Configuration mgt in Kubernetes 2 (Secrets)
If I tell you a secret, can you keep it?
Let me tell you that secret
Secrets in Kubernetes are dedicated resources used for securely storing and managing sensitive information within a Kubernetes cluster. They are specifically designed to handle confidential data such as passwords, API keys, certificates, tokens, or any other sensitive information required by applications running in the cluster.
Secrets provide a secure and centralized way to store this sensitive data, ensuring it is not exposed in plain text or easily accessible to unauthorized users. They are encrypted at rest within the Kubernetes etcd datastore, ensuring the confidentiality of the stored information.
Some common examples of sensitive information that can be stored in Secrets include:
- Passwords: Secrets can securely store passwords required for accessing databases, external services, or other protected resources.
- API Keys and Tokens: Secrets can hold API keys or tokens required for authenticating and authorizing access to external APIs or services.
- TLS Certificates: Secrets are commonly used to store SSL/TLS certificates and private keys used for securing communication between applications or services.
- SSH Keys: Secrets can securely store SSH keys used for secure remote access or authentication purposes.
- Configuration Files: Secrets can store sensitive configuration files that contain sensitive information required by applications, such as database connection strings or authentication credentials.
Type of secrets
Let’s explore the two main types of Secrets in Kubernetes
- Generic Secrets: Generic Secrets in Kubernetes are used to store simple key-value pairs of sensitive data. They are commonly used for storing passwords, access tokens, or any other sensitive information that can be represented as key-value pairs. Here’s an example of creating and using a Generic Secret:
Step 1: Create a Generic Secret Create a Generic Secret manually using the kubectl create secret generic command:
kubectl create secret generic our-secret --from-literal=username=admin --from-literal=password=secretpasswordThis command creates a Secret named our-secret with two key-value pairs: username and password.
Step 2: Consume the Secret To consume the Secret in a deployment, you can inject it as environment variables:
spec:
template:
spec:
containers:
- name: our-app
image: our-image
env:
- name: USERNAME
valueFrom:
secretKeyRef:
name: our-secret
key: username
- name: PASSWORD
valueFrom:
secretKeyRef:
name: our-secret
key: passwordThe Secret our-secret is consumed as environment variables USERNAME and PASSWORD in the deployment.
2. TLS Secrets: TLS Secrets in Kubernetes are used to store SSL/TLS certificates and private keys. They enable secure communication between applications or services. Let’s see how to create and use a TLS Secret:
Step 1: Create a TLS Secret Create a TLS Secret by providing the certificate and key files:
kubectl create secret tls our-tls-secret --cert=path/to/cert.pem --key=path/to/key.pemThis command creates a TLS Secret named our-tls-secret using the provided certificate and key files.
Step 2: Use the Secret To use the TLS Secret in an Ingress resource, you can specify the secretName field:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: our-ingress
spec:
tls:
- hosts:
- ourdomain.com
secretName: our-tls-secret
rules:
- host: ourdomain.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: our-service
port:
number: 80In this example, the TLS Secret our-tls-secret is used in the Ingress resource to configure SSL/TLS encryption for the specified domain.
Other ways of using secret
They are other ways to use or mount secrets, we see them below.
Storing API keys and tokens with secret
Storing API keys or tokens in Secrets allows secure access to external APIs. Here’s an example of creating a Secret to store an API key:
Step 1: Create a Generic Secret Create a Generic Secret with the API key:
kubectl create secret generic api-key --from-literal=key=ourapikeyThis command creates a Secret named “api-key” with the specified API key.
Step 2: Consume the Secret In your application deployment, reference the Secret to retrieve the API key as an environment variable:
spec:
template:
spec:
containers:
- name: our-app
image: our-image
env:
- name: API_KEY
valueFrom:
secretKeyRef:
name: api-key
key: keyIn this example, the Secret “api-key” is consumed by the application as an environment variable API_KEY.
Mounting Secrets as Volumes
- Create a Secret: Let’s create a Secret named our-secret with a TLS certificate and key:
kubectl create secret tls our-tls-secret --cert=path/to/cert.pem --key=path/to/key.pem2. Mount the Secret as a Volume in a Deployment: In your application’s deployment configuration, mount the Secret as a volume:
spec:
template:
spec:
containers:
- name: our-app
image: our-image
volumeMounts:
- name: tls-secret
mountPath: /path/to/certs
readOnly: true
volumes:
- name: tls-secret
secret:
secretName: our-tls-secretThis configuration mounts the Secret our-tls-secret as a volume at the specified path (/path/to/certs) within the container running the application.
3. Access the Secret Data in the Application: Within your application’s code, access the mounted files from the Secret volume:
cert_path = '/path/to/certs/cert.pem'
key_path = '/path/to/certs/key.pem'
# Use the certificate and key files in your application logicBy accessing the files from the mounted volume, your application can securely utilize the secret data.
Conclusion
In this article, we have discussed about secrets, it’s types, and other ways of using them in the Kubernetes environment.
