Title: Secrets Management — UCS Tools Documentation URL Source: https://docs.nvidia.com/ucf/2.10.0/text/UCS_secrets.html Published Time: Thu, 30 Oct 2025 07:23:04 GMT Markdown Content: Secrets Management[#](https://docs.nvidia.com/ucf/2.10.0/text/UCS_secrets.html#secrets-management "Link to this heading") ------------------------------------------------------------------------------------------------------------------------- UCS implements secrets using files. Microservices read secrets from files. They do not need to know how the files were created or mounted in the container. This creates a layer of abstraction. The dependency on any particular type of secrets management can be removed from the microservice. UCS Applications integrate the secrets management system. They correctly mount the secret as a file at the location expected by the microservices. Specifying secret requirements in Microservice[#](https://docs.nvidia.com/ucf/2.10.0/text/UCS_secrets.html#specifying-secret-requirements-in-microservice "Link to this heading") --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- You can describe secret requirements for the microservice under the `secrets` field of the microservice builder input `manifest.yaml` file as specified at - [Secrets](https://docs.nvidia.com/ucf/2.10.0/text/UCS_MsBuilder_Input.html#ucf-msb-input-manifest-secrets). The secrets get mounted at `/` as specified in the manifest. Any applications running inside the microservice that need the secret must read it from this path. You can use placeholder `$secrets..path` in place of the mount path in `manifest.yaml` or the files inside `configs` directory. All instances of the placeholders get replaced by the actual mount path `/` during the microservice helm chart build. Viewing secrets requirements of a microservice[#](https://docs.nvidia.com/ucf/2.10.0/text/UCS_secrets.html#viewing-secrets-requirements-of-a-microservice "Link to this heading") --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Using CLI Tools[#](https://docs.nvidia.com/ucf/2.10.0/text/UCS_secrets.html#using-cli-tools "Link to this heading") You can view the secrets requirement of any microservice using either of the CLI Tools - [UCS Microservice Builder CLI](https://docs.nvidia.com/ucf/2.10.0/text/tools_reference/UCS_Tools_Reference_MsBuilder.html#ucf-ms-builder-cli) or [UCS Application Builder CLI](https://docs.nvidia.com/ucf/2.10.0/text/tools_reference/UCS_Tools_Reference_AppBuilder.html#ucf-app-builder-cli) using the `service info` command. For example: $ ucf_ms_builder_cli service info -n ucf.svc.myservice ... secrets: - name: some-secret-name description: Description for the secret mandatory: true mountPath: /secrets fileName: someSecretFileName ... This microservice expects a secret `some-secret-name` to be mounted at `/secrets/someSecretFileName`. ### Using UCS Studio[#](https://docs.nvidia.com/ucf/2.10.0/text/UCS_secrets.html#using-ucs-studio "Link to this heading") You can view secrets requirements of a microservice in the UCS Studio by creating a new graph, adding the required microservice in the graph canvas, selecting it by clicking on it and then going through the **Secrets** section in the **Property** window on the right. ![Image 1: UCS Studio - Viewing Secrets Requirements](https://docs.nvidia.com/ucf/2.10.0/_images/ucf_studio_secrets.jpg) Fulfill the secrets in an UCS Application[#](https://docs.nvidia.com/ucf/2.10.0/text/UCS_secrets.html#fulfill-the-secrets-in-an-ucs-application "Link to this heading") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Using UCS Studio[#](https://docs.nvidia.com/ucf/2.10.0/text/UCS_secrets.html#id1 "Link to this heading") First open the Graph Configuration by right-clicking on the graph window to open the context menu and selecting **Configurator**. > ![Image 2: UCS Studio - Open Graph Configurator](https://docs.nvidia.com/ucf/2.10.0/_images/ucf_refapps_open_configuration.png) Next select the **Secrets** window, click on **Add** to add a new secret. Enter details as required including the source of the secret **Kubernetes Secret**, **Vault**, **Secrets Store CSI Driver**, **Certificate** and source specific details: > ![Image 3: UCS Studio - Add Secret](https://docs.nvidia.com/ucf/2.10.0/_images/ucf_refapps_add_secret.png) Now select a microservice on the canvas, this will show the **Secrets** section in the **Property** window on the right. For each secret requirement, select a secret to set for it from the dropdown. > ![Image 4: UCS Studio - Set Secret](https://docs.nvidia.com/ucf/2.10.0/_images/ucf_refapps_set_secret.png) ### Using Textual Representation and CLI Tools[#](https://docs.nvidia.com/ucf/2.10.0/text/UCS_secrets.html#using-textual-representation-and-cli-tools "Link to this heading") You must specify all mandatory secrets for each microservice. Secrets that need to be used in an application (and thus set on a microservice) must be added to `secrets` section of the application along with the source details for the secrets. UCS Tools support Kubernetes `Secret`, `Vault`, `Certificate` or the `Secrets Store CSI Driver` as the source of the secret. You must specify the secrets in the UCS application YAML as follows: secrets: : : : : Based on the source of the secret, you must specify additional details. You can set these secrets on microservices that need them under the `secrets` field of the `components` in the application graph file. The format is: components: - name: type: secrets: : : - name: type: secrets: : Supported Secret Management Types[#](https://docs.nvidia.com/ucf/2.10.0/text/UCS_secrets.html#supported-secret-management-types "Link to this heading") ------------------------------------------------------------------------------------------------------------------------------------------------------- UCS Tools support Kubernetes `Secret`, `Vault`, `Certificate` or the `Secrets Store CSI Driver` as the source of the secret. ### Using Kubernetes `Secret`[#](https://docs.nvidia.com/ucf/2.10.0/text/UCS_secrets.html#using-kubernetes-secret "Link to this heading") You can add a Kubernetes `Secret` to the application using the following format: secrets: : k8sSecret: secretName: key: An example application graph file using Kubernetes `Secret` as source of the secret: specVersion: 2.5.0 version: 0.0.1 name: myservice-test ... dependencies: - ucf.svc.myservice:0.0.1 components: - name: myservice type: ucf.svc.myservice parameters: timeToSleep: 1200000 secrets: some-secret-name: db-username ... connections: ... secrets: db-username: k8sSecret: secretName: db-creds-k8s-secret key: username You can achieve the same in **UCS Studio** by selecting `K8S Secret` from **Type** drop down and setting valid values for **Secret Name** and **Key**. ![Image 5: UCS Studio - Secrets - Kubernetes Secret](https://docs.nvidia.com/ucf/2.10.0/_images/ucf_studio_app_secret_k8s.png) For Kubernetes `Secret` as the source of secret, the application deployer must ensure a Kubernetes secret with name `` containing key `` has already been deployed. For example, in this case you can do it using: $ kubectl create secret generic db-creds-k8s-secret --from-literal=username=admin When building the application, [UCS Application Builder CLI](https://docs.nvidia.com/ucf/2.10.0/text/tools_reference/UCS_Tools_Reference_AppBuilder.html#ucf-app-builder-cli) tools add the appropriate parameters to mount the key `username` of secret `db-creds-k8s-secret` at the expected location of `/secrets/someSecretFileName` in the microservice container. ### Using `Vault` secrets[#](https://docs.nvidia.com/ucf/2.10.0/text/UCS_secrets.html#using-vault-secrets "Link to this heading") [UCS Application Builder CLI](https://docs.nvidia.com/ucf/2.10.0/text/tools_reference/UCS_Tools_Reference_AppBuilder.html#ucf-app-builder-cli) tool supports integration with **Hashicorp Vault** for secrets management. The application developer must know how to manage Vault server, add secrets to it and use the `JWT` method of authenticating the Kubernetes cluster with vault. For documentation on **Vault** refer to - [https://developer.hashicorp.com/vault](https://developer.hashicorp.com/vault). For `Vault` as the source of secret, you must add `vaultAgent` parameter to the application which specifies connection and authentication details for the Vault server. The specification for the vaultAgent is: vaultAgent: auth: path: "" type: "jwt" jwt: audience: "" role: "" role: "" namespace: "" service: "" You can add a `Vault` based secret to the application using the following format: secrets: : vaultAgent: path: "" template: # Following type is used for KV secrets engine of Vault type: kv key: "" : vaultAgent: path: "" template: # Following type is used for X.509 PKI certificate engine of Vault type: pki/certificate # OR "pki/private_key" OR "pki/issuing_ca" # common_name: # Common name to use when requesting certificate from Vault ttl: # TTL for the certificates e.g. 720h : vaultAgent: path: "" # Following can be used for custom templates using the Consul template language. template: | {{- with secret "" }} {{- .Data.data.username }}:{{ .Data.data.password }} {{- end }} An example of using this is: specVersion: 2.5.0 version: 0.0.1 name: myservice-test ... dependencies: - ucf.svc.myservice:0.0.1 components: - name: myservice type: ucf.svc.myservice parameters: timeToSleep: 1200000 secrets: some-secret-name: db-username ... connections: ... vaultAgent: auth: path: auth/jwt/my-cluster type: "jwt" jwt: audience: custom-audience role: my-auth-role role: my-auth-role namespace: my-namespace service: https://vault.example.com secrets: db-username: vaultAgent: path: my-app-kv/db-creds template: type: kv key: username You can also achieve this in **UCS Studio** by first filling in the **Vault Agent** section in the **Graph Configurator**. ![Image 6: UCS Studio - Secrets - Vault Agent](https://docs.nvidia.com/ucf/2.10.0/_images/ucf_studio_app_secret_vault_config.png) And then selecting `Vault` from **Type** drop down for the secret and setting valid **Path** of the secret in the Vault Server. Based on the type of the secret, select `kv` / `pki/certificate` / `pki/private_key` / `pki/issuing_ca` from the **template type** dropdown and specify additional information like **key**, **common_name**, **ttl**. To specify the raw template string for rendering the template, select `string` from the **template type** dropdown. ![Image 7: UCS Studio - Secrets - Vault Agent](https://docs.nvidia.com/ucf/2.10.0/_images/ucf_studio_app_secret_vault.png) In this example, the application developer is responsible for ensuring that: * Vault Server is hosted at `https://vault.example.com` * Namespace `my-namespace` of the Vault Server is being used * **JWT** authentication method of vault is enabled at path `auth/jwt/my-cluster` * `bound_audience` when configuring the authentication method is set to `custom-audience` * The authentication method has been configured with a `bound_subject` that allows `some-service-account` access * The authentication method has been configured with a `my-auth-role` authentication role * A KV2 secrets engine has been created and configured at `my-app-kv` * A KV2 secret has been created at mount path `my-app-kv/db-creds` * The KV2 secret contains a key `username` * A policy has configured that allows `my-auth-role` role access to `my-app-kv/db-creds` * **Vault Agent Injector Service** is already running on the cluster When building the application, [UCS Application Builder CLI](https://docs.nvidia.com/ucf/2.10.0/text/tools_reference/UCS_Tools_Reference_AppBuilder.html#ucf-app-builder-cli) tools add the appropriate parameters to mount value for the key `username` of secret at path `my-app-kv/db-creds` in Vault server at the expected location of `/secrets/someSecretFileName` in the microservice container. ### Using `Secrets Store CSI Driver`[#](https://docs.nvidia.com/ucf/2.10.0/text/UCS_secrets.html#using-secrets-store-csi-driver "Link to this heading") [UCS Application Builder CLI](https://docs.nvidia.com/ucf/2.10.0/text/tools_reference/UCS_Tools_Reference_AppBuilder.html#ucf-app-builder-cli) tool supports integration with **Secrets Store CSI Driver** for secrets management. The application developer must know how to install the **Secrets Store CSI Driver** and the `SecretProviderClass` that mentions the objects to be used as secrets. For documentation refer to - [https://secrets-store-csi-driver.sigs.k8s.io/getting-started/getting-started.html](https://secrets-store-csi-driver.sigs.k8s.io/getting-started/getting-started.html). You can add a **Secrets Store CSI Driver** based `Secret` to the application using the following format: secrets: : secretsStoreCsi: providerClassName: objectName: An example application graph file using **Secrets Store CSI Driver** as source of the secret: specVersion: 2.5.0 version: 0.0.1 name: myservice-test ... dependencies: - ucf.svc.myservice:0.0.1 components: - name: myservice type: ucf.svc.myservice parameters: timeToSleep: 1200000 secrets: some-secret-name: db-username ... connections: ... secrets: db-username: secretsStoreCsi: providerClassName: azure-secrets-sync objectName: db-username You can achieve the same in **UCS Studio** by selecting `Secrets Store CSI` from **Type** drop down and setting valid values for **Secret Provider Class Name** and **Object Name**. ![Image 8: UCS Studio - Secrets - Secrets Store CSI Driver](https://docs.nvidia.com/ucf/2.10.0/_images/ucf_studio_app_secret_csi.png) For a **Secrets Store CSI Driver** based `Secret` as the source of secret, the application deployer must ensure a `SecretProviderClass` resource with name `` containing object with name `` has already been deployed. When building the application, [UCS Application Builder CLI](https://docs.nvidia.com/ucf/2.10.0/text/tools_reference/UCS_Tools_Reference_AppBuilder.html#ucf-app-builder-cli) tools add the appropriate parameters to mount the object named `db-username` of in `SecretProviderClass` resource named `azure-secrets-sync` at the expected location of `/secrets/someSecretFileName` in the microservice container. ### Using **cert-manager**`Certificate`[#](https://docs.nvidia.com/ucf/2.10.0/text/UCS_secrets.html#using-cert-manager-certificate "Link to this heading") [UCS Application Builder CLI](https://docs.nvidia.com/ucf/2.10.0/text/tools_reference/UCS_Tools_Reference_AppBuilder.html#ucf-app-builder-cli) tool supports integration with **cert-manager** for certificate management. The application developer must know how to install the **cert-manager** and the `Certificate` and `Issuer/ClusterIssuer` custom resources that are used to provision certificates and create the corresponding Kubernetes Secret. For documentation, refer to - [https://cert-manager.io/docs/](https://cert-manager.io/docs/) For **cert-manager**`Certificate` as the source of secret, you must add `certificates` parameter to the application which specifies certificates that will be required by the application and some additional details. The specification for the certificates is: certificates: : file: addToHelmChart: : file: addToHelmChart: The certificates file path may be absolute or relative to the application YAML file. The file must contain the **cert-manager**`Certificate/Issuer/ClusterIssuer` custom resources. An example of this this file is: --- apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: self-signed-issuer spec: selfSigned: {} --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: self-signed-certificate spec: dnsNames: - cluster.local - test.cluster.local secretName: selfsigned-cert-tls issuerRef: name: self-signed-issuer You can add a **Certificate** based `Secret` to the application using the following format: secrets: : certificate: certName: type: # Whether to mount the certificate file or the private key file or the issuing CA file : certificate: # Use this if you do not wish to provide a certificates file and # instead provide the secret name that will contain the certificate files isExternal: true secretName: type: An example application graph file using **cert-manager**`Certificate` as source of the secret: specVersion: 2.5.0 version: 0.0.1 name: myservice-test ... dependencies: - ucf.svc.myservice:0.0.1 components: - name: myservice type: ucf.svc.myservice parameters: timeToSleep: 1200000 secrets: tls-cert: app-tls-cert tls-key: app-tls-key tls-ca: app-tls-ca ... connections: ... certificates: devCerts: file: certificates.yaml addToHelmChart: true secrets: app-tls-cert: certificate: certName: self-signed-certificate type: certificate app-tls-key: certificate: certName: self-signed-certificate type: privateKey app-tls-ca: certificate: certName: self-signed-certificate type: issuingCA You can achieve the same in **UCS Studio** by loading a file containing the `Certificate` resources from the **Certificates Files** tab. ![Image 9: UCS Studio - Secrets - Certificates Files](https://docs.nvidia.com/ucf/2.10.0/_images/ucf_studio_app_secret_cert_file.png) And then selecting `Certificate` from **Type** drop down and selecting an applicable **Certificate Name** and the file to mount `Certificate`, `Private Key` or the `Issuing CA`. If using an externally created `Certificate` resource, select **Is External** and then input the **Secret Name** for the secret resource created for the Certificate. ![Image 10: UCS Studio - Secrets - Certificates](https://docs.nvidia.com/ucf/2.10.0/_images/ucf_studio_app_secret_cert.png) For a **Certificate** based `Secret` as the source of secret, the application deployer must: * Ensure a `Certificate` resource with name `` is provided to the application via the `certificates` field. * If `addToHelmChart` is `false`, you must deploy the `Certificate` resource manually. * Alternatively, if using `secretName` with `isExternal`, the `Certificate` resource with secretName set to `` is already deployed When building the application, [UCS Application Builder CLI](https://docs.nvidia.com/ucf/2.10.0/text/tools_reference/UCS_Tools_Reference_AppBuilder.html#ucf-app-builder-cli) tools add the appropriate parameters to mount the TLS certificate/private key/issuing CA for Certificate resource named `self-signed-certificate` at the expected locations in the microservice container. Application Information - Secrets[#](https://docs.nvidia.com/ucf/2.10.0/text/UCS_secrets.html#application-information-secrets "Link to this heading") ----------------------------------------------------------------------------------------------------------------------------------------------------- Building an application generates an application information file in the output directory. This file contains list of secrets added in the application and their details. For more information refer to [Application Info](https://docs.nvidia.com/ucf/2.10.0/text/UCS_AppDevelopment.html#app-info). Links/Buttons: - [#](https://docs.nvidia.com/ucf/2.10.0/text/UCS_secrets.html#application-information-secrets) - [Secrets](https://docs.nvidia.com/ucf/2.10.0/text/UCS_MsBuilder_Input.html#ucf-msb-input-manifest-secrets) - [UCS Microservice Builder CLI](https://docs.nvidia.com/ucf/2.10.0/text/tools_reference/UCS_Tools_Reference_MsBuilder.html#ucf-ms-builder-cli) - [UCS Application Builder CLI](https://docs.nvidia.com/ucf/2.10.0/text/tools_reference/UCS_Tools_Reference_AppBuilder.html#ucf-app-builder-cli) - [https://developer.hashicorp.com/vault](https://developer.hashicorp.com/vault) - [https://secrets-store-csi-driver.sigs.k8s.io/getting-started/getting-started.html](https://secrets-store-csi-driver.sigs.k8s.io/getting-started/getting-started.html) - [https://cert-manager.io/docs/](https://cert-manager.io/docs/) - [Application Info](https://docs.nvidia.com/ucf/2.10.0/text/UCS_AppDevelopment.html#app-info)