search

Secret

In Pi, objects of type secret are intended to hold sensitive information. Putting this information in a secret is safer and more flexible than putting it verbatim in a pod definition or in a docker image. See Secrets design documentarrow-up-right for more information.

Currently, we only support Docker registry and generic secret, which is equivalent to kubectl create secret docker-registryarrow-up-right.

Secret is regional, e.g. you need to create secrets in different regions separately.

hashtag
Creating a Docker registry secret

To create a new secret, use:

$ pi create secret docker-registry my-secret --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL

  • docker-email: Email for Docker registry

  • docker-password: Password for Docker registry authentication

  • docker-server: Server location for Docker registry (Default: https://index.docker.io/v1/arrow-up-right)

  • docker-username: Username for Docker registry authentication

hashtag
Referring to an imagePullSecrets on a Pod

Now, you can create pods which reference that secret by adding an imagePullSecrets section to a pod definition.

apiVersion: v1
kind: Pod
metadata:
  name: foo
  namespace: awesomeapps
spec:
  containers:
    - name: foo
      image: janedoe/awesomeapp:v1
  imagePullSecrets:
    - name: myregistrykey

hashtag
Limits

  • Max secret size: 4kb

  • Max secrets per region: 8

hashtag
Secret and Pod Lifetime interaction

When a pod is created via the API, there is no check whether a referenced secret exists. Once a pod is scheduled, the kubelet will try to fetch the secret value. If the secret cannot be fetched because it does not exist or because of a temporary lack of connection to the API server, the system will periodically retry until the secret is successfully fetched.

PreviousServiceNextRegion and Zone

Last updated