In this article, we explain the concept of a secret, how to use it on the ArvanCloud cloud platform, the different secret types and their components, and how to define each one.
Prerequisites of Using Secret on the ArvanCloud Cloud Platform
The only prerequisite is an ArvanCloud account with access to the ArvanCloud cloud platform. Complete the following steps:
- Open the ArvanCloud website: www.arvancloud.ir,
- Create an account or use your account to log in,
- Go to the Profile section,
- Create an API Key in the API KEYS tab,
- Save the API Key.
To perform the steps, you will need the ArvanCloud command-line tool. Therefore,
- Use this link to download the command line,
- (Put it in your PATH and give it execute permission, if required),
- And log in via the command line:
- Paste the API Key that you received from the site into the above command line.
What is a Secret?
You can employ a secret to retain information such as passwords, tokens and other sensitive data. The data stored in the secret can be passed (in VOLUME or ENV format) to a path inside the Pod. For example, to give the Pod access to a MySQL database, you can pass the database username and password to the Pod as environment variables read from the secret. The process running inside the Pod uses these variables to run its queries on the database.
You could pass this information to the Pod directly. However, the advantage of a secret is that you define it only once and apply it to several Pods and Deployments.
How to Create a Secret
To create a secret, complete the following steps:
- Insert the required information into a YAML file,
- Use the command line to introduce it to the ArvanCloud cloud platform.
In the following lines, we explain a simple example of a secret containing the information required to connect to a MySQL database.
Hint: Note that indentation in YAML files is essential; even the smallest misplacement may cause an error or revert settings unintentionally.
Read on to understand the relevant fields:
- kind: This field determines the object type. It can have values such as StatefulSet, Service, Secret, Pod and so on. The objective of this example is to explain how to use a secret, so the field value must be Secret.
- name: It determines the name of the secret.
- type: This determines the type of the secret. Here we have selected Opaque, which is the usual type for a secret. A brief explanation of the different secret types follows later in this article.
- data: You usually enter the data inside the secret in the form of Key: Value. The two sections that can hold data are data and stringData. The main difference between them is how the value is introduced. In data, you enter each value in base64 format; in stringData, the value is introduced in plain format and the ArvanCloud cloud platform converts it into base64 automatically. For example, the preceding lines contain a key named password whose value, "bXlwYXNzd29yZA==", is the base64 encoding of the phrase "mypassword". On the other hand, the username and hostname values have been entered in stringData, so their values are in plain format.
Insert the preceding lines into a file named secret.yaml and save the file. Then use the following command in the command line to introduce the secret to the ArvanCloud cloud platform.
Apply the following command to check its status on the ArvanCloud cloud platform.
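As an added example (not code from the original article), the following Python script mimics what the platform does with the data and stringData sections of the db-secret above: it base64-encodes the stringData values, rejects data values that are not valid base64, and decodes the stored form back. The sample manifest is constructed; note that decoding needs no key, so base64 hides nothing from anyone allowed to read the Secret object.

```python
import base64
import binascii

# Constructed sample mirroring the page's db-secret: "password" is given under
# data (already base64), "username" and "hostname" under stringData (plain).
DB_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-secret"},
    "type": "Opaque",
    "data": {"password": "bXlwYXNzd29yZA=="},
    "stringData": {"username": "wordpress", "hostname": "mysql"},
}


def normalize_secret(manifest: dict) -> dict:
    """Return the manifest as the platform stores it: every value under data, in base64.

    stringData entries are encoded and merged into data (a key present in both is
    taken from stringData, the precedence the API server applies). Values already
    under data are checked to be valid base64 so a typo is caught here, not later.
    """
    data = {}
    for key, value in manifest.get("data", {}).items():
        try:
            base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"data.{key} is not valid base64: {exc}") from exc
        data[key] = value
    for key, value in manifest.get("stringData", {}).items():
        data[key] = base64.b64encode(value.encode()).decode()
    stored = {k: v for k, v in manifest.items() if k != "stringData"}
    stored["data"] = data
    return stored


def decode_secret(stored: dict) -> dict:
    """Recover the plain values. No key is needed: base64 is encoding, not encryption,
    so anyone allowed to read the Secret object can read its contents."""
    return {k: base64.b64decode(v).decode() for k, v in stored["data"].items()}


if __name__ == "__main__":
    stored = normalize_secret(DB_SECRET)
    print(stored["data"])
    print(decode_secret(stored))
```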
The output will be something like the following.
As you see in the above output, there are some prefabricated secrets in your project. These secrets hold the project's basic settings, so do not change or delete them.
Apply the following command to view your secret.
The output will be something similar to the following figure.
As you can see in the preceding output, every value introduced to the secret has been stored in base64 format; the ArvanCloud cloud platform has converted even the username and hostname values into base64.
How to Create a Secret Using the Command Line
An easier way of creating a secret is the "arvan paas create secret" command in the command line. Read an example in the following lines.
The above command creates a secret named db-secret, similar to the YAML file explained earlier. The keyword "generic" is one of the significant components of the command. When using the command line, you can apply one of these options: tls, generic, or docker-registry.
You can employ generic to assign values to the secret through the --from-literal option, in the form of Key=Value.
If you need to define a secret to pull a container image from a docker registry, use docker-registry instead of generic.
How to Create a Secret for the Docker Registry
On some occasions, you may intend to use container images in your Pod that are not publicly available, and you need access information (a username and password) to pull them. In such a case, you can employ a specific secret in the Pod settings. We are going to explain how to define and use this secret type.
Apply the above command to create a docker-registry secret named private-reg.
How to Use Secret
In this section, there is an example of a WordPress deployment. The secret employs ENV to give the Pod the access information for the MySQL database. This deployment also uses a container image on the private docker registry for which you created a secret in the preceding section. The access information for the docker registry is introduced through imagePullSecrets.
Insert the following information into a file named wordpress-deploy.yaml. For more information about deployments, read the article titled How to Use Deployment on the ArvanCloud Cloud Platform.
Hint: Note that indentation in YAML files is essential; even the smallest misplacement may cause an error or revert settings unintentionally.
The following lines explain the fields added to the deployment in order to use the secrets you have created.
- template.spec.containers.env.valueFrom: This field determines that the environment variable's value should be read from a secret.
- template.spec.containers.env.valueFrom.secretKeyRef.key: It determines the name of the key inside the secret whose value is used by the environment variable.
- template.spec.containers.env.valueFrom.secretKeyRef.name: This field determines the name of the secret that the environment variable uses.
- template.spec.imagePullSecrets.name: It determines the name of the secret that includes the information needed to pull the container image from the docker registry.
Besides ENV, you can mount the secret into the Pod in VOLUME format. Read a brief explanation of how to do it in the following lines.
How to Use Secret in the Volume Format
Another way of applying a secret is to use it in VOLUME format and mount it into the Pod. One benefit of this method is that the secret can deliver configs or files containing keys to the Pod. To use this method, complete these simple steps:
- Define a volume for the Pod,
- Introduce the secret name as a disk to the Pod.
We are going to present an example in the following lines.
Suppose that you intend to mount the content of db-secret, which you created in the previous sections, into another deployment. Complete the following steps to do so.
Hint: Note that indentation in YAML files is essential; even the smallest misplacement may cause an error or revert settings unintentionally.
Keep reading to get familiar with the fields that you should add to the deployment to use the secret in VOLUME format.
- template.spec.containers.volumeMounts: This field determines the name of the volume and the path at which the secret is mounted. Define it as you would any other volume.
- template.spec.volumes: This field introduces the secret specifications.
- template.spec.volumes.name: It determines the name of the volume in which the secret is mounted.
- template.spec.volumes.secret: This field determines that a secret is mounted into the volume.
- template.spec.volumes.secret.secretName: It determines the secret name.
Having applied the above file, open the Pod and go to the specified path; you will see that every key defined in the secret is a separate file in that location.
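As an added illustration, not code from the article or from ArvanCloud, this Python script shows how the env and volume fields explained in this section and the previous one are resolved for the container: each secretKeyRef becomes an environment variable and each key of a secret volume becomes a file under mountPath. The secret and deployment fragments are constructed samples; the optional field on secretKeyRef is a real Kubernetes field, used here to show the missing-key case.

```python
import base64

# Constructed sample: the stored form of the page's db-secret (all values base64).
SECRETS = {"db-secret": {"type": "Opaque", "data": {
    "username": "d29yZHByZXNz", "password": "bXlwYXNzd29yZA==", "hostname": "bXlzcWw="}}}

# Constructed fragments in the shape of the deployment fields explained above.
ENV_SPEC = [
    {"name": "DB_USER", "valueFrom": {"secretKeyRef": {"name": "db-secret", "key": "username"}}},
    {"name": "DB_PASS", "valueFrom": {"secretKeyRef": {"name": "db-secret", "key": "password"}}},
    # "port" does not exist in the secret; optional means the variable is left unset.
    {"name": "DB_PORT", "valueFrom": {"secretKeyRef": {"name": "db-secret", "key": "port", "optional": True}}},
]
VOLUME_SPEC = {"name": "db-creds", "secret": {"secretName": "db-secret"}}
MOUNT_SPEC = {"name": "db-creds", "mountPath": "/etc/db"}


def _decode(secret: dict, key: str) -> str:
    return base64.b64decode(secret["data"][key]).decode()


def project_env(env_spec: list, secrets: dict) -> dict:
    """Resolve each secretKeyRef the way the kubelet does before the container starts.
    A missing key is fatal (the Pod never starts) unless the reference is optional."""
    env = {}
    for entry in env_spec:
        ref = entry["valueFrom"]["secretKeyRef"]
        secret = secrets[ref["name"]]
        if ref["key"] not in secret["data"]:
            if ref.get("optional"):
                continue
            raise KeyError(f"secret {ref['name']} has no key {ref['key']}")
        env[entry["name"]] = _decode(secret, ref["key"])
    return env


def project_volume(volume_spec: dict, mount_spec: dict, secrets: dict) -> dict:
    """Map every key of the secret to one file under mountPath, as a secret volume does.
    The volumeMounts entry must name the volume declared under volumes."""
    if mount_spec["name"] != volume_spec["name"]:
        raise ValueError(f"volumeMounts {mount_spec['name']} matches no volume")
    secret = secrets[volume_spec["secret"]["secretName"]]
    base = mount_spec["mountPath"].rstrip("/")
    return {f"{base}/{key}": _decode(secret, key) for key in secret["data"]}


if __name__ == "__main__":
    print(project_env(ENV_SPEC, SECRETS))
    print(project_volume(VOLUME_SPEC, MOUNT_SPEC, SECRETS))
```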
Different Types of Secret
When defining a secret in YAML format, you have to determine its type. This field defines the structure of the keys and values inside the secret. Generally, you can always use the Opaque type. The other types exist so that the keys and values are validated, which lets the creator make sure the correct structure is used. They do not change how the secret functions, so you can always employ the Opaque type.
The following are the types that perform some validation on secrets for the ArvanCloud cloud platform.
- kubernetes.io/service-account-token
- kubernetes.io/dockercfg
- kubernetes.io/dockerconfigjson
- kubernetes.io/basic-auth
- kubernetes.io/ssh-auth
- kubernetes.io/tls
We do not explain the above types in this article. Employ the Opaque type unless you know the other types (note that for creating a secret for the docker registry, using the command line is recommended).
Visit the OKD and Kubernetes documentation for more information.
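Added example (not from the article or from ArvanCloud): the validation the typed secrets perform amounts to requiring a fixed key set under data, which this Python check reproduces for the types listed above (service-account-token excepted, since the platform fills it in itself); the sample manifests are constructed.

```python
import base64
import json

# What each built-in type demands of data (the validation the API server applies).
# Opaque imposes no structure; kubernetes.io/service-account-token is populated by
# the platform itself, so it is left out here.
ALL_OF = {
    "kubernetes.io/tls": {"tls.crt", "tls.key"},
    "kubernetes.io/ssh-auth": {"ssh-privatekey"},
    "kubernetes.io/dockerconfigjson": {".dockerconfigjson"},
    "kubernetes.io/dockercfg": {".dockercfg"},
}
ANY_OF = {"kubernetes.io/basic-auth": {"username", "password"}}
MUST_BE_JSON = {".dockerconfigjson", ".dockercfg"}


def validate_secret(manifest: dict) -> list:
    """Return the problems a typed secret would be rejected for; [] means it passes."""
    stype = manifest.get("type", "Opaque")
    data = manifest.get("data", {})
    problems = []
    for key in sorted(ALL_OF.get(stype, set()) - set(data)):
        problems.append(f"type {stype} requires data.{key}")
    if stype in ANY_OF and not (ANY_OF[stype] & set(data)):
        problems.append(f"type {stype} needs at least one of {sorted(ANY_OF[stype])}")
    for key in sorted(MUST_BE_JSON & set(data)):
        try:
            json.loads(base64.b64decode(data[key]))
        except ValueError as exc:  # covers bad base64 (binascii.Error) and bad JSON
            problems.append(f"data.{key} is not well-formed JSON: {exc}")
    return problems


# Constructed samples: a tls secret missing its private key, and a registry secret
# whose payload has the shape the docker-registry subcommand produces.
BAD_TLS = {"type": "kubernetes.io/tls", "data": {"tls.crt": "Li4u"}}
REGISTRY = {
    "type": "kubernetes.io/dockerconfigjson",
    "data": {".dockerconfigjson": base64.b64encode(json.dumps({"auths": {
        "registry.example.internal": {"username": "u", "password": "p", "auth": "dTpw"}
    }}).encode()).decode()},
}

if __name__ == "__main__":
    print(validate_secret(BAD_TLS))   # ['type kubernetes.io/tls requires data.tls.key']
    print(validate_secret(REGISTRY))  # []
```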