Kubernetes Secrets
This page gives an overview of how to use and manage Kubernetes secrets for Metaplay environments.
Secrets are objects that store confidential data, such as passwords or API keys, for use in the game server. They help keep sensitive data separate from application code.
This guide walks you through creating your first secret in a cloud environment and using it in your game server.
First, create a secret in your environment using the Metaplay CLI to store credentials for an imaginary service with the name user-some-credentials. The secret contains two named entries: username and password, each with its own value.
For demonstration purposes, the username is specified directly on the command line and the password is read from a file.
# Here we're creating a secret named user-some-credentials on the my-environment environment with keys username and password
MyProject$ metaplay secrets create my-environment user-some-credentials --from-literal=username=myusername --from-file=password=password.txt
Kubernetes secrets can contain multiple named entries. This is useful for grouping several related secret values in a single secret object.
💡 Note
Secret names must begin with the user- prefix to ensure they do not clash with any built-in secrets in the environment.
To access the secret from your game server code, you'll need to add it to your runtime options.
MySecret:
  # The 'kube-secret://' prefix indicates that the value should be resolved from the Kubernetes secret.
  # Note that you must refer to the secret with both the secret and key name, using the special syntax.
  PasswordSecretPath: "kube-secret://user-some-credentials#password"
This example only reads the password from the secret, but you can read any other entry as well.
Then, you can resolve the password secret value in your game server code.
[RuntimeOptions("MySecret", isStatic: false, "")]
public class MySecretOptions : RuntimeOptionsBase
{
    // PasswordSecretPath is the path to the password secret, defined in Options.yaml.
    [MetaDescription("The path to the password secret.")]
    public string PasswordSecretPath { get; private set; } = null;

    // This is the resolved value for the password. The attributes prevent the value from being logged.
    [IgnoreDataMember, Sensitive]
    public string ResolvedPassword { get; private set; }

    ...

    public override async Task OnLoadedAsync()
    {
        // Resolve the value for the password from the Kubernetes secret.
        ResolvedPassword = await SecretUtil.ResolveSecretAsync(Log, PasswordSecretPath).ConfigureAwait(false);
    }
}
Besides creating Secrets, the Metaplay CLI also provides some utilities to list, delete and show Secrets.
MyProject$ metaplay secrets show my-environment user-some-credentials
MyProject$ metaplay secrets delete my-environment user-some-credentials
MyProject$ metaplay secrets list my-environment
💡 Note
To update a secret, you must first delete the existing secret and then create it again. We'll add an update command in the future.
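The delete-then-create update from the note above can be wrapped in a shell function that validates every input before the old secret is removed and takes all values from files, so they stay out of shell history and process listings. This is an added example, not part of the Metaplay CLI or its documentation. It assumes that --from-file may be repeated for several entries, that metaplay secrets delete runs without prompting, and that both commands exit non-zero on failure; replace_secret is a hypothetical helper name.

```sh
# Added example (not Metaplay's code): replace a secret via delete + create.
# Assumptions: --from-file may be repeated; the CLI exits non-zero on failure.
# Usage: replace_secret ENVIRONMENT SECRET_NAME KEY=FILE [KEY=FILE...]
replace_secret() (
  # Subshell body: variables and "set --" below do not leak to the caller.
  [ "$#" -ge 3 ] || { echo "usage: replace_secret ENV NAME KEY=FILE..." >&2; exit 2; }
  env_name=$1
  secret=$2
  shift 2

  # Secrets you create must carry the user- prefix.
  case $secret in
    user-?*) ;;
    *) echo "secret name must start with user-: $secret" >&2; exit 2 ;;
  esac

  # Validate every entry BEFORE deleting anything, so a typo cannot leave
  # the environment with the old secret gone and no replacement.
  for pair in "$@"; do
    key=${pair%%=*}
    file=${pair#*=}
    if [ "$key" = "$pair" ] || [ -z "$key" ]; then
      echo "expected KEY=FILE, got: $pair" >&2; exit 2
    fi
    if [ ! -s "$file" ]; then
      echo "missing or empty file for key $key: $file" >&2; exit 2
    fi
  done

  # Turn each KEY=FILE into --from-file=KEY=FILE (POSIX sh, no arrays).
  n=$#
  while [ "$n" -gt 0 ]; do
    set -- "$@" "--from-file=$1"
    shift
    n=$((n - 1))
  done

  metaplay secrets delete "$env_name" "$secret" || exit 1
  if ! metaplay secrets create "$env_name" "$secret" "$@"; then
    # The game server can no longer resolve this secret until it is recreated.
    echo "create failed after delete: $secret is now missing in $env_name" >&2
    exit 3
  fi
)
```

Exit status 2 means nothing was changed, 1 means the delete failed, and 3 means the secret was deleted but not recreated and needs immediate attention.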
The CLI supports showing the secrets in JSON format, which can be useful for programmatic use.
For example, you could use the following to extract a value from a secret into an environment variable:
MyProject$ PASSWORD=$(metaplay secrets show my-environment user-some-credentials --format=json | jq -r .data.password)
You can get more details about the available CLI secrets management commands with metaplay secrets --help and then for each individual command with, e.g., metaplay secrets list --help.