Kubernetes — Managing Secret

Kubernetes — Managing Secret

Jothimani Radhakrishnan's photo
Jothimani Radhakrishnan
·Apr 22, 2019·

2 min read

Hey Hi,

Happy to join back to my Kubernetes series. In our previous blogs on k8s we have done the following:

Kubernetes setup in AWS:

https://opsinsights.dev/my-first-path-to-kubernetes-setup%e2%80%8a-%e2%80%8apart-1-of-2/

https://opsinsights.dev/my-first-path-to-kubernetes-setup-in-production%e2%80%8a-%e2%80%8apart-2-of-2/

Let’s learn some best practices on handling the credentials in Kubernetes.

There are several methods of handling secrets in Kubernetes. this is mainly meant to use mission-critical information which is not to be exposed in the codebase.

First, let’s create a deployment with all our required secrets, to proceed further, base64 encoded secrets are required which are to be deployed

apiVersion: v1
 data: 
DATABASE_NAME: YW5pbWAFrASDZXJfZGV2 
DATABASE_USER: YW5pASDbWFFwcDFAASVzZXI= DATABASE_HOST:YW5pbWFrZXItZGV2ZWASDxvcC5jOWtwaTFDAFhaTE5ZWMudXMtd2VzdC0yLnJkcy5hbWF6b25hd3MuYASD29t DATABASE_PORT: MzSDFDSFMwNg== 
DATABASE_PASSWORD: QU5ASXCXZSW1hYSFQUHVzMQ== 
kind: Secret 
metadata: 
 name: demo 
 namespace: default 
 type: Opaque

To create base64 encoded values:

echo 'k8s-demo' | base64 output: azhzLWRlbW8K

To confirm your input is the same as the output decode and verify it

echo 'azhzLWRlbW8K' | base64 --decode

Once you have all the secrets ready, let’s move to pod deployment. Below is a sample excerpt of the secrets.yaml file

I have updated my database credentials with this deployment. Once done. deploy it

kubectl apply -f secrets.yaml

verify your deployment by kubectl get secrets demo

Hmm, in-order to use this as env variable in our pods/container. Modify the deployment configuration as shown below and proceed with your pod deployments.

containers:
 - name: jenkins-app
 image: <IMAGE REPO URL>
 env:
 - name: SECRET_KEY
 valueFrom:
 secretKeyRef:
 name: demo
 key: SECRET_KEY
 - name: GOOGLE_OAUTH2_KEY
 valueFrom:
 secretKeyRef:
 name: demo
 key: GOOGLE_OAUTH2_KEY
 - name: GOOGLE_OAUTH2_SECRET
 valueFrom:
 secretKeyRef:
 name: demo
 key: GOOGLE_OAUTH2_SECRET

To confirm your setup; SSH into the pod and list all the environment variables. you can see all the fields which we have mapped thus far.

Originally published at https://opsinsights.dev on April 22, 2019.

Did you find this article valuable?

Support Jothimani Radhakrishnan by becoming a sponsor. Any amount is appreciated!

Learn more about Hashnode Sponsors
 
Share this