Secrets
Within App Platform, secrets are securely encrypted and stored in your Values Git repository using Sealed Secrets. When you create a secret, it generates a standard Kubernetes Secret in your team's namespace that can be used like any other Kubernetes Secret.
View secrets
To view a list of secrets belonging to your team, click on Secrets in the main menu of the App Platform Console while in the Team view. The resulting table lists each secret alongside the type and status.
Create a secret
- Provide a name for the secret. The Kubernetes Secret will have the same name.
- Select Immutable if the data of the secret (and of the Kubernetes Secret) must not be updated after the Sealed Secret has been created. When the secret is Immutable, only the metadata can be modified after creation.
- Select one of the following types:
  - Opaque (kubernetes.io/opaque) - This is the default type in Kubernetes.
  - Docker config (kubernetes.io/dockercfg)
  - Docker config (JSON) (kubernetes.io/dockerconfigjson)
  - Basic authentication (kubernetes.io/basic-auth)
  - SSH authentication (kubernetes.io/ssh-auth)
  - TLS (kubernetes.io/tls)
- Enter the encrypted data for your secret. This step depends on the type of secret selected in the previous step. Review the encrypted data section below for further details.
- Enter any metadata to be stored alongside the secret. This step may be optional or required, depending on the type of secret. Review the encrypted data section below for any required metadata. The following types of metadata are available:
  If you need more than one of any type, click the corresponding Add button.

The secret value will only be visible at the time of creation. After creation, the value field will display asterisks (****) to indicate the data is encrypted and cannot be revealed through the interface, though it can be overwritten. To overwrite the secret, click on the lock icon (🔒) next to the value field, enter the new secret value, and click on Save Changes.
Encrypted data by secret type
Opaque
Opaque Secrets consist of one or more key-value pairs as described below. Review the opaque secrets documentation for more details.
| Key | Value |
|---|---|
| Name of the Key | The value of the data item |
Docker config
Docker config Secrets consist of a single key-value pair as described below. Review the Docker config Secrets documentation for more details.
| Key | Value |
|---|---|
| .dockercfg | a .dockerconfigjson key for which the value is the content of a base64 encoded ~/.docker/config.json file |
Docker config (JSON)
Docker config Secrets formatted in JSON consist of a single key-value pair as described below. Review the Docker config Secrets documentation for more details.
| Key | Value |
|---|---|
| .dockerconfigjson | The content of a ~/.docker/config.json file |
Example of a config.json:
```json
{
  "auths": {
    "my-registry.example:5000": {
      "username": "tiger",
      "password": "pass1234",
      "email": "tiger@acme.example",
      "auth": "the-authentication-key"
    }
  }
}
```
Use the following command to create the JSON:
```bash
email="not@us.ed" # can be something else if the registry provider expects it, but usually this is ignored
server=""         # example: "https://harbor.myclusterid.akamai-apl.net/"
username=""       # your username
password=""       # your password, can be a token

# --dry-run=client renders the Secret locally without creating it in the cluster;
# the variables are quoted so values with spaces or special characters survive.
kubectl create secret docker-registry --dry-run=client regcred \
  --docker-email="$email" \
  --docker-server="$server" \
  --docker-username="$username" \
  --docker-password="$password" \
  -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode
```
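The Python sketch below is an added example, not part of the original documentation or of App Platform. It builds a value in the same shape as the config.json example above and checks a value before it is entered as the `.dockerconfigjson` data. The function names and error messages are assumptions made for this example; it relies on the registry `auth` field being the base64 encoding of `username:password`.

```python
import base64
import binascii
import json

def build_dockerconfigjson(server, username, password, email=""):
    """Return JSON text in the same shape as the config.json example."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password, "auth": auth}
    if email:
        entry["email"] = email
    return json.dumps({"auths": {server: entry}})

def validate_dockerconfigjson(text):
    """Return a list of problems; an empty list means the value looks usable."""
    try:
        doc = json.loads(text)
    except ValueError:
        # Common mistake: pasting the base64 form instead of the decoded JSON.
        try:
            json.loads(base64.b64decode(text.strip(), validate=True))
            return ["value is base64-encoded; paste the decoded JSON"]
        except (binascii.Error, ValueError):
            return ["value is not valid JSON"]
    auths = doc.get("auths") if isinstance(doc, dict) else None
    if not isinstance(auths, dict) or not auths:
        return ['missing or empty "auths" object']
    problems = []
    for server, entry in auths.items():
        entry = entry if isinstance(entry, dict) else {}
        auth = entry.get("auth")
        user, pw = entry.get("username"), entry.get("password")
        if auth is None:
            if user is None or pw is None:
                problems.append(f"{server}: needs auth or username and password")
            continue
        try:
            decoded = base64.b64decode(auth, validate=True).decode()
        except (binascii.Error, ValueError):
            problems.append(f"{server}: auth is not valid base64")
            continue
        if ":" not in decoded:
            problems.append(f"{server}: auth does not decode to username:password")
        elif user is not None and pw is not None and decoded != f"{user}:{pw}":
            problems.append(f"{server}: auth does not match username and password")
    return problems

if __name__ == "__main__":
    # Constructed sample values, reusing the names from the config.json example.
    good = build_dockerconfigjson("my-registry.example:5000", "tiger", "pass1234")
    print(validate_dockerconfigjson(good))
```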
Basic authentication
Basic authentication Secrets consist of two key-value pairs as described below. Review the Basic authentication Secrets documentation for more details.
| Key | Value |
|---|---|
| username | a username |
| password | a password |
SSH authentication
SSH authentication Secrets consist of a single key-value pair as described below. Review the SSH authentication Secrets documentation for more details.
| Key | Value |
|---|---|
| ssh-privatekey | The SSH private key to use as the SSH credential |
TLS
TLS Secrets consist of two key-value pairs as described below. Review the TLS Secrets documentation for more details.
| Key | Value |
|---|---|
| tls.crt | The PEM encoded public key certificate |
| tls.key | The private key certificate content |
