kubectl create secret generic <secret-name>
--from-literal=<key>=<encrypted value>
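# --from-literal takes the PLAINTEXT value; kubectl base64-encodes it itself.
# Passing values that are already base64 (bXlzcWw= ...) double-encodes them,
# which is exactly what the later `-o yaml` output shows
# (YlhsemNXdz0= is base64 of the string "bXlzcWw=", not of "mysql").
kubectl create secret generic app-secret \
  --from-literal=DB_Host=mysql \
  --from-literal=DB_User=root \
  --from-literal=DB_Password=mypassword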
kubectl create secret generic <secret-name>
--from-file=file_name.properties
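# printf instead of echo: bash's builtin echo does not interpret "\n" by default,
# so the original wrote both entries on ONE line with a literal backslash-n.
# (The file holds the plaintext credentials; keep its permissions tight.)
printf 'username:mysql_user\npassword:mypassword\n' > myfile.properties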
kubectl create secret generic my-secret \
--from-file=myfile.properties
All values under `data:` in a Secret manifest must be base64-encoded. Note that base64 is an encoding, not encryption: anyone who can read the Secret object can decode the values. (Only the manifest needs base64; `--from-literal` and `--from-file` take plaintext and encode it for you.)
To encode a value:
>echo -n "mysql" |base64
>bXlzcWw=
kubectl create -f <file.yml>
# Secret manifest for `kubectl create -f <file.yml>`.
# Every value under `data:` is base64-encoded (encoding only, not encryption).
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: app-secret
data:
  DB_Host: bXlzcWw=               # base64 of "mysql"
  DB_User: cm9vdA==               # base64 of "root"
  DB_Password: bXlwYXNzd29yZA==   # base64 of "mypassword"
Again, note that the values in the file must be base64-encoded (not plaintext, and not encrypted).
kubectl get secrets
NAME TYPE DATA AGE
app-secret Opaque 3 4s
default-token-4brx8 kubernetes.io/service-account-token 3 10d
>kubectl describe secrets app-secret
Name: app-secret
Namespace: aaron
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
DB_Host: 8 bytes
DB_Password: 16 bytes
DB_User: 8 bytes
>k get secrets app-secret -o yaml
apiVersion: v1
kind: Secret
metadata:
name: app-secret
data:
DB_Host: YlhsemNXdz0=
DB_Password: Ylhsd1lYTnpkMjl5WkE9PQ==
DB_User: Y205dmRBPT0=
type: Opaque
or
kubectl get secret app-secret -o jsonpath='{.data}'
{"DB_Host":"bXlzcWw=","DB_Password":"bXlwYXNzd29yZA==","DB_User":"cm9vdA=="}%
kubectl get secrets username -o jsonpath='{.data.username}' |base64 -d && echo ""
Add an `envFrom:` section to the container entry in the Pod YAML. Referencing the Secret this way exposes every key/value pair in it to the container as environment variables.
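# Pod that imports ALL key/value pairs of app-secret as environment variables.
apiVersion: v1
kind: Pod
metadata:
  name: simple-webapp-color
  labels:
    # labels must be a key/value map, not a bare string; the key name is illustrative
    app: simple-webapp-color
spec:
  containers:
    - name: simple-webapp-color
      image: simple-webapp-color
      ports:
        - containerPort: 8080
      envFrom:
        - secretRef:
            name: app-secret   # create env vars from app-secret key/value pairs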
As a single environment variable (references only one key/value pair from the Secret):
# Template: expose ONE key of a Secret as ONE environment variable.
spec:
  containers:
    - name: <container_name>
      image: <container_image>
      env:
        - name: <env variable>       # e.g. DB_Password
          valueFrom:
            secretKeyRef:
              name: <secret_name>    # e.g. app-secret
              key: <secret_key>      # e.g. DB_Password
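# Pod that mounts app-secret as a read-only volume.
# volumeMounts[].name must match a volumes[].name; the original mounted
# "app-secret" while the volume was named "app-secret-volume", which the
# API server rejects.
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: mypod
      image: redis
      volumeMounts:
        - name: app-secret-volume   # must equal the volume name under spec.volumes
          mountPath: "/opt/app-secret"
          readOnly: true
  volumes:
    - name: app-secret-volume
      secret:
        secretName: app-secret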
Note:
When a Secret is mounted as a volume, each key/value pair becomes a separate file in the directory given by volumeMounts.mountPath.
Each file holds only the secret's value. Base64 is not encryption, so any process that can read the mounted directory can read the secret.
root@nginx:/opt/app-secret# ls -l
total 0
lrwxrwxrwx 1 root root 14 Dec 1 19:47 DB_Host -> ..data/DB_Host
lrwxrwxrwx 1 root root 18 Dec 1 19:47 DB_Password -> ..data/DB_Password
lrwxrwxrwx 1 root root 14 Dec 1 19:47 DB_User -> ..data/DB_User
root@nginx:/opt/app-secret# cat DB_Host |base64 --decod && echo " "
mysql