Secrets
Objects of type `Secret` are intended to hold sensitive information, such as passwords, OAuth tokens, and SSH keys. Putting this information in a secret is safer and more flexible than putting it verbatim in a pod definition or in a Docker image.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4= # admin
  password: cGFzc3dvcmQ= # password
```
`data` holds key/value pairs. The values must be base64-encoded.
You can apply the file:
```sh
$ kubectl apply -f 10-secrets/01-secrets.yml
secret "mysecret" created
```
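Base64 is an encoding, not encryption, so anyone who can read the manifest or the Secret object can recover the values. The shell functions below are an added example, not part of the original README: they build the `data` entries without the trailing newline that `echo` would add, and decode them again. The function names are hypothetical, and key names are assumed to contain no regex metacharacters.

```shell
#!/bin/sh
# Added example: build the data entries of a Secret manifest and read them back.

# Encode a value for a Secret's data field.
# printf '%s' writes the value without a trailing newline (echo would add one,
# and the newline would become part of the password). tr removes the line
# wrapping that some base64 implementations apply to long output.
b64_encode() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a data value. No key is involved: base64 is reversible by anyone.
b64_decode() {
    printf '%s' "$1" | base64 --decode
}

# Print an Opaque Secret manifest. Usage: secret_manifest NAME KEY=VALUE...
secret_manifest() {
    name=$1
    shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for pair in "$@"; do
        key=${pair%%=*}     # text before the first '='
        value=${pair#*=}    # text after the first '='
        printf '  %s: %s\n' "$key" "$(b64_encode "$value")"
    done
}

# Read a manifest on stdin and print the decoded value of one data key.
# Trailing YAML comments such as "# admin" are ignored.
secret_value() {
    encoded=$(sed -n "s|^  $1: *\([A-Za-z0-9+/=]*\).*|\1|p")
    b64_decode "$encoded"
}

# Constructed sample input: the same values as the manifest in this README.
secret_manifest mysecret username=admin password=password
```

Piping the output to `kubectl apply -f -` creates the same secret as `01-secrets.yml`.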
You can reference a secret from a pod either through environment variables or by mounting a volume containing the secret.
Reference the secret by mounting it as a volume
Here we mount the secret `mysecret` to the path `/etc/foo` inside the pod:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: redis-with-volume-secrets
spec:
  containers:
  - name: redis
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
```
You can look up the secrets in the pod by connecting to the pod:
```sh
$ kubectl exec -ti redis-with-volume-secrets -- /bin/bash
root@redis-with-volume-secrets:/data# cd /etc/foo/
root@redis-with-volume-secrets:/etc/foo# ls
password username
```
Reference the secret by using environment variables
Here we bind the value `username` from the secret `mysecret` to the env variable `SECRET_USERNAME`, and `password` from the secret `mysecret` to the env variable `SECRET_PASSWORD`:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: redis-with-env-secrets
spec:
  containers:
  - name: redis
    image: redis
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
```
You can look up the secrets in the pod by connecting to the pod:
```sh
$ kubectl exec -ti redis-with-env-secrets -- /bin/bash
root@redis-with-env-secrets:/data# echo $SECRET_USERNAME
admin
root@redis-with-env-secrets:/data# echo $SECRET_PASSWORD
1f2d1e2e67df
```
Careful: if you change a secret after starting the pods, the pods are not updated, so you need to restart them.
Clean up
```sh
kubectl delete service,deployment,pod,secrets --all
```