How to create Kubernetes secrets?

Updated: Dec 21, 2019

What are Kubernetes secrets used for?

For example, if you are deploying an application that uses a database, you need a secure way to give your application the database credentials.

That's one of the use cases where you should use secrets. So the way it works in practice:


1. You create a secret called db-credentials:


    apiVersion: v1
    kind: Secret
    metadata:
      name: db-credentials
    type: Opaque
    data:
      username: cm9vdA==
      password: cGFzc3dvcmQ=


Note that the values in username and password are base64 encoded (an encoding, not encryption). To produce these values, you can run this in your terminal:


    echo -n 'root' | base64
    cm9vdA==
    echo -n 'password' | base64
    cGFzc3dvcmQ=


Note: don't forget the -n option. Without it, echo appends a newline, and that newline is encoded into the value.


Also, Opaque is the default secret type. You can use it for secrets that hold credentials. There are other types for different kinds of secrets, such as the service-account-token type for k8s user tokens or the tls type, among others.


2. Once you have created the secret, you can use it in your application's deployment file. Note: the secret has to be in the same namespace as the application using it.


This is what the secret usage in the deployment config looks like:


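    apiVersion: apps/v1            # Deployments live in the apps/v1 API group
    kind: Deployment
    metadata:
      name: my-app
    spec:
      selector:                    # selector and labels are required; the label value is an assumption
        matchLabels:
          app: my-app
      template:
        metadata:
          labels:
            app: my-app
        spec:
          containers:
            - name: my-app
              image: my-app-image:tag
              env:
                - name: DB_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: db-credentials   # name of the Secret
                      key: password          # key inside the Secret's data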


You can also use a secret as a file, not just as an environment variable. For example, it can be a properties file listing multiple system credentials, which the application then reads from its container file system instead of from environment variables.


In order to create a file secret:


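    apiVersion: v1
    kind: Secret
    metadata:
      name: db-credentials
    type: Opaque
    # stringData takes the file contents as plain text and the API server
    # encodes them. Under data, the whole file would have to be supplied
    # as a single base64 value.
    stringData:
      secret-file.txt: |
        username: root
        password: password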


This will create a secret-file.txt with the username and password contents. Now to use this in the deployment, you will have to read it from the file system.

So you should adjust the deployment like this:


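    apiVersion: apps/v1            # Deployments live in the apps/v1 API group
    kind: Deployment
    metadata:
      name: my-app
    spec:
      selector:                    # selector and labels are required; the label value is an assumption
        matchLabels:
          app: my-app
      template:
        metadata:
          labels:
            app: my-app
        spec:
          containers:
            - name: my-app
              image: my-app-image:tag
              volumeMounts:
                - name: secret-file
                  mountPath: "/etc/secrets"   # secret-file.txt appears in this directory
          volumes:
            - name: secret-file
              secret:
                secretName: db-credentials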


Another use case for secret files is TLS certificates, which have their own secret type: "tls" (written as kubernetes.io/tls in the manifest).

It's more convenient to create them using kubectl on the command line.


Command for creating a secret using kubectl:

    kubectl create secret tls my-certificate --key ./tls.key --cert ./tls.crt --namespace=my-ns


The general form is:

    kubectl create secret {secret-type} {secret-name} ...


This will result in a secret config file that looks like this:

    apiVersion: v1
    kind: Secret
    metadata:
      name: my-certificate
    type: kubernetes.io/tls        # the type set by "kubectl create secret tls"
    data:
      tls.key: |
        certificate-key-contents
        ...
      tls.crt: |
        certificate-contents
        ...
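
A check for the encoding rules above, added here as an example (it is not code from the original article): it lints the data field of a Secret in the JSON form returned by kubectl get secret -o json, reporting values that are not valid base64 and values whose decoded form ends in a newline, which is what echo without -n produces. The sample Secret and the function names encode_value and lint_secret are constructed for illustration.

```python
import base64
import binascii
import json

# Constructed sample, shaped like `kubectl get secret db-credentials -o json`.
# "password" was encoded with a trailing newline (echo without -n);
# "secret-file.txt" holds plain text where base64 is required.
SAMPLE_SECRET = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Secret",
  "metadata": {"name": "db-credentials"},
  "type": "Opaque",
  "data": {
    "username": "cm9vdA==",
    "password": "cGFzc3dvcmQK",
    "secret-file.txt": "username: cm9vdA=="
  }
}
""")


def encode_value(plaintext: str) -> str:
    """Encode exactly the given characters, like `echo -n '...' | base64`."""
    return base64.b64encode(plaintext.encode("utf-8")).decode("ascii")


def lint_secret(secret: dict) -> dict:
    """Map each suspicious key under `data` to a finding (values are never echoed)."""
    findings = {}
    for key, value in secret.get("data", {}).items():
        try:
            decoded = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            findings[key] = "not valid base64"
            continue
        # Expected for file-like values such as PEM; a defect for a password.
        if decoded.endswith((b"\n", b"\r")):
            findings[key] = "decoded value ends with a newline"
    return findings


if __name__ == "__main__":
    for key, finding in lint_secret(SAMPLE_SECRET).items():
        print(f"{key}: {finding}")
```

The report names only the key and the finding, so decoded credentials do not end up in terminal scrollback or CI logs.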





Nicole Hiller  |  Nana Janashia
