As in Kubernetes, Octelium has a dedicated Secret resource type for storing sensitive data such as API tokens and passwords. Other Cluster resources reference a Secret by its name, so the sensitive value itself never has to sit alongside the rest of the Cluster configuration, which you may well keep in a git repository, for example.
Secrets are used by various other Cluster resources such as Services and IdentityProviders. For example, Services use Secrets to provide secret-less access. You can read more about secret-less access here.
Creating a Secret
You can create a Secret via the octeliumctl create secret command using one of the following ways:
Value via Prompt
You can insert your Secret value directly via prompt as follows:
octeliumctl create secret apikey1
Enter the secret: <SECRET_VALUE>
From File
You can also create a Secret from the content of a file as follows:
octeliumctl create secret aws-ssh-pk --file /PATH/TO/SSH/PRIVATE_KEY
TLS Certificate
You can create a Secret from a TLS certificate using the PEM file paths of the certificate chain and its corresponding private key. Such Secrets are typically useful for use cases such as a Service using the Secret as a client certificate to connect to an upstream that is protected by mTLS (read more here).
octeliumctl create secret mtls-k8s-01 --cert /PATH/TO/CERTIFICATE_CHAIN.PEM --cert-key /PATH/TO/CERTIFICATE_PRIVATE_KEY.PEM
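The following is an added example, not code from the Octelium project or its documentation. It wraps the --file and --cert/--cert-key forms above in two POSIX shell functions and assumes only those flags. The OCTELIUMCTL variable is a hypothetical override so the functions can be exercised against a stub command. The first function takes the value from an environment variable (as a CI job would) and hands it over through a 0600 temp file, so the value never appears in argv where ps and shell history would expose it; the second verifies with openssl that the private key actually belongs to the leaf certificate before creating an mTLS Secret, since the Cluster will not let you read the value back to check it later.

```shell
#!/bin/sh
# Added example (not Octelium's own tooling). It only assumes the octeliumctl
# flags shown on this page: `create secret NAME --file PATH` and
# `create secret NAME --cert PATH --cert-key PATH`. OCTELIUMCTL is a hypothetical
# override used here so the functions can be exercised against a stub.
: "${OCTELIUMCTL:=octeliumctl}"

# Create a Secret from the value of an environment variable (for example a token
# injected by a CI system) without putting the value into argv, where `ps` and
# shell history would expose it: write it to a temp file readable only by the
# current user, hand that file to --file, then remove it.
create_secret_from_env() {
    name=$1
    var=$2
    # Only accept a plain identifier as the variable name: it is passed to eval.
    case $var in
        ''|*[!A-Za-z0-9_]*) echo "create_secret_from_env: bad variable name" >&2; return 1 ;;
    esac
    eval "value=\${$var:-}"
    if [ -z "$value" ]; then
        echo "create_secret_from_env: \$$var is unset or empty" >&2
        return 1
    fi
    # umask in the subshell makes mktemp's file 0600 regardless of the caller's umask
    tmp=$(umask 077 && mktemp) || return 1
    # printf, not echo: no added newline and no backslash interpretation
    printf '%s' "$value" > "$tmp"
    if "$OCTELIUMCTL" create secret "$name" --file "$tmp"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    unset value
    return $rc
}

# Check that a PEM private key belongs to the leaf certificate (the first
# certificate in the chain file) by comparing the public key embedded in the
# certificate with the one derived from the private key. Assumes an unencrypted key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Create an mTLS client-certificate Secret, refusing a mismatched pair up front
# rather than discovering it when the Service fails to reach its upstream.
create_mtls_secret() {
    name=$1
    cert=$2
    key=$3
    if ! cert_matches_key "$cert" "$key"; then
        echo "create_mtls_secret: $key does not match the certificate in $cert" >&2
        return 1
    fi
    "$OCTELIUMCTL" create secret "$name" --cert "$cert" --cert-key "$key"
}
```

Typical use would be `MY_TOKEN=... create_secret_from_env apikey1 MY_TOKEN` and `create_mtls_secret mtls-k8s-01 chain.pem key.pem`. The same reasoning is why the page's own two forms take the value from an interactive prompt or a file rather than as a command-line argument: anything in argv is visible to every local user for the lifetime of the process.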
Obtaining Secrets
You can list the Secrets as follows:
octeliumctl get secret
You can also get a certain Secret as follows:
octeliumctl get secret <SECRET_NAME>
It is important to understand that the Cluster does not currently expose the Secret data itself via the API, and consequently not via the octeliumctl CLI either; it keeps the Secret's actual sensitive value for itself internally. In other words, the octeliumctl get secret command only returns the Secret resource without its data field, which is what actually holds the sensitive value. Because the value cannot be read back, keep your own copy of it if you need to reuse it elsewhere.
Deleting a Secret
You can also delete a Secret as follows:
octeliumctl delete secret <SECRET_NAME>
Secret Storage
Just like Kubernetes, an Octelium Cluster by default stores a Secret's data in plaintext, like any other Cluster resource. However, Octelium lets you develop your own secret manager/vault through a gRPC interface (see here) with which you can intercept Secret Create/Get/Update/List/Delete operations arriving at the ResourceServer and store the Secret in the secret store of your choice, according to your own requirements.
Octelium also provides a commercial, scalable Secret encryption-at-rest management offering that integrates with AWS KMS, Google Cloud KMS, Azure Key Vault and HashiCorp Vault, as well as other secret managers and vaults on demand. You can see the list of our offerings here.