Secrets Use Case:
Assume we are planning to deploy a MySQL Pod in the Kubernetes cluster. MySQL requires much sensitive information such as host IP address, database name, username, and password. We can create a Pod for MySQL using the mentioned information as a Kubernetes Deployment definition file. In this scenario, the configuration information such as username, password, database name is tightly coupled with the Pod definition. And they are easily visible to all developers who had access to the Pod definition file.
In this approach, we are facing two problems.
1. The sensitive information is tightly coupled with Pod and we can not re-use them( means each time we have to type the credentials separately). And updating the credentials is also a tedious task. Why because we need to change the information in each definition file. This approach is not a centralised one.
2. And the sensitive information is visible to all developers who had access to the Pod definition file.
The above-mentioned problems can be easily solved using the Secrets. The Secrets can be re-used and distributed in the Kubernetes cluster.
While using Secrets in the Kubernetes cluster, we will do two activities.
1. Create Secret.
2. Inject the Secret into Pod.
In this tutorial, we will see the following topics.
1. Get a Secret list
2. Create Secret using Imperative way.
3. Create Secret using a Declarative way.
4. Create Secret for MySQL database.
5. Inject Secrets to MySQL Pod.
Get Secrets list:
Use the following command to get the list of secrets present in the current Kubernetes namespace.
kubectl get secrets
Use the describe command to know more about the Secrets in the Kubernetes cluster. This command will list all the secrets.
kubectl describe secrets
If you want to know the particular secret then use the following command.
kubectl get secret secret_name -o yaml #Example kubectl get secret mysql-secrets -o yaml
The above command displays the full yaml file definition used for creating the Secret in Kubernetes.
Create Secret using Imperative way:
We can create the secrets using the kubectl create secret command. The syntax for creating the secret using the imperative method is given below.
kubectl create secret generic secret-name --from-literal=key=value
Create a username secret using the following command.
kubectl create secret generic demo-secret --from-literal=username=raja
If you want to use multiple key-value pairs then use — from-literal option.
kubectl create secret generic demo-secret --from-literal=username=raja \ --from-literal=pasword=raja1234
In the imperative method, we have not encoded the data(username and password). However, if you look at the YAML file, the data will be shown as base64 encoded format
kubectl get secret demo-secret -o yaml
Create Secret using Declarative way:
The syntax for creating the Secrets using the Declarative method is given below.
apiVersion: v1 kind: Secret metadata: name: secret-name data: key1: encoded_value1 key2: encoded_value2
Encode the data using the following commands on Mac/Linux. Or use any online tool to convert data to base64.
echo -n 'your_data' | base64 #Example echo -n 'raja' | base64
Create a file and name it as demo-secrets.yaml. And paste the below code in the file.
apiVersion: v1 kind: Secret metadata: name: demo-secret2 data: username: cmFqYQ== password: cmFqYTEyMzQ=
1. The data section is used to define the key-value pair.
2. By default the type is Opaque. It means key-value pair secret.
Execute the file using the following command.
kubectl apply -f demo-secrets.yaml
Now the secret is created. Get the secrets list using the kubectl command.
kubectl get secrets
Create Secret for MySQL database:
For the demonstration purpose, I am going to create a Pod for the MySQL database. For MySQL, we had two sensitive information such as username and password. So we are going to encode the username and password using the base64 method. However, base64 is not a secure way to store sensitive information. It is an introduction article. So I planned to give a basic idea about Secrets in the Kubernetes cluster. In the future, we will see how to handle sensitive information in a better way using HashiCorp Vault.
We can encode the data to base64 using the Linux command-line tool. The command works both in Mac and Linux. Use the following command to create a base64 value.
echo -n 'sensitive_data' | base64
Change the sensitive_data placeholder with your username and password.
Decode the base64 data using the following command. Please remember, the base64 is not a secure one. Use the same command for encoding and finally add — decode option.
echo -n ‘cmFqYQ==’ | base64 --decode
Use the following YAML file to create a Secret. This secret contains the username and password for MySQL in a base64 encoded format.
apiVersion: v1 kind: Secret metadata: name: mysql-secret data: username: cmFqYQ== password: cmFqYTEyMzQ=
Save the above code as mysql-secrets.yaml. And execute the file using the following command.
kubectl apply -f mysql-secret.yaml
Now the secret is created. Next, we will inject this secret into MySQL Pod.
Inject Secrets to MySQL Pod:
The Pod definition code for MySQL is given below.
apiVersion: apps/v1 kind: Deployment metadata: name: mysql spec: selector: matchLabels: app: mysql template: metadata: labels: app: mysql spec: containers: - image: mysql:5.6 name: mysql env: - name: MYSQL_ROOT_PASSWORD value: password ports: - containerPort: 3306
Here we need to change the environment variable using the secrets. The below code contains how to use the secret value for username.
env: - name: MYSQL_ROOT_PASSWORD valueFrom: secretKeyRef: name: mysql-secret key: password
1. Instead of value, you must use valueFrom.
2. In the valueFrom, Just mention the secret name and key name using the secretKeyRef.
Full code of MySQL Pod and Secrets injected given below.
A Secret is a Kubernetes object and used to store sensitive information in an encoded format. The Secrets are distributed. We can re-use them in many Pod definition files. Here we have seen various ways to create the Secrets. You can use any method. However, the declarative approach is very good for handling multiple values. Don’t bind the values directly in the Pod definition file. Instead, use secrets and inject the secret value in the Pod. I hope this tutorial will help you to use the Secrets in the Kubernetes cluster.