Secrets in MeshAgent Services

MeshAgent services can leverage two types of secrets to manage sensitive configuration and access credentials securely:
  1. Secret Keys
  2. Image Pull Secrets
Both are defined at the service level and kept isolated within each service’s runtime container.

1. Secret Keys

What They Are

A Secret Key is a named collection of key/value pairs. Each key in the collection becomes an environment variable inside the service container, making it easy to inject API tokens, database URIs, or other sensitive values into your code.

How They Work

  • When you attach a Secret Key to a service, MeshAgent mounts each entry as an environment variable.
  • Your service code can read these variables at startup (e.g. process.env.MY_API_TOKEN).
  • Individual secrets are never exposed outside the container, and each service only sees its own assigned keys.

Configuration (MeshAgent Studio)

  1. Define a Secret Key
    • Navigate to the Secrets section of MeshAgent Studio.
    • Create a new secret key collection, giving it a descriptive name (e.g. weather-api-credentials).
    • Add entries (e.g. API_KEY, API_SECRET) with their corresponding values.
  2. Attach to a Service
    • In the Services tab, select your target service.
    • Under Environment & Secrets, choose the secret key collection to bind.
    • Save; on the next session launch, the values will be available as environment variables.

2. Image Pull Secrets

What They Are

An Image Pull Secret stores credentials required to authenticate against a private container registry (e.g. Docker Hub private repos, Azure Container Registry, AWS ECR).

How They Work

  • MeshAgent uses the pull secret when fetching your service’s container image.
  • Credentials are never exposed inside the running container; they’re only used by the orchestration layer.

Configuration (MeshAgent Studio)

  1. Create an Image Pull Secret
    • Go to the Secrets section and select Image Pull Secrets.
    • Enter registry URL, username, and password (or token).
    • Name the pull secret (e.g. acme-priv-registry).
  2. Attach to a Service
    • In the Services tab, edit the service that uses a private image.
    • Under Image, specify your private image reference.
    • Under Image Pull Secret, select the secret you created.
    • Save; MeshAgent will authenticate using these credentials whenever it starts the service.
By defining Secret Keys and Image Pull Secrets in MeshAgent, you can keep sensitive data secure, scoped, and easily managed—ensuring your service containers have just the right credentials they need to run.