kubernetes-hands-on/10-secrets/README.md

# Secrets

Objects of type `Secret` are intended to hold sensitive information, such as passwords, OAuth tokens, and ssh keys. Putting this information in a secret is safer and more flexible than putting it verbatim in a pod definition or in a docker image.

```yml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4= # admin
  password: cGFzc3dvcmQ= # password
```

* `data`: is a list of key/values. The values must be in base64.

You can apply the file:

```sh
$ kubectl apply -f 10-secrets/01-secrets.yml
secret "mysecret" created
```

You can reference a secret from a pod, either per env variable or mounting a volume containing a secret.

## Reference the secret by mounting it as a volume

Here we mount the secret `mysecret` to the path `/etc/foo` inside the pod:

```yml
apiVersion: v1
kind: Pod
metadata:
  name: redis-with-volume-secrets
spec:
  containers:
  - name: redis
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
```

You can look up the secrets in the pod by connecting to the pod:

```sh
$ kubectl exec -ti redis-with-volume-secrets /bin/bash
root@redis-with-volume-secrets:/data# cd /etc/foo/
root@redis-with-volume-secrets:/etc/foo# ls
password  username
```

## Reference the secret by using environment variables

Here we bind the value `username` from the secret `mysecret` to the env variable `SECRET_USERNAME`,
`password` from the secret `mysecret` to the env variable `SECRET_PASSWORD`:

```yml
apiVersion: v1
kind: Pod
metadata:
  name: redis-with-env-secrets
spec:
  containers:
  - name: redis
    image: redis
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password
```

You can look up the secrets in the pod by connecting to the pod:

```sh
$ kubectl exec -ti redis-with-env-secrets /bin/bash
root@redis-with-env-secrets:/data# echo $SECRET_USERNAME
admin
root@redis-with-env-secrets:/data# echo $SECRET_PASSWORD
1f2d1e2e67df
```

Careful, if you change a secret after starting the pods, it won't update the pods. So you need to restart them.

## Clean up

```sh
kubectl delete service,deployment,pod,secrets --all
```

## Links

* https://kubernetes.io/docs/concepts/configuration/secret/
feat: add section on secrets 2019-05-09 19:41:07 +06:00			`# Secrets`

			Objects of type `Secret` are intended to hold sensitive information, such as passwords, OAuth tokens, and ssh keys. Putting this information in a secret is safer and more flexible than putting it verbatim in a pod definition or in a docker image.

			```yml
			`apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: mysecret`
			`type: Opaque`
			`data:`
			`username: YWRtaW4= # admin`
			`password: cGFzc3dvcmQ= # password`
			```

			* `data`: is a list of key/values. The values must be in base64.

			`You can apply the file:`

fix: use sh in md (#28) 2019-05-21 15:10:59 +06:00			```sh
chore: reorder the sections 2019-05-09 19:53:01 +06:00			`$ kubectl apply -f 10-secrets/01-secrets.yml`
feat: add section on secrets 2019-05-09 19:41:07 +06:00			`secret "mysecret" created`
			```

			`You can reference a secret from a pod, either per env variable or mounting a volume containing a secret.`

Add how to look up the secrets in both cases (#41) * Add how to look up the secrets in both cases * Update README.md * lint 2019-05-23 14:46:29 +06:00			`## Reference the secret by mounting it as a volume`

feat: add section on secrets 2019-05-09 19:41:07 +06:00			Here we mount the secret `mysecret` to the path `/etc/foo` inside the pod:

fix: use yml in markdown (#27) 2019-05-21 15:09:13 +06:00			```yml
feat: add section on secrets 2019-05-09 19:41:07 +06:00			`apiVersion: v1`
			`kind: Pod`
			`metadata:`
			`name: redis-with-volume-secrets`
			`spec:`
			`containers:`
			`- name: redis`
			`image: redis`
			`volumeMounts:`
			`- name: foo`
			`mountPath: "/etc/foo"`
			`readOnly: true`
			`volumes:`
			`- name: foo`
			`secret:`
			`secretName: mysecret`
			```

Add how to look up the secrets in both cases (#41) * Add how to look up the secrets in both cases * Update README.md * lint 2019-05-23 14:46:29 +06:00			`You can look up the secrets in the pod by connecting to the pod:`

			```sh
			`$ kubectl exec -ti redis-with-volume-secrets /bin/bash`
			`root@redis-with-volume-secrets:/data# cd /etc/foo/`
			`root@redis-with-volume-secrets:/etc/foo# ls`
			`password username`
			```

Various fixes (#57) * fix: fix internal service filename in 08-service section * fix: typo * fix: fix markdownlint in CI * fix: typo * fix: typo * fix: `environment variables`, not `environmental` * fix: typo & missing punctuation * fix: `much` not `many` * fix: `lets` not `let's` * fix: typo * fix: typo * fix: phrasing * fix: typo * fix: typo * fix: mysql operator manifest api version got this error while trying to run it as is: error: unable to recognize "20-operators/01-mysql-operator.yml": no matches for kind "Deployment" in version "apps/v1beta1" * fix: spelling 2020-01-29 21:41:07 +06:00			`## Reference the secret by using environment variables`
Add how to look up the secrets in both cases (#41) * Add how to look up the secrets in both cases * Update README.md * lint 2019-05-23 14:46:29 +06:00
feat: add section on secrets 2019-05-09 19:41:07 +06:00			Here we bind the value `username` from the secret `mysecret` to the env variable `SECRET_USERNAME`,
			`password` from the secret `mysecret` to the env variable `SECRET_PASSWORD`:

fix: use yml in markdown (#27) 2019-05-21 15:09:13 +06:00			```yml
feat: add section on secrets 2019-05-09 19:41:07 +06:00			`apiVersion: v1`
			`kind: Pod`
			`metadata:`
			`name: redis-with-env-secrets`
			`spec:`
			`containers:`
			`- name: redis`
			`image: redis`
			`env:`
			`- name: SECRET_USERNAME`
			`valueFrom:`
			`secretKeyRef:`
			`name: mysecret`
			`key: username`
			`- name: SECRET_PASSWORD`
			`valueFrom:`
			`secretKeyRef:`
			`name: mysecret`
			`key: password`
			```

Add how to look up the secrets in both cases (#41) * Add how to look up the secrets in both cases * Update README.md * lint 2019-05-23 14:46:29 +06:00			`You can look up the secrets in the pod by connecting to the pod:`

			```sh
			`$ kubectl exec -ti redis-with-env-secrets /bin/bash`
			`root@redis-with-env-secrets:/data# echo $SECRET_USERNAME`
			`admin`
			`root@redis-with-env-secrets:/data# echo $SECRET_PASSWORD`
			`1f2d1e2e67df`
			```

feat: add section on secrets 2019-05-09 19:41:07 +06:00			`Careful, if you change a secret after starting the pods, it won't update the pods. So you need to restart them.`
fix(secrets): add cleanup (#16) 2019-05-14 19:36:19 +06:00
			`## Clean up`

fix: use sh in md (#28) 2019-05-21 15:10:59 +06:00			```sh
fix(secrets): add cleanup (#16) 2019-05-14 19:36:19 +06:00			`kubectl delete service,deployment,pod,secrets --all`
			```
feat: add some links for further readings 2019-05-14 19:47:24 +06:00
			`## Links`

			`* https://kubernetes.io/docs/concepts/configuration/secret/`