Secret

Two Way 

 

Imperative Method

kubectl create secret generic
    <secret-name> --from-literal=<key>=<value>

kubectl create secret generic \
    app-secret --from-literal=DB_Host=mysql    \
               --from-literal=DB_User=root
               --from-literal=DB_Password=paswrd

 

kubectl create secret generic
    <secret-name> --from-file=<path-to-file>

kubectl create secret generic \
     app-secret --from-file=app_secret.properties

 

Declarative Method

kubectl create -f

 

secret-data.yaml

apiVersion: v1
kind:  Secret
metadata:
  name: app-secret
data:
  DB_Host: mysql
  DB_User: root
  DB_Password: paswrd

kubectl create -f secret-data.yaml

 

[Encode Secrets]

 

DB_Host: mysql
DB_User: root
DB_Password: paswrd

 

$ echo -n 'mysql' | base64
bXlzcWw=

$ echo -n 'root' | base64
cm9vdA==

$ echo -n 'paswrd' | base64
cGFzd3Jk

 

DB_Host: bXlzcWw=
DB_User: cm9vda==
DB_Password: cGFzd3Jk

 

[View Secrets]

kubectl get secrets

 

$ kubectl describe secrets
-------------------------
Name:        app-secret
Namespace:   default
Labels:      <none>
Annotations: <none>

Type: Opaque

Data
====
DB_Host:      10bytes
DB_Password:  6 bytes
DB_User:      4 bytes

 

$ kubectl get secret app-secret -o yaml

apiVersion: v1
data:
  DB_Host: bxlzcWw=
  DB_Password: cGFzd3Jk
  DB_User: cm9vdA==
kind: Secret
metadata:
  name: app-secret
  namespace: default
  ~~~

 

[Decode Secrets]

 

DB_Host: bXlzcWw=
DB_User: cm9vda==
DB_Password: cGFzd3Jk

 

$ echo -n 'bXlzcWw=' | base64 --decode
mysql

$ echo -n 'cm9vdA==' | base64 --decode
root

$ echo -n 'cGFzd3Jk' | base64 --decode
paswrd

 

DB_Host: mysql
DB_User: root
DB_Password: paswrd

 

[Secrets in Pods]

 

pod-definition.yaml

apiVersion: v1
kindd: Pod
metadata:
  name: simple-webapp-color
  labels:
    name: simple-webapp-color
spec:
  containers:
  - name: simple-webapp-color
    image: simple-webapp-color
    ports:
      - containerPort: 8080
    envFrom:
      - secretRef: 
          name: app-secret