# Secrets configuration file

This document describes the fields in a Secrets configuration file. You use a
Secrets configuration file when you create
[prepared Secrets](/anthos/clusters/docs/on-prem/1.15/how-to/prepared-credentials).

A Secrets configuration file holds a set of Secret groups. Each group has
the name of a Kubernetes namespace and credentials for one or more of
the following:

- vCenter Server
- F5 BIG-IP
- A [component access service account](/anthos/clusters/docs/on-prem/1.15/how-to/service-accounts#component_access_service_account)
- A [connect-register service account](/anthos/clusters/docs/on-prem/1.15/how-to/service-accounts#connect_register_service_account)
- A [logging-monitoring service account](/anthos/clusters/docs/on-prem/1.15/how-to/service-accounts#logging_monitoring_service_account)
- An [audit logging service account](/anthos/clusters/docs/on-prem/1.15/how-to/service-accounts#audit_logging_service_account)
- A [usage metering service account](/anthos/clusters/docs/on-prem/1.15/how-to/service-accounts#usage_metering_service_account)
- Private registry

You provide a Secrets configuration file as input to the `gkectl create secrets`
command. For each Secret group, the command creates Kubernetes Secrets: one
Secret for each of the credentials in the group. The command creates the Secrets
in an admin cluster in the specified Kubernetes namespace.

To get started, create a template for your Secrets configuration file:

```
gkectl create-config secrets
```

**Template**

```yaml
apiVersion: v1
kind: ClusterSecrets
# List of secret groups
secretGroups:
# (Required) A unique name for secret namespace; it needs to have prefix 'gke-onprem-secrets-'
# (example: gke-onprem-secrets-test)
- namespace: ""
  # Secrets in this namespace
  secrets:
    # The credentials for vCenter
    vCenter:
      username: ""
      password: ""
    # The credentials for f5BigIP
    f5BigIP:
      username: ""
      password: ""
    # The Google Cloud service account key used to pull GKE images
    componentAccessServiceAccount:
      serviceAccountKeyPath: ""
    # The Google Cloud service account key used to register the cluster
    registerServiceAccount:
      serviceAccountKeyPath: ""
    # The Google Cloud service account key used to send logs and metrics from the cluster
    stackdriverServiceAccount:
      serviceAccountKeyPath: ""
    # The Google Cloud service account key used to send audit logs from the cluster
    cloudAuditLoggingServiceAccount:
      serviceAccountKeyPath: ""
    # The Google Cloud service account key used by gke-usage-metering to report to BigQuery
    usageMeteringServiceAccount:
      serviceAccountKeyPath: ""
    # (Optional) The credentials for private registry
    privateRegistry:
      username: ""
      password: ""
```
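The constraints this page states (the `gke-onprem-secrets-` prefix, a unique namespace per group, a username and password for each account credential, a key file path for each service account) can be checked before the file is handed to `gkectl create secrets`. The following validator is an added example and is not part of gkectl; it takes the parsed file as a Python dict (what PyYAML's `yaml.safe_load` returns for the template above), and its `check_paths` existence and file-mode checks on the key files are added practice, not requirements stated on this page.

```python
# Added pre-flight checks for a Secrets configuration file (not part of gkectl).
import os

NAMESPACE_PREFIX = "gke-onprem-secrets-"
PASSWORD_SECRETS = {"vCenter", "f5BigIP", "privateRegistry"}  # username/password pairs
KEY_SECRETS = {"componentAccessServiceAccount", "registerServiceAccount", "stackdriverServiceAccount",
               "cloudAuditLoggingServiceAccount", "usageMeteringServiceAccount"}  # key file paths


def validate_secrets_config(config, check_paths=False):
    """Return the problems found (empty list = well-formed); check_paths also inspects key files on disk."""
    problems = []
    if config.get("apiVersion") != "v1" or config.get("kind") != "ClusterSecrets":
        problems.append("apiVersion/kind must be v1/ClusterSecrets")
    seen = set()
    for i, group in enumerate(config.get("secretGroups") or []):
        ns = group.get("namespace") or ""
        if not ns.startswith(NAMESPACE_PREFIX):
            problems.append(f"secretGroups[{i}].namespace {ns!r} lacks prefix {NAMESPACE_PREFIX!r}")
        if ns in seen:  # the template requires each group's namespace to be unique
            problems.append(f"secretGroups[{i}].namespace {ns!r} is not unique")
        seen.add(ns)
        secrets = group.get("secrets") or {}
        if not secrets:
            problems.append(f"secretGroups[{i}] has no secrets, so no Secret would be created")
        for name, body in secrets.items():
            body = body or {}  # a bare "vCenter:" key parses as None
            if name in PASSWORD_SECRETS:
                for key in ("username", "password"):
                    if not body.get(key):
                        problems.append(f"secretGroups[{i}].secrets.{name}.{key} is empty")
            elif name in KEY_SECRETS:
                path = body.get("serviceAccountKeyPath") or ""
                if not path:
                    problems.append(f"secretGroups[{i}].secrets.{name}.serviceAccountKeyPath is empty")
                elif check_paths and not os.path.isfile(path):
                    problems.append(f"{path}: key file not found")
                elif check_paths and os.stat(path).st_mode & 0o077:  # group/other permission bits set
                    problems.append(f"{path}: key file is readable by group or others")
            else:
                problems.append(f"secretGroups[{i}].secrets.{name} is not a recognised secret")
    return problems


# Constructed sample shaped like the page's "bob" examples; the password is a placeholder.
SAMPLE_CONFIG = {"apiVersion": "v1", "kind": "ClusterSecrets", "secretGroups": [{
    "namespace": "gke-onprem-secrets-bob", "secrets": {"vCenter": {"username": "vc-bob", "password": "PLACEHOLDER"},
    "registerServiceAccount": {"serviceAccountKeyPath": "my-folder/connect-register-key.json"}}}]}
```

Run with `check_paths=True` on the machine where the key files live, since the page's example paths are relative to the directory from which `gkectl` is run.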
Filling in the fields in a Secrets configuration file
-----------------------------------------------------

`secretGroups`
--------------

An array of objects. Each object has the name of a Kubernetes namespace and a
set of credentials.

### `secretGroups[i].namespace`

A name of your choice for a Kubernetes namespace that will hold a set of
Secrets. The name must begin with `gke-onprem-secrets-`.
Example:

```yaml
secretGroups:
- namespace: "gke-onprem-secrets-bob"
  secrets:
    ...
- namespace: "gke-onprem-secrets-alice"
  secrets:
    ...
```

### `secretGroups[i].secrets.vCenter`

The username and password of a vCenter account.

Example:

```yaml
secretGroups:
- namespace: "gke-onprem-secrets-bob"
  secrets:
    vCenter:
      username: "vc-bob"
      password: "U$icUKEW#INE"
```

### `secretGroups[i].secrets.f5BigIP`

The username and password of an F5 BIG-IP account.

Example:

```yaml
secretGroups:
- namespace: "gke-onprem-secrets-bob"
  secrets:
    f5BigIP:
      username: "f5-bob"
      password: "exvQVx^@L%F1"
```

### `secretGroups[i].secrets.componentAccessServiceAccount.serviceAccountKeyPath`

The path of a JSON key file for a
[component access service account](/anthos/clusters/docs/on-prem/1.15/how-to/service-accounts#component_access_service_account).

Example:

```yaml
secretGroups:
- namespace: "gke-onprem-secrets-bob"
  secrets:
    componentAccessServiceAccount:
      serviceAccountKeyPath: "my-folder/component-access-key.json"
```

### `secretGroups[i].secrets.registerServiceAccount.serviceAccountKeyPath`

The path of a JSON key file for a
[connect-register service account](/anthos/clusters/docs/on-prem/1.15/how-to/service-accounts#connect_register_service_account).

Example:

```yaml
secretGroups:
- namespace: "gke-onprem-secrets-bob"
  secrets:
    registerServiceAccount:
      serviceAccountKeyPath: "my-folder/connect-register-key.json"
```

### `secretGroups[i].secrets.stackdriverServiceAccount.serviceAccountKeyPath`

The path of a JSON key file for a
[logging-monitoring service account](/anthos/clusters/docs/on-prem/1.15/how-to/service-accounts#logging_monitoring_service_account).

Example:

```yaml
secretGroups:
- namespace: "gke-onprem-secrets-bob"
  secrets:
    stackdriverServiceAccount:
      serviceAccountKeyPath: "my-folder/log-mon-key.json"
```

### `secretGroups[i].secrets.cloudAuditLoggingServiceAccount.serviceAccountKeyPath`

The path of a JSON key file for an
[audit logging service account](/anthos/clusters/docs/on-prem/1.15/how-to/service-accounts#audit_logging_service_account).

Example:

```yaml
secretGroups:
- namespace: "gke-onprem-secrets-bob"
  secrets:
    cloudAuditLoggingServiceAccount:
      serviceAccountKeyPath: "my-folder/audit-log-key.json"
```

### `secretGroups[i].secrets.usageMeteringServiceAccount.serviceAccountKeyPath`

The path of a JSON key file for a
[usage metering service account](/anthos/clusters/docs/on-prem/1.15/how-to/service-accounts#usage_metering_service_account).

Example:

```yaml
secretGroups:
- namespace: "gke-onprem-secrets-bob"
  secrets:
    usageMeteringServiceAccount:
      serviceAccountKeyPath: "my-folder/usage-metering-key.json"
```

### `secretGroups[i].secrets.privateRegistry`

The username and password of the private registry, if you use a private
registry.

Example:

```yaml
secretGroups:
- namespace: "gke-onprem-secrets-bob"
  secrets:
    privateRegistry:
      username: "registry-user-bob"
      password: "f[vuV3^@L*4g"
```

Last updated 2025-09-04 UTC.