107 lines
2.4 KiB
Markdown
107 lines
2.4 KiB
Markdown
# Secrets
|
|
|
|
Objects of type `Secret` are intended to hold sensitive information, such as passwords, OAuth tokens, and ssh keys. Putting this information in a secret is safer and more flexible than putting it verbatim in a pod definition or in a docker image.
|
|
|
|
```yml
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: mysecret
|
|
type: Opaque
|
|
data:
|
|
username: YWRtaW4= # admin
|
|
password: cGFzc3dvcmQ= # password
|
|
```
|
|
|
|
* `data`: is a list of key/values. The values must be in base64.
|
|
|
|
You can apply the file:
|
|
|
|
```sh
|
|
$ kubectl apply -f 10-secrets/01-secrets.yml
|
|
secret "mysecret" created
|
|
```
|
|
|
|
You can reference a secret from a pod, either per env variable or mounting a volume containing a secret.
|
|
|
|
## Reference the secret by mounting it as a volume
|
|
|
|
Here we mount the secret `mysecret` to the path `/etc/foo` inside the pod:
|
|
|
|
```yml
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: redis-with-volume-secrets
|
|
spec:
|
|
containers:
|
|
- name: redis
|
|
image: redis
|
|
volumeMounts:
|
|
- name: foo
|
|
mountPath: "/etc/foo"
|
|
readOnly: true
|
|
volumes:
|
|
- name: foo
|
|
secret:
|
|
secretName: mysecret
|
|
```
|
|
|
|
You can look up the secrets in the pod by connecting to the pod:
|
|
|
|
```sh
|
|
$ kubectl exec -ti redis-with-volume-secrets /bin/bash
|
|
root@redis-with-volume-secrets:/data# cd /etc/foo/
|
|
root@redis-with-volume-secrets:/etc/foo# ls
|
|
password username
|
|
```
|
|
|
|
## Reference the secret by using environment variables
|
|
|
|
Here we bind the value `username` from the secret `mysecret` to the env variable `SECRET_USERNAME`,
|
|
`password` from the secret `mysecret` to the env variable `SECRET_PASSWORD`:
|
|
|
|
```yml
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: redis-with-env-secrets
|
|
spec:
|
|
containers:
|
|
- name: redis
|
|
image: redis
|
|
env:
|
|
- name: SECRET_USERNAME
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: mysecret
|
|
key: username
|
|
- name: SECRET_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: mysecret
|
|
key: password
|
|
```
|
|
|
|
You can look up the secrets in the pod by connecting to the pod:
|
|
|
|
```sh
|
|
$ kubectl exec -ti redis-with-env-secrets /bin/bash
|
|
root@redis-with-env-secrets:/data# echo $SECRET_USERNAME
|
|
admin
|
|
root@redis-with-env-secrets:/data# echo $SECRET_PASSWORD
|
|
1f2d1e2e67df
|
|
```
|
|
|
|
Careful, if you change a secret after starting the pods, it won't update the pods. So you need to restart them.
|
|
|
|
## Clean up
|
|
|
|
```sh
|
|
kubectl delete service,deployment,pod,secrets --all
|
|
```
|
|
|
|
## Links
|
|
|
|
* https://kubernetes.io/docs/concepts/configuration/secret/
|