Using Kubernetes Secrets

Binura Gunasekara
Jan 4, 2018 · 6 min read

Manage, stage and automatically update your application’s production-level environment variables and sensitive files using Kubernetes Secrets

The Basics


Method 1 : Using kubectl

$ kubectl create secret generic my-secret \
    --from-file=service_account_key=key.json \
    --from-literal=webhook_token=sdfdgerww4dhgsf643 \
    --from-literal=slack_token=sffrt64t7uk

Viewing your secret

Name:         my-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
service_account_key:  38 bytes
slack_token:          11 bytes
webhook_token:        18 bytes

Method 2 : Using a custom .yaml file

Encoding? What encoding?

$ kubectl get secret my-secret -o yaml
apiVersion: v1
data:
  service_account_key: eyBoZWxsbzogInNkZmFzZCIsCnBhc3N3b3JkOiAid2hhdCIgfQo=
  slack_token: c2ZmcnQ2NHQ3dWs=
  webhook_token: c2RmZGdlcnd3NGRoZ3NmNjQz
kind: Secret
metadata:
  creationTimestamp: 2018-01-04T07:19:33Z
  name: my-secret
  namespace: default
  resourceVersion: "2453821"
  selfLink: /api/v1/namespaces/default/secrets/my-secret
  uid: 9ce562e7-f11f-11e7-a5c3-42010a9800e4
type: Opaque

$ echo -n some_text_to_encode | base64
c29tZV90ZXh0X3RvX2VuY29kZQ==
$ echo c29tZV90ZXh0X3RvX2VuY29kZQ== | base64 -d
some_text_to_encode

Writing our own Secret.yaml file

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: default
type: Opaque
data:
  service_account_key: eyBoZWxsbzogInNkZmFzZCIsCnBhc3N3b3JkOiAid2hhdCIgfQo=
  slack_token: c2ZmcnQ2NHQ3dWs=
  webhook_token: c2RmZGdlcnd3NGRoZ3NmNjQz

Warning regarding encoding FILES with base64

$ kubectl apply -f my-secret.yaml
secret "my-secret" created
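An added example (not from the original article) that builds the same manifest by hand and then decodes it again, showing that the data values are encoded rather than encrypted and that file contents must be encoded as a single unwrapped line. The function names b64, render_secret and decode_field and the sample key file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration: hand-build the Secret manifest, then reverse the encoding.
set -eu

# Encode stdin as ONE line of base64. GNU base64 wraps output at 76 columns by
# default, which would split a file's encoding across lines and break the YAML.
b64() { base64 | tr -d '\n'; }

# render_secret NAME KEYFILE WEBHOOK_TOKEN SLACK_TOKEN -> manifest on stdout.
# printf '%s' (like echo -n) keeps a trailing newline out of the stored token.
render_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: default
type: Opaque
data:
  service_account_key: $(b64 < "$2")
  slack_token: $(printf '%s' "$4" | b64)
  webhook_token: $(printf '%s' "$3" | b64)
EOF
}

# decode_field MANIFEST KEY -> plaintext on stdout. No key material is needed:
# anyone who can read the manifest or "get" the Secret can recover the value.
decode_field() {
  awk -v k="$2:" '$1 == k { print $2 }' "$1" | base64 -d
}

demo() {
  tmp=$(mktemp -d)
  # Constructed sample file (not a real credential), long enough to trigger wrapping.
  printf '{ "type": "service_account", "private_key_id": "constructed-example-0001" }\n' \
    > "$tmp/key.json"
  render_secret my-secret "$tmp/key.json" sdfdgerww4dhgsf643 sffrt64t7uk \
    > "$tmp/my-secret.yaml"
  cat "$tmp/my-secret.yaml"
  printf 'decoded slack_token: %s\n' "$(decode_field "$tmp/my-secret.yaml" slack_token)"
  rm -rf "$tmp"
}
demo
```

Because the values are trivially reversible, a file like my-secret.yaml needs the same handling as the plaintext credentials it contains, for example keeping it out of version control.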

Adding our secrets to our app’s Container

Mounting a file from a Kubernetes Secret to the Container

# extensions/v1beta1 Deployments were removed in Kubernetes 1.16;
# current clusters need apps/v1 plus a spec.selector.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: sample-app
  namespace: default
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: sample-app
    spec:
      containers:
      - name: sample-app
        image: gcr.io/google_containers/defaultbackend:1.0
        ports:
        - containerPort: 8080

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: sample-app
  namespace: default
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: sample-app
    spec:
      containers:
      - name: sample-app
        image: gcr.io/google_containers/defaultbackend:1.0
        ports:
        - containerPort: 8080
        volumeMounts:
        - name: service-key
          mountPath: /root/key.json
          subPath: key.json
      volumes:
      - name: service-key
        secret:
          secretName: my-secret
          items:
          # key must match the name under data: in the Secret exactly
          - key: service_account_key
            path: key.json

Adding Environment Variables from the Secret

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: sample-app
  namespace: default
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: sample-app
    spec:
      containers:
      - name: sample-app
        image: gcr.io/google_containers/defaultbackend:1.0
        ports:
        - containerPort: 8080
        volumeMounts:
        - name: service-key
          mountPath: /root/key.json
          subPath: key.json
        env:
        # Each variable is populated from one key of the Secret
        - name: "AUTH_TOKEN"
          valueFrom:
            secretKeyRef:
              name: my-secret
              key: webhook_token
        - name: "SLACK_TOKEN"
          valueFrom:
            secretKeyRef:
              name: my-secret
              key: slack_token
      volumes:
      - name: service-key
        secret:
          secretName: my-secret
          items:
          # key must match the name under data: in the Secret exactly
          - key: service_account_key
            path: key.json

Check first — then celebrate!


Updating Secrets


Follow the Platformer Blog for more articles on Kubernetes and Container Orchestration!

Platformer Cloud

Platformer.com

Binura Gunasekara

Written by

Software Engineer at Platformer | I write about Code, DevOps, and all things Kubernetes

Platformer Cloud

Platformer.com Blog | Technical stories written by our team, partners and invited authors on Cloud, Containers, Kubernetes, Serverless, etc
