mirrors
/
kubernetes-hands-on
mirror of https://github.com/algolia/kubernetes-hands-on.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
sarah/refresh
feat/adjust-pdb
feat/adjust-ingress-resource
chore/update-ci-images
master
fix/kind-apiVersion
test-ci
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
kubernetes-hands-on/10-secrets
History
Xavier Grand 17f20eeabe
Fix kubectl exec (#61) 
Error:
```
$> kubectl exec -ti redis-with-volume-secrets /bin/bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
error: unable to upgrade connection: container not found ("redis")
```
 		4 years ago
..
01-secrets.yml chore: lint yaml (#19) 5 years ago
README.md Fix kubectl exec (#61) 4 years ago

README.md

Secrets

Objects of type Secret are intended to hold sensitive information, such as passwords, OAuth tokens, and ssh keys. Putting this information in a secret is safer and more flexible than putting it verbatim in a pod definition or in a docker image.

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4= # admin
  password: cGFzc3dvcmQ= # password
  • data: is a list of key/values. The values must be in base64.

You can apply the file:

$ kubectl apply -f 10-secrets/01-secrets.yml
secret "mysecret" created

You can reference a secret from a pod, either per env variable or mounting a volume containing a secret.

Reference the secret by mounting it as a volume

Here we mount the secret mysecret to the path /etc/foo inside the pod:

apiVersion: v1
kind: Pod
metadata:
  name: redis-with-volume-secrets
spec:
  containers:
  - name: redis
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret

You can look up the secrets in the pod by connecting to the pod:

$ kubectl exec -ti redis-with-volume-secrets -- /bin/bash
root@redis-with-volume-secrets:/data# cd /etc/foo/
root@redis-with-volume-secrets:/etc/foo# ls
password  username

Reference the secret by using environment variables

Here we bind the value username from the secret mysecret to the env variable SECRET_USERNAME, password from the secret mysecret to the env variable SECRET_PASSWORD:

apiVersion: v1
kind: Pod
metadata:
  name: redis-with-env-secrets
spec:
  containers:
  - name: redis
    image: redis
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password

You can look up the secrets in the pod by connecting to the pod:

$ kubectl exec -ti redis-with-env-secrets /bin/bash
root@redis-with-env-secrets:/data# echo $SECRET_USERNAME
admin
root@redis-with-env-secrets:/data# echo $SECRET_PASSWORD
1f2d1e2e67df

Careful, if you change a secret after starting the pods, it won't update the pods. So you need to restart them.

Clean up

kubectl delete service,deployment,pod,secrets --all

Links