Deploying Kubernetes Secrets with CircleCI

Abhi Yerra
Jun 8, 2017


If you are using Kubernetes with CircleCI, there is a simple way for engineers to ship secrets: use the Environment Variables feature with an appropriate prefix.

Add your environment variables

Insert an environment variable with the appropriate prefix.

To generate the Kubernetes Secrets manifest, add a CircleCI task that runs the following script over those variables.

Code to Generate Secrets

#!/usr/bin/env python3

import base64
import json
import os
import sys

# Environment name given on the command line, e.g. "production".
environment = sys.argv[1].upper()
# Match on "PRODUCTION_" so a variable such as PRODUCTIONS_X is not picked up.
prefix = environment + "_"

# Only grab the variables that are pertinent to the environment.
data = {}
for env, val in os.environ.items():
    if env.startswith(prefix):
        # Strip the prefix; Secret values must be base64-encoded strings.
        encoded = base64.standard_b64encode(val.encode("utf-8"))
        data[env[len(prefix):]] = encoded.decode("ascii")

json_output = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {
        "name": environment.lower()
    },
    "type": "Opaque",
    "data": data,
}

print(json.dumps(json_output))

Now, whenever ./envtokubesecrets.py production > production-secrets.json is called, it looks for environment variables that start with PRODUCTION and generates a manifest.

To apply this manifest, run kubectl apply -f production-secrets.json. It publishes those values under the secret named production, which is listed when you call kubectl get secrets.
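A pre-apply check for the generated manifest, as an added example that is not part of the original post: the values are only base64-encoded, so the check reports key names but never values, and it flags an empty data map, which usually means the prefix matched no variables. The names check_manifest and b64, the required-key list and the sample manifests are assumptions constructed for illustration.

```python
import base64
import binascii
import json
import re

# Characters Kubernetes allows in Secret data keys.
KEY_RE = re.compile(r"[-._a-zA-Z0-9]+")


def check_manifest(text, required=()):
    """Return a list of problems; messages name keys but never print values."""
    problems = []
    manifest = json.loads(text)
    if manifest.get("apiVersion") != "v1" or manifest.get("kind") != "Secret":
        problems.append("not a v1 Secret manifest")
    data = manifest.get("data") or {}
    if not data:
        # Usually means the prefix matched no CircleCI variables.
        problems.append("data is empty")
    for key, value in data.items():
        if not KEY_RE.fullmatch(key):
            problems.append("invalid key name: %r" % key)
        try:
            decoded = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError, TypeError):
            problems.append("value of %r is not valid base64" % key)
            continue
        if not decoded:
            problems.append("value of %r is empty" % key)
    for key in required:
        if key not in data:
            problems.append("missing required key: %s" % key)
    return problems


def b64(text):
    return base64.standard_b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample manifests (placeholder values, not real secrets).
BASE = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque", "metadata": {"name": "production"}}
GOOD = json.dumps(dict(BASE, data={"DB_PASSWORD": b64("example-value")}))
BAD = json.dumps(dict(BASE, data={"": b64("x"), "API_KEY": "not base64!", "EMPTY": ""}))

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_manifest(text, required=["DB_PASSWORD"]))
```

Run it on production-secrets.json before kubectl apply and fail the build if the returned list is non-empty.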

opsZero — DevOps for Startups
