What are Kubernetes secrets used for?
For example if you are deploying an application that uses a database, then you would need a secure way to give your application the database credentials.
That's one of the use cases where you should use secrets. So the way it works in practice:
1) You create a secret called db-credentials:
apiVersion: v1
kind: Secret
metadata:
name: db-credentials
type: Opaque
data:
username: cm9vdA==
password: cGFzc3dvcmQ=
Note the values in username and password are base64 encoded. In order to get these values you can execute this on your terminal:
echo -n 'root' | base64 cm9vdA==
echo -n 'password' | base64 cGFzc3dvcmQ=
Note: don't forget to use -n option.
Also type Opaque is the default type of secrets. You can use this one for secrets with credentials. There are other types for different types of secrets, like service-account-token type for the k8s user tokens or tls type, among others.
2) Once you have created the secret, you can use it in your application's deployment file. Note: secret has to be in the same namespace as the application using that secret.
This is how the secret usage in deployment config will look like:
apiVersion: v1
kind: Deployment
metadata:
name: my-app
spec:
containers:
- name: my-app
image: my-app-image:tag
env:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: db-credentials
key: password
You can also use secret as a file, not just an environmental variable, for example as a properties file, where you can list multiple system credentials, which then the application can read from its container file system instead of as environmental variables.
In order to create a file secret:
apiVersion: v1
kind: Secret
metadata:
name: db-credentials
type: Opaque
data:
secret-file.txt: |
username: cm9vdA==
password: cGFzc3dvcmQ=
This will create a secret-file.txt with the username and password contents. Now to use this in the deployment, you will have to read it from the file system.
So you should adjust the deployment like this:
apiVersion: v1
kind: Deployment
metadata:
name: my-app
spec:
containers:
- name: my-app
image: my-app-image:tag
volumeMounts:
- name: secret-file
mountPath: "/etc/secrets"
volumes:
- name: secret-file
secret:
secretName: db-credential
Another use case for secret files is tls certificates, which has its own secret type: "tls".
It's more convenient to create them using kubectl on command line.
Command for creating secret using kubectl:
kubectl create secret tls my-certificate --key ./tls.key --cert ./tls.crt --namespace=my-ns
kubectl create secret {secret-type} {secret-name} ...
This will result in a a secret config file, that looks like this:
apiVersion: v1
kind: Secret
metadata:
name: my-certificate
type: tls
data:
tls.key: |
certificate-key-contents
...
tls.crt: |
certificate-contents
...
Top comments (0)