5ebea66c4d
* Add how to look up the secrets in both cases * Update README.md * lint |
||
---|---|---|
.. | ||
01-secrets.yml | ||
README.md |
README.md
Secrets
Objects of type Secret
are intended to hold sensitive information, such as passwords, OAuth tokens, and ssh keys. Putting this information in a secret is safer and more flexible than putting it verbatim in a pod definition or in a docker image.
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
username: YWRtaW4= # admin
password: cGFzc3dvcmQ= # password
data
: is a list of key/values. The values must be in base64.
You can apply the file:
$ kubectl apply -f 10-secrets/01-secrets.yml
secret "mysecret" created
You can reference a secret from a pod, either per env variable or mounting a volume containing a secret.
Reference the secret by mounting it as a volume
Here we mount the secret mysecret
to the path /etc/foo
inside the pod:
apiVersion: v1
kind: Pod
metadata:
name: redis-with-volume-secrets
spec:
containers:
- name: redis
image: redis
volumeMounts:
- name: foo
mountPath: "/etc/foo"
readOnly: true
volumes:
- name: foo
secret:
secretName: mysecret
You can look up the secrets in the pod by connecting to the pod:
$ kubectl exec -ti redis-with-volume-secrets /bin/bash
root@redis-with-volume-secrets:/data# cd /etc/foo/
root@redis-with-volume-secrets:/etc/foo# ls
password username
Reference the secret by using environmental variables
Here we bind the value username
from the secret mysecret
to the env variable SECRET_USERNAME
,
password
from the secret mysecret
to the env variable SECRET_PASSWORD
:
apiVersion: v1
kind: Pod
metadata:
name: redis-with-env-secrets
spec:
containers:
- name: redis
image: redis
env:
- name: SECRET_USERNAME
valueFrom:
secretKeyRef:
name: mysecret
key: username
- name: SECRET_PASSWORD
valueFrom:
secretKeyRef:
name: mysecret
key: password
You can look up the secrets in the pod by connecting to the pod:
$ kubectl exec -ti redis-with-env-secrets /bin/bash
root@redis-with-env-secrets:/data# echo $SECRET_USERNAME
admin
root@redis-with-env-secrets:/data# echo $SECRET_PASSWORD
1f2d1e2e67df
Careful, if you change a secret after starting the pods, it won't update the pods. So you need to restart them.
Clean up
kubectl delete service,deployment,pod,secrets --all