
Secret


Last updated 7 years ago

In Pi, objects of type secret are intended to hold sensitive information. Putting this information in a secret is safer and more flexible than putting it verbatim in a pod definition or in a Docker image. See the Secrets design document for more information.

Currently, we only support Docker registry and generic secrets, equivalent to kubectl create secret docker-registry.

Secrets are regional, i.e. you need to create a secret separately in each region where it is used.

Creating a Docker registry secret

To create a new secret, use:

$ pi create secret docker-registry my-secret --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL

  • docker-email: Email for Docker registry

  • docker-password: Password for Docker registry authentication

  • docker-server: Server location for Docker registry (Default: https://index.docker.io/v1/)

  • docker-username: Username for Docker registry authentication

Referring to an imagePullSecrets on a Pod

Now, you can create pods which reference that secret by adding an imagePullSecrets section to a pod definition.

apiVersion: v1
kind: Pod
metadata:
  name: foo
  namespace: awesomeapps
spec:
  containers:
    - name: foo
      image: janedoe/awesomeapp:v1
  imagePullSecrets:
    - name: my-secret

Limits

  • Max secret size: 4kb

  • Max secrets per region: 8

Secret and Pod Lifetime interaction

When a pod is created via the API, there is no check whether a referenced secret exists. Once a pod is scheduled, the kubelet will try to fetch the secret value. If the secret cannot be fetched because it does not exist or because of a temporary lack of connection to the API server, the system will periodically retry until the secret is successfully fetched.
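
Because pod creation does not verify that a referenced secret exists, a client-side pre-flight check can catch a mistyped secret name or an exceeded limit before anything is submitted. The following is an added example, not part of the Pi documentation or CLI: `preflight` and `dockercfg_payload` are hypothetical helpers, the `.dockercfg` JSON layout and the reading of "4kb" as 4096 payload bytes are assumptions, and the pod and secret names are constructed.

```python
import base64
import json

MAX_SECRET_BYTES = 4 * 1024  # page limit "4kb"; assumed to mean 4096 payload bytes
MAX_SECRETS_PER_REGION = 8   # page limit

def dockercfg_payload(server, username, password, email):
    """Build a .dockercfg-style payload (assumed layout) to estimate secret size."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password, "email": email, "auth": auth}
    return json.dumps({server: entry}).encode()

def preflight(pod, region_secrets, new_secrets=None):
    """Return problems found before anything is submitted.

    pod: pod definition as a dict; region_secrets: names already in the region;
    new_secrets: {name: payload bytes} about to be created in the same region.
    """
    new_secrets = new_secrets or {}
    problems = []
    for name, payload in new_secrets.items():
        if len(payload) > MAX_SECRET_BYTES:
            problems.append(f"secret {name!r}: {len(payload)} bytes exceeds {MAX_SECRET_BYTES}")
    available = set(region_secrets) | set(new_secrets)
    if len(available) > MAX_SECRETS_PER_REGION:
        problems.append(f"region would hold {len(available)} secrets, limit is {MAX_SECRETS_PER_REGION}")
    # The API accepts a pod whose secret is missing, so check references here.
    for ref in (pod.get("spec") or {}).get("imagePullSecrets") or []:
        if ref.get("name") not in available:
            problems.append(f"pod references missing secret {ref.get('name')!r}")
    return problems

# Constructed sample: the pod references a secret name that was never created.
POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "foo"},
    "spec": {
        "containers": [{"name": "foo", "image": "janedoe/awesomeapp:v1"}],
        "imagePullSecrets": [{"name": "myregistrykey"}],
    },
}

if __name__ == "__main__":
    payload = dockercfg_payload("https://index.docker.io/v1/", "DOCKER_USER", "DOCKER_PASSWORD", "DOCKER_EMAIL")
    for problem in preflight(POD, region_secrets=[], new_secrets={"my-secret": payload}):
        print(problem)
```

Run against the constructed input, the check reports the name mismatch that the API itself would accept silently, leaving the pod retrying the fetch after scheduling.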

Secrets design document
kubectl create secret docker-registry
https://index.docker.io/v1/