Sealed Secrets

Sealed Secrets are encrypted Kubernetes secrets. The encrypted secrets are stored in the Values Git repository. When a Sealed Secret is created in the Console, the corresponding Kubernetes Secret appears in the team's namespace and can be used as you would use any secret you had created directly.

View Sealed Secrets

To view a list of Sealed Secrets belonging to your team, click on Sealed Secrets in the main menu of the App Platform Console while in the Team view. The resulting table lists each sealed secret alongside the type and status.

Create a Sealed Secret

  1. Provide a name for the Sealed Secret. The Kubernetes secret will have the same name.

  2. Select Immutable if the data of the Sealed Secret (and the Kubernetes secret) must not be updatable after the Sealed Secret has been created. When the Sealed Secret is Immutable, only the metadata can be modified after creation.

  3. Select one of the following types:

    • Opaque (kubernetes.io/opaque)
    • ServiceAccount token (kubernetes.io/service-account-token)
    • Docker config (kubernetes.io/dockercfg)
    • Docker config (JSON) (kubernetes.io/dockerconfigjson)
    • Basic authentication (kubernetes.io/basic-auth)
    • SSH authentication (kubernetes.io/ssh-auth)
    • TLS (kubernetes.io/tls)
  4. Enter the encrypted data for your secret. This step depends on the type of secret selected in the previous step. Review the encrypted data section below for further details.

  5. Enter any metadata to be stored alongside the secret. This step may be optional or required, depending on the type of secret. Review the encrypted data section below for any required metadata. The following types of metadata are available:

    If you need more than one of any type, click the corresponding Add Item button.

Note: The secret value will only be visible at the time of creation or once it has been successfully synchronized with the cluster.

Encrypted data by secret type

Opaque

Opaque Secrets consist of one or more key-value pairs as described below. Review the opaque secrets documentation for more details.

Key                  Value
Name of the key      The value of the data item

ServiceAccount token

ServiceAccount token Secrets consist of a single key-value pair as described below. Review the ServiceAccount token Secrets documentation for more details.

Key                  Value
extra                The token

You need to ensure that the kubernetes.io/service-account.name annotation is set to an existing ServiceAccount name. See the metadata step in the overall instructions above for adding annotations.

Docker config

Docker config Secrets consist of a single key-value pair as described below. Review the Docker config Secrets documentation for more details.

Key                  Value
.dockercfg           A .dockerconfigjson key for which the value is the content of a base64 encoded ~/.docker/config.json file

Docker config (JSON)

Docker config Secrets formatted in JSON consist of a single key-value pair as described below. Review the Docker config Secrets documentation for more details.

Key                  Value
.dockerconfigjson    A .dockerconfigjson key for which the value is the content of a ~/.docker/config.json file

Example of a config.json:

{
  "auths": {
    "my-registry.example:5000": {
      "username": "tiger",
      "password": "pass1234",
      "email": "tiger@acme.example",
      "auth": "the-authentication-key"
    }
  }
}

Use the following command to generate the JSON:

email="not@us.ed" # can be something else if the registry provider expects it, but usually this is ignored
server=""         # example: "https://harbor.myclusterid.akamai-apl.net/"
username=""       # your username
password=""       # your password; can be a token
# Render the Secret client-side only (--dry-run=client, nothing is sent to the cluster),
# extract the .dockerconfigjson field and decode it to get the plain JSON
kubectl create secret docker-registry regcred --dry-run=client \
  --docker-email="$email" --docker-server="$server" \
  --docker-username="$username" --docker-password="$password" \
  -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode
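As an added example (not part of the App Platform documentation), the following shell functions build the same .dockerconfigjson document without kubectl and check a pasted config.json for consistency before it is sealed: the auth field must be base64("username:password"), which is what the placeholder "the-authentication-key" above stands for. It assumes a POSIX shell with coreutils base64 and sed; all credential values are constructed samples.

```shell
# b64 STRING: base64 of STRING on a single line, as stored in config.json
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# make_dockerconfigjson SERVER USERNAME PASSWORD EMAIL
# Emits the document that ends up under the .dockerconfigjson key.
# The "auth" field is base64("USERNAME:PASSWORD"); registries read that field,
# the separate username/password fields are informational.
make_dockerconfigjson() {
  auth=$(b64 "$2:$3")
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}\n' \
    "$1" "$2" "$3" "$4" "$auth"
}

# json_field JSON NAME: value of the first "NAME":"..." string in JSON
json_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# auth_identity JSON: decodes the auth field back to "username:password"
auth_identity() {
  json_field "$1" auth | base64 -d
}

# check_dockerconfigjson JSON: exit 0 when the auth field agrees with the
# username and password fields. A file whose auth was edited by hand, or
# copied from another registry entry, looks like valid JSON but fails login.
check_dockerconfigjson() {
  [ "$(auth_identity "$1")" = "$(json_field "$1" username):$(json_field "$1" password)" ]
}

# Constructed sample values, not real credentials
cfg=$(make_dockerconfigjson "my-registry.example:5000" "tiger" "pass1234" "tiger@acme.example")
check_dockerconfigjson "$cfg" && echo "config.json is consistent"
```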

Basic authentication

Basic authentication Secrets consist of two key-value pairs as described below. Review the Basic authentication Secrets documentation for more details.

Key                  Value
username             A username
password             A password

SSH authentication

SSH authentication Secrets consist of a single key-value pair as described below. Review the SSH authentication Secrets documentation for more details.

Key                  Value
ssh-privatekey       The SSH private key, stored in the data field as the SSH credential to use

TLS

TLS Secrets consist of two key-value pairs as described below. Review the TLS Secrets documentation for more details.

Key                  Value
tls.crt              The PEM encoded public key certificate
tls.key              The content of the private key