feat: add section on secrets

11-secrets/01-secrets.yml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mysecret
+type: Opaque
+data:
+  username: YWRtaW4=
+  password: MWYyZDFlMmU2N2Rm

11-secrets/README.md

@@ -0,0 +1,73 @@
+# Secrets
+
+Objects of type `Secret` are intended to hold sensitive information, such as passwords, OAuth tokens, and ssh keys. Putting this information in a secret is safer and more flexible than putting it verbatim in a pod definition or in a docker image.
+
+```yml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mysecret
+type: Opaque
+data:
+  username: YWRtaW4= # admin
+  password: cGFzc3dvcmQ= # password
+```
+
+* `data`: is a list of key/values. The values must be in base64.
+
+You can apply the file:
+
+```bash
+$ kubectl apply -f 11-secrets/01-secrets.
+secret "mysecret" created
+```
+
+You can reference a secret from a pod, either per env variable or mounting a volume containing a secret.
+
+Here we mount the secret `mysecret` to the path `/etc/foo` inside the pod:
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: redis-with-volume-secrets
+spec:
+  containers:
+  - name: redis
+    image: redis
+    volumeMounts:
+    - name: foo
+      mountPath: "/etc/foo"
+      readOnly: true
+  volumes:
+  - name: foo
+    secret:
+      secretName: mysecret
+```
+
+Here we bind the value `username` from the secret `mysecret` to the env variable `SECRET_USERNAME`,
+`password` from the secret `mysecret` to the env variable `SECRET_PASSWORD`:
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: redis-with-env-secrets
+spec:
+  containers:
+  - name: redis
+    image: redis
+    env:
+      - name: SECRET_USERNAME
+        valueFrom:
+          secretKeyRef:
+            name: mysecret
+            key: username
+      - name: SECRET_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: mysecret
+            key: password
+```
+
+Careful, if you change a secret after starting the pods, it won't update the pods. So you need to restart them.