Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.xloud.tech/llms.txt

Use this file to discover all available pages before exploring further.

Overview

Containers group related secrets into a named bundle. The most common use case is bundling a TLS certificate with its private key for use with the Load Balancer service. Containers reference secrets by UUID — they do not copy secret payloads. Like secrets, containers are project-scoped — they are visible only to users within the project that created them unless shared via ACL.
Prerequisites
  • An active Xloud account with appropriate permissions
  • Access to the Xloud Dashboard or CLI configured with credentials
  • API credentials sourced (source openrc.sh)
Project Scope — Containers belong to the project that created them. The Load Balancer service accesses containers through the project’s service credentials. If you create a container in Project A and configure a listener in Project B, the listener cannot access the container unless an ACL is set.

Container Types

Container TypeContentsPrimary Use Case
certificateCertificate + private key + intermediates + passphraseTLS termination for Load Balancer HTTPS listeners
rsaPublic key + private key + passphraseRSA key pair management
genericAny combination of secretsAPI credential bundles, configuration groups

Create a Certificate Container

The Dashboard provides a dedicated Create Certificate workflow that creates both the secrets and the container in a single step. This is the recommended approach for TLS certificate management.
1

Navigate to Certificate Manager

Navigate to Network > Certificates in the sidebar.Click Create Certificate in the upper-right corner.
2

Enter the certificate name

Enter a Certificate Name for the container. This name identifies the certificate bundle in the Load Balancer listener configuration.
The name must contain only letters, numbers, and hyphens. Special characters and spaces are not permitted.
3

Select the certificate type

Choose the Certificate Type:
TypeDescriptionRequired Fields
ServerA server certificate with its private key for TLS terminationCertificate Content, Private Key
CAA Certificate Authority certificate for client certificate validationCertificate Content only
Use Server for HTTPS listener termination — this is the most common use case. Use CA when you need to validate client certificates in mutual TLS (mTLS) configurations.
4

Provide the certificate content

Paste the certificate content into the Certificate Content text area, or click the upload button to load it from a .crt or .pem file.The certificate must be in PEM format:
Expected format
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhki...
-----END CERTIFICATE-----
The form validates that the content starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. Certificates in other formats (DER, PKCS#7) must be converted to PEM first.
5

Provide the private key (Server type only)

For Server type certificates, paste the private key into the Private Key text area, or upload a .key or .pem file.The key must be in PEM format:
Expected format
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA2a2rwplBQLYV0...
-----END RSA PRIVATE KEY-----
This field is hidden for CA type certificates. The private key must be in RSA format — ECDSA and Ed25519 keys must be converted first.
6

Add domain names (optional, Server type only)

For SNI (Server Name Indication) certificates, enter the Domain Name(s) that this certificate covers.
RuleLimit
Multiple domainsSeparated by commas
Maximum domains30 per certificate
Single domain length100 characters max
Total length1024 characters max
Valid charactersLetters, numbers, hyphens, dots
Domain names are used for SNI-based certificate selection in the Load Balancer. If your listener serves multiple domains, specify all of them here so the correct certificate is presented for each domain.
7

Set an expiration date (optional)

Use the Expires At date picker to set an optional expiration date. Only future dates are selectable.
This is the container-level expiration, independent of the certificate’s own validity period. Set it to match your certificate’s actual expiry date for consistency.
8

Create the certificate

Click Confirm to create the certificate container. The system stores the certificate and private key as separate secrets and bundles them into a container automatically.
The certificate container appears in the Certificates list and is ready to reference in Load Balancer HTTPS listener configuration.

View Container Details

1

Navigate to containers

Go to Project > Key Manager > Containers. The list shows all containers in your current project.
ColumnDescription
NameContainer identifier (clickable to view details)
TypeContainer type: certificate, rsa, or generic
StatusActive or Error
SecretsNumber of secret references in the container
CreatedCreation timestamp
2

View detail page

Click a container name to view its detail page. The detail page shows:
FieldDescription
TypeContainer type
StatusCurrent status
Secret ReferencesList of name and secret reference pairs
CreatedCreation timestamp
UpdatedLast modification timestamp

Delete a Container

1

Select containers to delete

Navigate to Project > Key Manager > Containers. Select one or more containers using the checkboxes, then click Delete in the batch actions bar.Alternatively, click the More menu on a single container row and select Delete Container.
2

Confirm deletion

Confirm the deletion in the dialog.
Deleting a container through the Dashboard also deletes all associated secrets within it. Verify that no services reference these secrets before proceeding.

Project Scope and Access

Containers follow the same project-scoping rules as secrets:
BehaviorDescription
OwnershipContainers belong to the project that created them
VisibilityOnly visible to users within the same project
Service accessThe Load Balancer accesses containers through the project’s service credentials
Cross-project sharingRequires an ACL on the container
Contained secretsSecrets within the container must also be accessible to the consuming service
When sharing a container via ACL, you must also set ACLs on each secret referenced by the container. Granting access to the container alone does not grant access to the secret payloads within it.

Next Steps

Certificates

Manage the full certificate lifecycle from storage to renewal

Access Control (ACL)

Share containers and secrets across projects

Store Secrets

Create individual secrets to populate containers

Load Balancer

Use certificate containers for HTTPS listener configuration