deployment URL and code will be saved.
username is the literal string <token>.

Username & Password Keys

Example:

auth Key

The auth key is the base64 encoded result of the string USERNAME:PASSWORD.

The auth key is the base64 encoded result of the string USERNAME:DOCKER_ACCESS_TOKEN.

The base64 utility can be used to easily encode the string. Example: echo -n USERNAME:PASSWORD | base64
An Azure Service Principal is recommended as the identity used to pull images.
Refer to this article to create an Azure Service Principal that only has the pull permission.
REGISTRY_NAME.azurecr.io, and can be obtained from the Azure Container Registry section of the Azure Portal.
--years flag when running the az ad sp create-for-rbac command during the creation of a Service Principal.
(read:packages scope) is required.

Example:

Elastic Container Registry service with the Read action on the specific repositories.

Google Container Registry.

Sample Key Pair
cpln://secret/SECRET_NAME.payload
cpln://secret/SECRET_NAME (without the .payload)
The encoding property will be set to base64. It is the responsibility of the user to perform the base64 decode.

base64: "{\"payload\":\"VGhpcyBpcyBhbiBvcGFxdWUgaW4gYmFzZTY0\",\"encoding\":\"base64\"}"
plain text: "{\"payload\":\"The is an opaque secret in plain text\",\"encoding\":\"plain\"}"
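The two pieces of client-side work described on this page, building the base64 auth key for a Docker pull secret (USERNAME:PASSWORD or USERNAME:DOCKER_ACCESS_TOKEN) and decoding an opaque secret whose encoding property is base64, as an added Python example. This is not Control Plane's own code or API; the function names are constructed here, and the two JSON documents are the samples shown above.

```python
# Added example, not from the Control Plane documentation. The function names
# (docker_auth_key, parse_secret_ref, decode_opaque_secret) are constructed;
# the two sample JSON documents are the ones shown on the page.
import base64
import json
from typing import Tuple

SECRET_REF_PREFIX = "cpln://secret/"
PAYLOAD_SUFFIX = ".payload"

# Sample values copied from the page (opaque secret as delivered to a workload).
BASE64_SAMPLE = '{"payload":"VGhpcyBpcyBhbiBvcGFxdWUgaW4gYmFzZTY0","encoding":"base64"}'
PLAIN_SAMPLE = '{"payload":"The is an opaque secret in plain text","encoding":"plain"}'


def docker_auth_key(username: str, credential: str) -> str:
    """Return the base64 value of USERNAME:CREDENTIAL, the same output as
    `echo -n USERNAME:PASSWORD | base64`. The credential may be a password or
    a Docker access token; the encoding is identical for both."""
    raw = f"{username}:{credential}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_secret_ref(ref: str) -> Tuple[str, bool]:
    """Split cpln://secret/NAME or cpln://secret/NAME.payload into
    (secret name, payload_only). Anything else raises ValueError so a
    mistyped reference is not silently treated as a literal value."""
    if not ref.startswith(SECRET_REF_PREFIX):
        raise ValueError(f"not a secret reference: {ref!r}")
    name = ref[len(SECRET_REF_PREFIX):]
    if not name or "/" in name:
        raise ValueError(f"malformed secret reference: {ref!r}")
    if name.endswith(PAYLOAD_SUFFIX):
        return name[: -len(PAYLOAD_SUFFIX)], True
    return name, False


def decode_opaque_secret(document: str) -> str:
    """Decode the JSON an opaque secret resolves to when referenced without
    .payload. The platform does not decode base64 payloads for you; "plain"
    payloads are returned as-is and unknown encodings are rejected."""
    doc = json.loads(document)
    payload = doc["payload"]
    encoding = doc.get("encoding", "plain")
    if encoding == "plain":
        return payload
    if encoding == "base64":
        # validate=True rejects padding/alphabet errors instead of
        # silently returning truncated bytes.
        return base64.b64decode(payload, validate=True).decode("utf-8")
    raise ValueError(f"unsupported encoding {encoding!r}")


if __name__ == "__main__":
    print(docker_auth_key("USERNAME", "PASSWORD"))
    print(parse_secret_ref("cpln://secret/SECRET_NAME.payload"))
    print(decode_opaque_secret(BASE64_SAMPLE))
    print(decode_opaque_secret(PLAIN_SAMPLE))
```

The auth key is only an encoding, not encryption: anyone with reveal permission on the Docker secret (or a workload that has it injected) recovers USERNAME:PASSWORD with a single base64 decode, which is why an access token scoped to pulls is preferable to an account password.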
Sample TLS
Permission | Description | Implies |
---|---|---|
create | Create new secrets | |
delete | Delete secrets | |
edit | Modify existing secrets | view, reveal |
manage | Full access | create, delete, edit, manage, reveal, use, view |
reveal | Reveal the plaintext of the secret | view |
use | Refer to this secret from other entities (gvcs, cloudaccounts, etc) | view |
view | Read-only access excluding plaintext | |
reveal permission.

For example, when using a secret as the value of an environment variable for a container, the identity assigned to the workload must have the reveal permission set on the assigned secret using a policy.

When configuring the environment variable, the value of the variable will be in the following format: cpln://secret/SECRET_NAME. The image running within the container will be able to access the plaintext of the secret by referring to the name of the configured environment variable.
use permission.

For example, if the image assigned to a container belongs to a private Docker registry, a pull secret for that registry must be added to the associated GVC. The user that is configuring this application must have the use permission set on the secret (using a policy) to be able to add it as a pull secret.