Appearance
Kubernetes Secrets
This page gives an overview of how to use and manage Kubernetes Secrets for Metaplay environments.
Skip to content
Dependencies
- Install the Metaplay CLI — You need the Metaplay CLI tool to manage Kubernetes Secrets.
Key Concepts
- Secrets are objects that store confidential data, such as passwords or API keys, for use in the game server. They help keep sensitive data separate from application code.
Overview
This guide walks you through creating your first Secret in a cloud environment and using it in your game server.
Create a Secret
First, create a Secret in your environment using the Metaplay CLI to store the credentials. We'll use an imaginary service with the name user-some-credentials. The Secret will contain two named entries: username and password, each with its own value.
For demonstration purposes, the username will be specified directly on the command line and the password will be sourced from a file.
bash
# Here we're creating a secret named user-some-credentials on the my-environment environment with keys username and password
MyProject$ metaplay secrets create my-environment user-some-credentials --from-literal=username=myusername --from-file=password=password.txtKubernetes Secrets can contain multiple named entries. This is useful for grouping several related Secret values in a single Secret object.
💡 Note
Secret names must begin with the user- prefix to ensure they do not clash with any built-in Secrets in the environment.
Access the Secret
To access the Secret from your game server code, you'll need to add it to your runtime options.
Options.<env>.yaml
yaml
MySecret:
# The 'kube-secret://' prefix indicates that the value should be resolved from the Kubernetes secret.
# Note that you must refer to the secret with both the secret and key name, using the special syntax.
PasswordSecretPath: "kube-secret://user-some-credentials#password"This example only reads the password from the Secret, but you can read any other entry as well.
Then, you can resolve the password Secret value in your game server code.
csharp
[RuntimeOptions("MySecret", isStatic: false, "")]
public class MySecretOptions : RuntimeOptionsBase
{
// PasswordSecretPath is the path to the password secret, defined in Options.yaml.
[MetaDescription("The path to the password secret.")]
public string PasswordSecretPath { get; private set; } = null;
// This is the resolved value for the password. The attributes prevent the value from being logged.
[IgnoreDataMember, Sensitive]
public string ResolvedPassword { get; private set; }
...
public override async Task OnLoadedAsync()
{
// Resolve the value for the password from the Kubernetes secret.
ResolvedPassword = await SecretUtil.ResolveSecretAsync(Log, PasswordSecretPath).ConfigureAwait(false);
}
}Managing Secrets
Besides creating Secrets, the Metaplay CLI also provides some utilities to list, delete and show Secrets.
bash
MyProject$ metaplay secrets show my-environment user-some-credentials
MyProject$ metaplay secrets delete my-environment user-some-credentials
MyProject$ metaplay secrets list my-environment💡 Note
To update a secret, you must first delete the existing Secret and then create it again. We'll add an update command in the future.
Programmatic Use
The CLI supports showing the Secrets in JSON format, which can be useful for programmatic use.
For example, you could use the following command to extract a value from a Secret into an environment variable:
bash
MyProject$ PASSWORD=$(metaplay secrets show my-environment user-some-credentials --format=json | jq -r .data.password)Further Reading
You can get more details about the available CLI Secrets management commands with metaplay secrets --help, or for individual commands with metaplay secrets [command] --help. Here's an example with the list command:
bash
MyProject$ metaplay secrets list --help