Hey, hi!
Happy to be back with my Kubernetes series. In our previous blogs on k8s we have covered the following:
Kubernetes setup in AWS:
https://opsinsights.dev/my-first-path-to-kubernetes-setup%e2%80%8a-%e2%80%8apart-1-of-2/
Let’s learn some best practices for handling credentials in Kubernetes.
There are several methods of handling secrets in Kubernetes. They are mainly meant for mission-critical information that must not be exposed in the codebase.
First, let’s create a deployment with all our required secrets. To proceed further, the secrets to be deployed must be base64 encoded. base64 is only an encoding, not encryption, so keep the resulting file out of the codebase as well.
apiVersion: v1
data:
  DATABASE_NAME: YW5pbWAFrASDZXJfZGV2
  DATABASE_USER: YW5pASDbWFFwcDFAASVzZXI=
  DATABASE_HOST: YW5pbWFrZXItZGV2ZWASDxvcC5jOWtwaTFDAFhaTE5ZWMudXMtd2VzdC0yLnJkcy5hbWF6b25hd3MuYASD29t
  DATABASE_PORT: MzSDFDSFMwNg==
  DATABASE_PASSWORD: QU5ASXCXZSW1hYSFQUHVzMQ==
kind: Secret
metadata:
  name: demo
  namespace: default
type: Opaque
To create base64 encoded values (the -n flag keeps echo's trailing newline out of the encoded secret):
echo -n 'k8s-demo' | base64
output: azhzLWRlbW8=
To confirm that the encoded value matches your input, decode and verify it:
echo 'azhzLWRlbW8=' | base64 --decode
Once you have all the secrets ready, let’s move to pod deployment. The manifest above is a sample excerpt of the secrets.yaml file.
I have updated my database credentials with this deployment. Once done, deploy it:
kubectl apply -f secrets.yaml
Verify your deployment with:
kubectl get secrets demo
To use these as environment variables in our pods/containers, modify the deployment configuration as shown below and proceed with your pod deployments.
containers:
  - name: jenkins-app
    image: <IMAGE REPO URL>
    env:
      - name: SECRET_KEY
        valueFrom:
          secretKeyRef:
            name: demo
            key: SECRET_KEY
      - name: GOOGLE_OAUTH2_KEY
        valueFrom:
          secretKeyRef:
            name: demo
            key: GOOGLE_OAUTH2_KEY
      - name: GOOGLE_OAUTH2_SECRET
        valueFrom:
          secretKeyRef:
            name: demo
            key: GOOGLE_OAUTH2_SECRET
To confirm your setup, SSH into the pod and list all the environment variables. You can see all the fields which we have mapped thus far.
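An added example, not part of the original post: a Python check to run over the output of kubectl get secret demo -o json before deploying pods. It flags values that are not valid base64, are empty, or carry stray whitespace such as echo's trailing newline, and secretKeyRef keys the Secret does not contain. The sample Secret and the function name audit_secret are constructed for illustration.

```python
import base64
import binascii
import json

# Constructed sample in the shape of `kubectl get secret demo -o json`.
# The values are made up for this example, not taken from a real cluster.
SAMPLE_SECRET = json.loads("""
{
  "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
  "metadata": {"name": "demo", "namespace": "default"},
  "data": {
    "DATABASE_NAME": "azhzLWRlbW8=",
    "DATABASE_USER": "azhzLWRlbW8K",
    "DATABASE_PORT": "MzMwNg",
    "DATABASE_PASSWORD": ""
  }
}
""")


def audit_secret(secret, referenced_keys=()):
    """Return {key: [problems]}; decoded values are never returned or printed."""
    data = secret.get("data") or {}
    findings = {}
    for key, encoded in data.items():
        problems = []
        try:
            raw = base64.b64decode(encoded, validate=True)
        except (binascii.Error, ValueError):
            problems.append("not valid base64")
        else:
            if not raw:
                problems.append("empty value")
            elif raw != raw.strip():
                problems.append("leading/trailing whitespace (echo without -n?)")
        if problems:
            findings[key] = problems
    # Keys named in a pod's secretKeyRef that the Secret does not define
    # leave the container unable to start.
    for key in referenced_keys:
        if key not in data:
            findings.setdefault(key, []).append("referenced by secretKeyRef but missing")
    return findings


if __name__ == "__main__":
    refs = ["DATABASE_NAME", "SECRET_KEY"]  # keys used by the pod spec (constructed)
    print(json.dumps(audit_secret(SAMPLE_SECRET, refs), indent=2))
```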
Originally published at https://opsinsights.dev on April 22, 2019.