATA   AGE
# sample-secret   system.kuma.io/secret   1      3m12s

type: Secret
name: sample-secret
mesh: default
data: dGVzdAo= # Base64 encoded

echo "type: Secret
mesh: default
name: sample-secret
data: dGVzdAo=" | kumactl apply -f -

The data field of a Kong Mesh Secret is a Base64 encoded value. Use the base64 command in Linux or macOS to encode any value in Base64:

# Base64 encode a file
cat cert.pem | base64

# or Base64 encode a string
echo "value" | base64

Access to the Secret HTTP API

Secret API requires authentication. Consult Accessing Admin Server from a different machine for how to configure remote access.

Kong Mesh provides two types of Secrets.

Mesh-scoped Secrets

Mesh-scoped Secrets are bound to a given Mesh. Only this kind of Secrets can be used in Mesh Policies like Provided CA or TLS setting in External Service.

apiVersion: v1
kind: Secret
metadata:
  name: sample-secret
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default # specify the Mesh scope of the secret
data:
  value: dGVzdAo=
type: system.kuma.io/secret

type: Secret
name: sample-secret
mesh: default # specify the Mesh scope of the secret
data: dGVzdAo=

Global-scoped Secrets

Global-scoped Secrets are not bound to a given Mesh and cannot be used in Mesh Policies. Global-scoped Secrets are used for internal purposes. You can manage them just like the regular secrets using kumactl or kubectl.

apiVersion: v1
kind: Secret
metadata:
  name: sample-secret
  namespace: kong-mesh-system
data:
  value: dGVzdAo=
type: system.kuma.io/global-secret

type: GlobalSecret
name: sample-global-secret
data: dGVzdAo=

The Secrets are synced from global to zones, not the other way around as this would risk exposing sensitive information.

If there’s a name conflict between a secret on global and on zone, then the secret is not overwritten and a warning will appear in the logs.

Here is an example of how you can use a Kong Mesh Secret with a provided Mutual TLS backend.

The examples below assumes that the Secret object has already been created beforehand.

type: Mesh
name: default
mtls:
  backends:
    - name: ca-1
      type: provided
      config:
        cert:
          secret: my-cert # name of the Kong Mesh Secret
        key:
          secret: my-key # name of the Kong Mesh Secret

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    backends:
      - name: ca-1
        type: provided
        config:
          cert:
            secret: my-cert # name of the Kubernetes Secret
          key:
            secret: my-key # name of the Kubernetes Secret