Deploying Kubernetes Secrets with CircleCI
If you are using Kubernetes with CircleCI, there is a simple way for engineers to ship secrets: use the Environment Variables feature with an appropriate prefix.
Add your environment variables
Insert an environment variable with the appropriate prefix.
To generate the Kubernetes Secrets manifest, add a CircleCI task that builds it from those variables with the following script.
Code to Generate Secrets
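#!/usr/bin/env python3
import base64
import json
import os
import sys

# Environment name from the command line, e.g. "production".
environment = sys.argv[1]
environment = environment.upper()
# Match on the prefix plus its separator, so PRODUCTION does not also
# pick up variables belonging to a longer prefix such as PRODUCTIONX_.
prefix = environment + "_"

# Only grab the variables that are pertinent to the environment.
data = {}
for env, val in os.environ.items():
    if env.startswith(prefix):
        # Strip the prefix. Kubernetes expects base64 text in "data";
        # this is an encoding, not encryption.
        encoded = base64.standard_b64encode(val.encode("utf-8"))
        data[env[len(prefix):]] = encoded.decode("ascii")

json_output = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {
        "name": environment.lower()
    },
    "type": "Opaque",
    "data": data,
}
print(json.dumps(json_output))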
Now whenever ./envtokubesecrets.py production > production-secrets.json is called, it looks for environment variables that start with PRODUCTION and generates a manifest.
To apply this manifest, run kubectl apply -f production-secrets.json. It publishes those values under the secret named production, which is listed when you call kubectl get secrets.
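A pre-apply check for the generated manifest, as an added example that is not part of the original post. It catches an empty manifest (mistyped prefix, variables not set), invalid key names and broken base64 before kubectl apply runs; the function name check_secret_manifest is an assumption.

```python
import base64
import binascii
import json
import re
import sys

# Kubernetes rules: Secret data keys use alphanumerics, '-', '_' or '.';
# object names are DNS-1123 subdomains of at most 253 characters.
KEY_RE = re.compile(r"[-._a-zA-Z0-9]+")
LABEL = r"[a-z0-9]([-a-z0-9]*[a-z0-9])?"
NAME_RE = re.compile(LABEL + r"(\." + LABEL + r")*")


def check_secret_manifest(text):
    """Return a list of problems found in a generated Secret manifest."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return ["not valid JSON: %s" % exc]
    if not isinstance(doc, dict):
        return ["manifest is not a JSON object"]
    problems = []
    if doc.get("apiVersion") != "v1" or doc.get("kind") != "Secret":
        problems.append("not a v1 Secret")
    meta = doc.get("metadata")
    name = meta.get("name", "") if isinstance(meta, dict) else ""
    if not isinstance(name, str) or len(name) > 253 or not NAME_RE.fullmatch(name):
        problems.append("invalid metadata.name: %r" % (name,))
    data = doc.get("data")
    if not isinstance(data, dict) or not data:
        # Typical cause: mistyped prefix, or variables not set for this project.
        problems.append("no secret data found")
        return problems
    for key, value in data.items():
        if not KEY_RE.fullmatch(key):
            problems.append("invalid key name: %r" % key)
        try:
            base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError, TypeError):
            # Report the key only, never the value.
            problems.append("value for %r is not valid base64" % key)
    return problems


if __name__ == "__main__":
    found = check_secret_manifest(sys.stdin.read())
    for problem in found:
        print(problem, file=sys.stderr)
    sys.exit(1 if found else 0)
```

Run it in the CircleCI job between the generation step and kubectl apply, feeding production-secrets.json on stdin; a non-zero exit stops the job. The manifest file holds the secret values in recoverable form, so keep it out of the repository and out of stored build artifacts.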