Chapter 54. SecretService


54.1. CountSecrets

GET /v1/secretscount

CountSecrets returns the number of secrets.

54.1.1. Description

54.1.2. Parameters

54.1.2.1. Query Parameters

| Name | Description | Required | Default | Pattern |
|---|---|---|---|---|
| query | | - | null | |
| pagination.limit | | - | null | |
| pagination.offset | | - | null | |
| pagination.sortOption.field | | - | null | |
| pagination.sortOption.reversed | | - | null | |
| pagination.sortOption.aggregateBy.aggrFunc | | - | UNSET | |
| pagination.sortOption.aggregateBy.distinct | | - | null | |

54.1.3. Return Type

V1CountSecretsResponse

54.1.4. Content Type

  • application/json

54.1.5. Responses

Table 54.1. HTTP Response Codes

| Code | Message | Datatype |
|---|---|---|
| 200 | A successful response. | V1CountSecretsResponse |
| 0 | An unexpected error response. | RuntimeError |

54.1.6. Samples

54.1.7. Common object reference

54.1.7.1. ProtobufAny

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++.

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java.

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}

Example 3: Pack and unpack a message in Python.

foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...

Example 4: Pack and unpack a message in Go.

foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

54.1.7.1.1. JSON representation

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example:

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}

{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message google.protobuf.Duration):

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}

| Field Name | Required | Nullable | Type | Description | Format |
|---|---|---|---|---|---|
| typeUrl | | | String | See "typeUrl" below. | |
| value | | | byte[] | Must be a valid serialized protocol buffer of the above specified type. | byte |

typeUrl: A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one "/" character. The last segment of the URL's path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading "." is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows:

  • If no scheme is provided, https is assumed.
  • An HTTP GET on the URL must yield a google.protobuf.Type value in binary format, or produce an error.
  • Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.)

Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one.

Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

54.1.7.2. RuntimeError

| Field Name | Required | Nullable | Type | Description | Format |
|---|---|---|---|---|---|
| error | | | String | | |
| code | | | Integer | | int32 |
| message | | | String | | |
| details | | | List of ProtobufAny | | |

54.1.7.3. V1CountSecretsResponse

| Field Name | Required | Nullable | Type | Description | Format |
|---|---|---|---|---|---|
| count | | | Integer | | int32 |

54.2. ListSecrets

GET /v1/secrets

ListSecrets returns the list of secrets.

54.2.1. Description

54.2.2. Parameters

54.2.2.1. Query Parameters

| Name | Description | Required | Default | Pattern |
|---|---|---|---|---|
| query | | - | null | |
| pagination.limit | | - | null | |
| pagination.offset | | - | null | |
| pagination.sortOption.field | | - | null | |
| pagination.sortOption.reversed | | - | null | |
| pagination.sortOption.aggregateBy.aggrFunc | | - | UNSET | |
| pagination.sortOption.aggregateBy.distinct | | - | null | |

54.2.3. Return Type

V1ListSecretsResponse

54.2.4. Content Type

  • application/json

54.2.5. Responses

Table 54.2. HTTP Response Codes

| Code | Message | Datatype |
|---|---|---|
| 200 | A successful response. | V1ListSecretsResponse |
| 0 | An unexpected error response. | RuntimeError |

54.2.6. Samples

54.2.7. Common object reference

54.2.7.1. ProtobufAny

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++.

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java.

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}

Example 3: Pack and unpack a message in Python.

foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...

Example 4: Pack and unpack a message in Go.

foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

54.2.7.1.1. JSON representation

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example:

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}

{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message google.protobuf.Duration):

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}

| Field Name | Required | Nullable | Type | Description | Format |
|---|---|---|---|---|---|
| typeUrl | | | String | See "typeUrl" below. | |
| value | | | byte[] | Must be a valid serialized protocol buffer of the above specified type. | byte |

typeUrl: A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one "/" character. The last segment of the URL's path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading "." is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows:

  • If no scheme is provided, https is assumed.
  • An HTTP GET on the URL must yield a google.protobuf.Type value in binary format, or produce an error.
  • Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.)

Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one.

Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

54.2.7.2. RuntimeError

| Field Name | Required | Nullable | Type | Description | Format |
|---|---|---|---|---|---|
| error | | | String | | |
| code | | | Integer | | int32 |
| message | | | String | | |
| details | | | List of ProtobufAny | | |

54.2.7.3. StorageListSecret

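| Field Name | Required | Nullable | Type | Description | Format |
|---|---|---|---|---|---|
| id | | | String | | |
| name | | | String | | |
| clusterId | | | String | | |
| clusterName | | | String | | |
| namespace | | | String | | |
| types | | | List of StorageSecretType | | |
| createdAt | | | Date | | date-time |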

54.2.7.4. StorageSecretType

Enum Values

  • UNDETERMINED
  • PUBLIC_CERTIFICATE
  • CERTIFICATE_REQUEST
  • PRIVACY_ENHANCED_MESSAGE
  • OPENSSH_PRIVATE_KEY
  • PGP_PRIVATE_KEY
  • EC_PRIVATE_KEY
  • RSA_PRIVATE_KEY
  • DSA_PRIVATE_KEY
  • CERT_PRIVATE_KEY
  • ENCRYPTED_PRIVATE_KEY
  • IMAGE_PULL_SECRET

54.2.7.5. V1ListSecretsResponse

A list of secrets with their relationships. Next Tag: 2

| Field Name | Required | Nullable | Type | Description | Format |
|---|---|---|---|---|---|
| secrets | | | List of StorageListSecret | | |

54.3. GetSecret

GET /v1/secrets/{id}

GetSecret returns a secret given its ID.

54.3.1. Description

54.3.2. Parameters

54.3.2.1. Path Parameters

| Name | Description | Required | Default | Pattern |
|---|---|---|---|---|
| id | | X | null | |

54.3.3. Return Type

StorageSecret

54.3.4. Content Type

  • application/json

54.3.5. Responses

Table 54.3. HTTP Response Codes

| Code | Message | Datatype |
|---|---|---|
| 200 | A successful response. | StorageSecret |
| 0 | An unexpected error response. | RuntimeError |

54.3.6. Samples

54.3.7. Common object reference

54.3.7.1. ImagePullSecretRegistry

| Field Name | Required | Nullable | Type | Description | Format |
|---|---|---|---|---|---|
| name | | | String | | |
| username | | | String | | |

54.3.7.2. ProtobufAny

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++.

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java.

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}

Example 3: Pack and unpack a message in Python.

foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...

Example 4: Pack and unpack a message in Go.

foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

54.3.7.2.1. JSON representation

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example:

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}

{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message google.protobuf.Duration):

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}

| Field Name | Required | Nullable | Type | Description | Format |
|---|---|---|---|---|---|
| typeUrl | | | String | See "typeUrl" below. | |
| value | | | byte[] | Must be a valid serialized protocol buffer of the above specified type. | byte |

typeUrl: A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one "/" character. The last segment of the URL's path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading "." is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows:

  • If no scheme is provided, https is assumed.
  • An HTTP GET on the URL must yield a google.protobuf.Type value in binary format, or produce an error.
  • Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.)

Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one.

Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

54.3.7.3. RuntimeError

| Field Name | Required | Nullable | Type | Description | Format |
|---|---|---|---|---|---|
| error | | | String | | |
| code | | | Integer | | int32 |
| message | | | String | | |
| details | | | List of ProtobufAny | | |
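
A client-side check for the details entries of a RuntimeError, applying the type URL rules from the ProtobufAny sections (at least one "/", type name taken after the last "/", no leading "."). This is an added example, not code from the product or the protobuf library; the allow-list, the function names and the sample body are assumptions constructed for illustration.

```python
import json

# Assumption: the only detail types this client is prepared to interpret.
ALLOWED_DETAIL_TYPES = {"google.protobuf.Duration"}

def type_name_from_url(type_url):
    """Return the fully qualified type name after the last '/', or raise ValueError."""
    if not isinstance(type_url, str) or "/" not in type_url:
        raise ValueError("type URL must contain at least one '/'")
    name = type_url.rsplit("/", 1)[1]
    if not name or name.startswith("."):
        raise ValueError("type name must be non-empty with no leading '.'")
    return name

def triage_error_details(body):
    """Split RuntimeError.details into (accepted, rejected); no URL is ever fetched."""
    err = json.loads(body)
    accepted, rejected = [], []
    for detail in err.get("details") or []:
        try:
            name = type_name_from_url(detail.get("@type"))
        except (ValueError, AttributeError) as exc:
            rejected.append((detail, str(exc)))
            continue
        if name in ALLOWED_DETAIL_TYPES:
            accepted.append((name, detail))
        else:
            # The host part of the URL is ignored by unpack, so only the name is judged.
            rejected.append((detail, "type not in allow-list: " + name))
    return accepted, rejected

# Constructed sample body in the JSON representation described above; not real output.
SAMPLE_ERROR = json.dumps({
    "error": "constructed", "code": 5, "message": "constructed",
    "details": [
        {"@type": "type.googleapis.com/google.protobuf.Duration", "value": "1.212s"},
        {"@type": "foo.bar.com/x/y.z"},
        {"@type": "no-slash"},
        {"@type": "example.com/.leading.dot"},
    ],
})

if __name__ == "__main__":
    ok, bad = triage_error_details(SAMPLE_ERROR)
    print("accepted:", [n for n, _ in ok])
    for _, reason in bad:
        print("rejected:", reason)
```
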

  

54.3.7.4. StorageCert

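| Field Name | Required | Nullable | Type | Description | Format |
|---|---|---|---|---|---|
| subject | | | StorageCertName | | |
| issuer | | | StorageCertName | | |
| sans | | | List of string | | |
| startDate | | | Date | | date-time |
| endDate | | | Date | | date-time |
| algorithm | | | String | | |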

54.3.7.5. StorageCertName

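| Field Name | Required | Nullable | Type | Description | Format |
|---|---|---|---|---|---|
| commonName | | | String | | |
| country | | | String | | |
| organization | | | String | | |
| organizationUnit | | | String | | |
| locality | | | String | | |
| province | | | String | | |
| streetAddress | | | String | | |
| postalCode | | | String | | |
| names | | | List of string | | |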

54.3.7.6. StorageImagePullSecret

| Field Name | Required | Nullable | Type | Description | Format |
|---|---|---|---|---|---|
| registries | | | List of ImagePullSecretRegistry | | |

54.3.7.7. StorageSecret

Flat secret object. Any properties of an individual secret (regardless of time, scope, or context).

| Field Name | Required | Nullable | Type | Description | Format |
|---|---|---|---|---|---|
| id | | | String | | |
| name | | | String | | |
| clusterId | | | String | | |
| clusterName | | | String | | |
| namespace | | | String | | |
| type | | | String | | |
| labels | | | Map of string | | |
| annotations | | | Map of string | | |
| createdAt | | | Date | | date-time |
| files | | | List of StorageSecretDataFile | Metadata about the secrets. The secret need not be a file, but rather may be an arbitrary value. | |
| relationship | | | StorageSecretRelationship | | |

54.3.7.8. StorageSecretContainerRelationship

Secrets can be mounted in a path in a container. Next Tag: 3

| Field Name | Required | Nullable | Type | Description | Format |
|---|---|---|---|---|---|
| id | | | String | Id of the container the secret is mounted in. | |
| path | | | String | Path is a container specific mounting directory. | |

54.3.7.9. StorageSecretDataFile

Metadata about secret. Additional information is presented for a certificate file and imagePullSecret, but the "file" may also represent some arbitrary value.

| Field Name | Required | Nullable | Type | Description | Format |
|---|---|---|---|---|---|
| name | | | String | | |
| type | | | StorageSecretType | | UNDETERMINED, PUBLIC_CERTIFICATE, CERTIFICATE_REQUEST, PRIVACY_ENHANCED_MESSAGE, OPENSSH_PRIVATE_KEY, PGP_PRIVATE_KEY, EC_PRIVATE_KEY, RSA_PRIVATE_KEY, DSA_PRIVATE_KEY, CERT_PRIVATE_KEY, ENCRYPTED_PRIVATE_KEY, IMAGE_PULL_SECRET |
| cert | | | StorageCert | | |
| imagePullSecret | | | StorageImagePullSecret | | |

54.3.7.10. StorageSecretDeploymentRelationship

Secrets can be used by a deployment. Next Tag: 3

| Field Name | Required | Nullable | Type | Description | Format |
|---|---|---|---|---|---|
| id | | | String | Id of the deployment using the secret within a container. | |
| name | | | String | Name of the deployment. | |

54.3.7.11. StorageSecretRelationship

The combined relationships that belong to the secret. Next Tag: 6

| Field Name | Required | Nullable | Type | Description | Format |
|---|---|---|---|---|---|
| id | | | String | | |
| containerRelationships | | | List of StorageSecretContainerRelationship | | |
| deploymentRelationships | | | List of StorageSecretDeploymentRelationship | Deployment id to relationship. | |

54.3.7.12. StorageSecretType

Enum Values

  • UNDETERMINED
  • PUBLIC_CERTIFICATE
  • CERTIFICATE_REQUEST
  • PRIVACY_ENHANCED_MESSAGE
  • OPENSSH_PRIVATE_KEY
  • PGP_PRIVATE_KEY
  • EC_PRIVATE_KEY
  • RSA_PRIVATE_KEY
  • DSA_PRIVATE_KEY
  • CERT_PRIVATE_KEY
  • ENCRYPTED_PRIVATE_KEY
  • IMAGE_PULL_SECRET
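
One way to use the StorageSecret object returned by GET /v1/secrets/{id} for a hygiene review: list the files whose StorageSecretType denotes private key material together with the deployments that use the secret, and flag certificates whose endDate has passed or is near. This is an added example, not code from the product; the sample object, the 30-day window, the finding labels and the choice of which enum values count as unencrypted private keys are assumptions, and date-time values are assumed to be UTC.

```python
from datetime import datetime, timedelta, timezone

# StorageSecretType values treated here as unencrypted private key material
# (an assumption of this example; ENCRYPTED_PRIVATE_KEY is left out on purpose).
PRIVATE_KEY_TYPES = {
    "OPENSSH_PRIVATE_KEY", "PGP_PRIVATE_KEY", "EC_PRIVATE_KEY",
    "RSA_PRIVATE_KEY", "DSA_PRIVATE_KEY", "CERT_PRIVATE_KEY",
}

def parse_ts(value):
    """Parse a date-time string, assuming UTC ("Z"); sub-second digits are dropped."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit_secret(secret, now, warn_days=30):
    """Return (kind, file name, detail) findings for one StorageSecret dict."""
    rel = secret.get("relationship") or {}
    users = sorted(d.get("name") or d.get("id") or "?"
                   for d in rel.get("deploymentRelationships") or [])
    used_by = "used by " + (", ".join(users) if users else "no deployment")
    findings = []
    for f in secret.get("files") or []:
        if f.get("type") in PRIVATE_KEY_TYPES:
            findings.append(("private-key", f.get("name"), f["type"] + ", " + used_by))
        end = (f.get("cert") or {}).get("endDate")
        if not end:
            continue
        left = parse_ts(end) - now
        if left < timedelta(0):
            findings.append(("cert-expired", f.get("name"), "expired " + end))
        elif left <= timedelta(days=warn_days):
            findings.append(("cert-expiring", f.get("name"), "%d days left" % left.days))
    return findings

# Constructed sample shaped like a StorageSecret response; not real data.
SAMPLE_SECRET = {
    "id": "constructed-id-1", "name": "web-tls", "clusterName": "prod",
    "namespace": "shop", "createdAt": "2025-01-10T08:00:00Z",
    "files": [
        {"name": "tls.key", "type": "RSA_PRIVATE_KEY"},
        {"name": "tls.crt", "type": "PUBLIC_CERTIFICATE",
         "cert": {"endDate": "2026-03-11T00:00:00Z"}},
        {"name": "old.crt", "type": "PUBLIC_CERTIFICATE",
         "cert": {"endDate": "2025-12-31T23:59:59.123456789Z"}},
    ],
    "relationship": {"deploymentRelationships": [
        {"id": "constructed-dep-1", "name": "frontend"}]},
}
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)  # fixed so the result is repeatable

if __name__ == "__main__":
    for finding in audit_secret(SAMPLE_SECRET, NOW):
        print(finding)
```
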
