kubernetes-hands-on/10-secrets
antoinegauvain a5b4383297
Various fixes (#57)
* fix: fix internal service filename in 08-service section

* fix: typo

* fix: fix markdownlint in CI

* fix: typo

* fix: typo

* fix: `environment variables`, not `environmental`

* fix: typo & missing punctuation

* fix: `much` not `many`

* fix: `lets` not `let's`

* fix: typo

* fix: typo

* fix: phrasing

* fix: typo

* fix: typo

* fix: mysql operator manifest api version

got this error while trying to run it as is:

error: unable to recognize "20-operators/01-mysql-operator.yml": no matches for
kind "Deployment" in version "apps/v1beta1"

* fix: spelling
2020-01-29 16:41:07 +01:00

README.md

# Secrets

Objects of type `Secret` are intended to hold sensitive information, such as passwords, OAuth tokens, and SSH keys. Putting this information in a Secret is safer and more flexible than putting it verbatim in a pod definition or in a Docker image.

```yml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4= # admin
  password: cGFzc3dvcmQ= # password
```

- `data:` is a map of key/value pairs. Each value must be base64-encoded. Note that base64 is an encoding, not encryption: anyone who can read the Secret object (for example with `kubectl get secret mysecret -o yaml`) can decode the values.
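The following script is an added example, not part of the kubernetes-hands-on repository. It reproduces the base64 step behind the `data:` field of `01-secrets.yml` from plaintext values, then reverses it from the rendered manifest, which is exactly what anyone with read access to the Secret object can do. The function names (`b64`, `unb64`, `render_secret`, `decode_key`) are this example's own.

```sh
#!/bin/sh
# Added example (not from the kubernetes-hands-on repo): build a Secret
# manifest equivalent to 01-secrets.yml from plaintext, then decode it again
# to show that base64 provides no confidentiality.

# Encode one plaintext value for a Secret's `data:` field.
# printf avoids the trailing newline that `echo` would add, and tr removes
# the line wraps some base64 implementations insert every 76 characters.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode one `data:` value back to plaintext.
unb64() {
  printf '%s' "$1" | base64 -d
}

# Print an Opaque Secret manifest with username and password encoded from
# the plaintext arguments (constructed values, same shape as 01-secrets.yml).
render_secret() {
  name=$1; user=$2; pass=$3
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  username: $(b64 "$user")
  password: $(b64 "$pass")
EOF
}

# Recover the plaintext of one key from a rendered manifest. This mirrors
# what `kubectl get secret mysecret -o yaml` followed by `base64 -d` yields
# for anyone granted `get` on Secrets: the data is readable, only encoded.
decode_key() {
  manifest=$1; key=$2
  encoded=$(printf '%s\n' "$manifest" | awk -v k="$key:" '$1 == k { print $2; exit }')
  unb64 "$encoded"
}

# Stand-alone demonstration.
manifest=$(render_secret mysecret admin password)
printf '%s\n' "$manifest"
printf 'username decodes to: %s\n' "$(decode_key "$manifest" username)"
printf 'password decodes to: %s\n' "$(decode_key "$manifest" password)"
```

Because the encoding is reversible, read access to Secret objects (RBAC `get`/`list` on `secrets`) is plaintext access: grant it narrowly and per namespace, and enable encryption at rest for the `secrets` resource on the API server so the etcd copy is not stored in the clear either. If you prefer to write plaintext in a manifest, Kubernetes also accepts a `stringData:` field, which the API server base64-encodes into `data:` for you.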

You can apply the file:

```sh
$ kubectl apply -f 10-secrets/01-secrets.yml
secret "mysecret" created
```

You can reference a secret from a pod either through environment variables or by mounting a volume that contains the secret.

## Reference the secret by mounting it as a volume

Here we mount the secret `mysecret` at the path `/etc/foo` inside the pod; each key of the secret becomes a file in that directory:

```yml
apiVersion: v1
kind: Pod
metadata:
  name: redis-with-volume-secrets
spec:
  containers:
  - name: redis
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
```

You can look up the secrets in the pod by connecting to the pod:

```sh
$ kubectl exec -ti redis-with-volume-secrets /bin/bash
root@redis-with-volume-secrets:/data# cd /etc/foo/
root@redis-with-volume-secrets:/etc/foo# ls
password  username
```

## Reference the secret by using environment variables

Here we bind the value of `username` from the secret `mysecret` to the environment variable `SECRET_USERNAME`, and `password` from the same secret to the environment variable `SECRET_PASSWORD`:

```yml
apiVersion: v1
kind: Pod
metadata:
  name: redis-with-env-secrets
spec:
  containers:
  - name: redis
    image: redis
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password
```

You can look up the secrets in the pod by connecting to the pod:

```sh
$ kubectl exec -ti redis-with-env-secrets /bin/bash
root@redis-with-env-secrets:/data# echo $SECRET_USERNAME
admin
root@redis-with-env-secrets:/data# echo $SECRET_PASSWORD
password
```

Careful: if you change a secret after the pods have started, pods that consume it through environment variables will not see the new value, because a container's environment is fixed when it starts. You need to restart them to pick up the change. Secrets mounted as volumes are eventually refreshed by the kubelet (not when mounted with `subPath`), but the delay makes a restart the predictable way to roll out a change.

## Clean up

```sh
kubectl delete service,deployment,pod,secrets --all
```