Secret

When defining a datasource, you will probably need to provide a basic authentication, a certificate, or a token to be used when the Perses backend will contact your Datasource.

We have two different objects to store sensitive data: GlobalSecret and Secret. You should use one or the other depending on which object your datasource corresponds to.

  • To store sensitive data for a GlobalDatasource, you need to create a GlobalSecret.
  • For a Datasource object or a datasource defined directly in a dashboard, you need to create a Secret. GlobalSecret cannot be used here.

A Secret is defined like that:

kind: "Secret"
metadata:
  project: <string>
  name: <string>
spec: <secret_specification>

And a GlobalSecret:

kind: "GlobalSecret"
metadata:
  name: <string>
spec: <secret_specification>

See the next section to get details about the <secret_specification>

Secret specification

  [ basicAuth: <basic_auth_spec> ]

  # The HTTP authorization credentials for the targets.
  # Basic Auth and authorization are mutually exclusive. Use one or the other not both at the same time.
  [ authorization: <authorization_spec> ]

  # Config used to connect to the targets.
  [ tlsConfig: <tls_config_spec> ]

<basic_auth_spec>

  username: <string>
  [ password: <string> ]
  [ passwordFile: <filename> ]

<authorization_spec>

  [ type: <string> | default = "Bearer" ]

  # The HTTP credentials like a Bearer token
  [ credentials: <string> ]
  [ credentialsFile: <filename> ]

<tls_config_spec>

  # CA certificate to validate API server certificate with. At most one of ca and ca_file is allowed.
  [ ca: <secret> ]
  [ caFile: <filename> ]

  # Certificate and key for client cert authentication to the server.
  # At most one of cert and cert_file is allowed.
  # At most one of key and key_file is allowed.
  [ cert: <secret> ]
  [ certFile: <filename> ]
  [ key: <secret> ]
  [ keyFile: <filename> ]

  # ServerName extension to indicate the name of the server.
  # https://tools.ietf.org/html/rfc4366#section-3.1
  [ serverName: <string> ]

  # Disable validation of the server certificate.
  [ insecureSkipVerify: <boolean> | default = false ]

Example

kind: "Secret"
metadata:
  project: <string>
  name: <string>
spec:
  authorization:
    type: "Bearer"
    credentials: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
  tlsConfig:
    insecureSkipVerify: false

API definition

Secret

Get a list of Secret

GET /api/v1/projects/<project_name>/secrets

URL query parameters:

  • name = <string> : filters the list of secrets based on their names (prefix).

Get a single Secret

GET /api/v1/projects/<project_name>/secrets/<secret_name>

Create a single Secret

POST /api/v1/projects/<project_name>/secrets

Update a single Secret

PUT /api/v1/projects/<project_name>/secrets/<secret_name>

Delete a single Secret

DELETE /api/v1/projects/<project_name>/secrets/<secret_name>

Global Secret

Get a list of global Secret

GET /api/v1/globalsecrets

URL query parameters:

  • name = <string> : filters the list of global secrets based on their names (prefix).

Get a single global Secret

GET /api/v1/globalsecrets/<name>

Create a single global Secret

POST /api/v1/globalsecrets

Update a single global Secret

PUT /api/v1/globalsecrets/<name>

Delete a single global Secret

DELETE /api/v1/globalsecrets/<name>