Using Kubernetes Secrets in Applications
Kubernetes Secrets are a powerful feature that allow you to securely store and manage sensitive data, such as passwords, API keys, or certificates, within your Kubernetes cluster. These secrets can then be easily consumed by your applications, ensuring that sensitive information is not exposed in your application code or configuration files.
Understanding Kubernetes Secrets
Kubernetes Secrets are similar to environment variables, but they are stored and managed by the Kubernetes API server, rather than being embedded in your application's code or configuration files. This provides several benefits:
- Security: Secrets are stored in an encrypted format, ensuring that sensitive data is not exposed in plain text.
- Flexibility: Secrets can be easily updated and rotated without the need to rebuild or redeploy your application.
- Scalability: Secrets can be shared across multiple applications or pods, reducing the need to manage sensitive data in multiple places.
Creating and Storing Secrets
To create a Kubernetes Secret, you can use the kubectl
command-line tool or the Kubernetes API directly. Here's an example of creating a Secret using kubectl
:
kubectl create secret generic my-secret \
--from-literal=username=myuser \
--from-literal=password=mypassword
This creates a Secret named my-secret
with two key-value pairs: username=myuser
and password=mypassword
.
You can also create Secrets from a file, which is useful for storing larger pieces of sensitive data, such as SSL/TLS certificates or API keys:
kubectl create secret generic my-tls-secret \
--from-file=tls.crt=path/to/tls.crt \
--from-file=tls.key=path/to/tls.key
This creates a Secret named my-tls-secret
with two keys: tls.crt
and tls.key
, which contain the contents of the specified files.
Consuming Secrets in Applications
Once you have created a Secret, you can mount it as a volume or expose it as environment variables in your application's pods. Here's an example of how to mount a Secret as a volume:
apiVersion: v1
kind: Pod
metadata:
name: my-app
spec:
containers:
- name: my-app
image: my-app:v1
volumeMounts:
- name: secret-volume
mountPath: /etc/secrets
volumes:
- name: secret-volume
secret:
secretName: my-secret
In this example, the my-secret
Secret is mounted as a volume at the /etc/secrets
path within the container. Your application can then access the sensitive data by reading the files in this directory.
Alternatively, you can expose the Secret as environment variables:
apiVersion: v1
kind: Pod
metadata:
name: my-app
spec:
containers:
- name: my-app
image: my-app:v1
env:
- name: USERNAME
valueFrom:
secretKeyRef:
name: my-secret
key: username
- name: PASSWORD
valueFrom:
secretKeyRef:
name: my-secret
key: password
In this example, the username
and password
values from the my-secret
Secret are exposed as environment variables USERNAME
and PASSWORD
, respectively.
Updating and Rotating Secrets
Kubernetes Secrets can be easily updated and rotated without the need to rebuild or redeploy your application. To update a Secret, you can use the kubectl
command-line tool or the Kubernetes API directly:
kubectl create secret generic my-secret \
--from-literal=username=newuser \
--from-literal=password=newpassword \
--dry-run=client -o yaml | kubectl apply -f -
This creates a new version of the my-secret
Secret with updated username
and password
values. When you update a Secret, the new values will be automatically picked up by your application's pods, as long as they are using the same Secret.
To rotate a Secret, you can create a new version of the Secret with the updated values, and then update your application's pods to use the new Secret. This can be done without downtime, as the application will continue to use the old Secret until the new one is available.
Conclusion
Kubernetes Secrets are a powerful feature that allow you to securely store and manage sensitive data within your Kubernetes cluster. By using Secrets, you can ensure that sensitive information is not exposed in your application's code or configuration files, and you can easily update and rotate these secrets without the need to rebuild or redeploy your application.