What are Kubernetes secrets used for?
For example, if you are deploying an application that uses a database, then you would need a secure way to give your application the database credentials.
That's one of the use cases where you should use secrets. So the way it works in practice:
1) You create a secret called db-credentials:
apiVersion: v1
kind: Secret
metadata:
name: db-credentials
type: Opaque
data:
username: cm9vdA==
password: cGFzc3dvcmQ=
Note, the values in username and password are base64 encoded. In order to get these values, you can execute this on your terminal:
echo -n 'root' | base64 cm9vdA==
echo -n 'password' | base64 cGFzc3dvcmQ=
Note: don't forget to use the -n option.
Note: Base64 is not a security mechanism. They can easily be decoded and read.
Also, the "Opaque" type is the default type of secret. You can use this one for secrets with credentials. There are other types for different types of secrets, like the service-account-token type for the k8s user tokens or tls type, among others.
2) Once you have created the secret, you can use it in your application's deployment file. Note: secret has to be in the same namespace as the application using that secret.
This is how the secret usage in the deployment config will look like:
apiVersion: v1
kind: Deployment
metadata:
name: my-app
spec:
containers:
- name: my-app
image: my-app-image:tag
env:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: db-credentials
key: password
You can also use secret as a file, not just an environmental variable, for example, as a properties file, where you can list multiple system credentials, which then the application can read from its container file system instead of as environmental variables.
In order to create a file secret:
apiVersion: v1
kind: Secret
metadata:
name: db-credentials
type: Opaque
data:
secret-file.txt: |
username: cm9vdA==
password: cGFzc3dvcmQ=
This will create a secret-file.txt with the username and password contents. Now to use this in the deployment, you will have to read it from the file system.
So you should adjust the deployment like this:
apiVersion: v1
kind: Deployment
metadata:
name: my-app
spec:
containers:
- name: my-app
image: my-app-image:tag
volumeMounts:
- name: secret-file
mountPath: "/etc/secrets"
volumes:
- name: secret-file
secret:
secretName: db-credential
Another use case for secret files is tls certificates, which have their own secret type: "tls."
It's more convenient to create them using kubectl on the command line.
A command for creating a secret using kubectl:
kubectl create secret tls my-certificate --key ./tls.key --cert ./tls.crt --namespace=my-ns
kubectl create secret {secret-type} {secret-name} ...
This will result in a secret config file that looks like this:
apiVersion: v1
kind: Secret
metadata:
name: my-certificate
type: tls
data:
tls.key: |
certificate-key-contents
...
tls.crt: |
certificate-contents
...
Want to become a Kubernetes administrator?
Then, check out this comprehensive and practical course to become a Kubernetes administrator and master the Certified Kubernetes Administrator exam 🚀: