Configuring Apps with Secrets

KubernetesKubernetesBeginner
Practice Now

Introduction

In this lab, you will learn how to use Kubernetes Secrets to securely manage sensitive information such as passwords, API keys, and other confidential data. You will create a secret, use it in your application, and verify that the application is properly configured. Each step builds upon the previous one, so make sure you follow along carefully.


Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL kubernetes(("`Kubernetes`")) -.-> kubernetes/TroubleshootingandDebuggingCommandsGroup(["`Troubleshooting and Debugging Commands`"]) kubernetes(("`Kubernetes`")) -.-> kubernetes/BasicCommandsGroup(["`Basic Commands`"]) kubernetes(("`Kubernetes`")) -.-> kubernetes/AdvancedCommandsGroup(["`Advanced Commands`"]) kubernetes/TroubleshootingandDebuggingCommandsGroup -.-> kubernetes/exec("`Exec`") kubernetes/BasicCommandsGroup -.-> kubernetes/get("`Get`") kubernetes/AdvancedCommandsGroup -.-> kubernetes/apply("`Apply`") subgraph Lab Skills kubernetes/exec -.-> lab-8448{{"`Configuring Apps with Secrets`"}} kubernetes/get -.-> lab-8448{{"`Configuring Apps with Secrets`"}} kubernetes/apply -.-> lab-8448{{"`Configuring Apps with Secrets`"}} end

Create A Secret

In this step, you will create a Kubernetes Secret that contains a database password.

Create a file named my-secret.yaml with the following contents:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  password: dXNlcm5hbWU6cGFzc3dvcmQ=

In this file, we specify the name of the Secret (my-secret), the type of data it contains (Opaque), and the actual data in Base64-encoded format.

Apply the Secret to your cluster by running the following command:

kubectl apply -f my-secret.yaml

Verify that the Secret was created by running the following command:

kubectl get secrets

You should see the my-secret Secret listed.
lab-configuring-apps-with-secrets-1

Use The Secret In Your Application

In this step, you will modify your application to use the my-secret Secret to retrieve the database password.

Create a file named my-app.yaml with the following contents:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-app
          image: nginx:latest
          env:
            - name: DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: my-secret
                  key: password

In this file, we specify the name of the Deployment (my-app), the image to use (my-image), and the environment variable to set (DATABASE_PASSWORD). We also use a secretKeyRef to retrieve the password key from the my-secret Secret.

Apply the Deployment to your cluster by running the following command:

kubectl apply -f my-app.yaml

Verify that the Deployment was created by running the following command:

kubectl get deployments

You should see the my-app Deployment listed.
lab-configuring-apps-with-secrets-2

Verify The Configuration

In this step, you will verify that your application is properly configured with the database password from the my-secret Secret.

Find the name of the pod running your application by running the following command:

kubectl get pods -l app=my-app

You should see a single pod running your application. Note the name of the pod.

Next, run the following command to open a shell session in the container running your application:

kubectl exec -it sh < pod-name > --

Replace <pod-name> with the name of the pod that you noted earlier.

Once you are in the shell session, run the following command to print the value of the DATABASE_PASSWORD environment variable:

echo $DATABASE_PASSWORD

You should see the database password that was retrieved from the my-secret Secret.
lab-configuring-apps-with-secrets-3

Mount The Secret As A Volume In A Pod

Now that we have created the secret, we can mount it as a volume in a pod. We will create a simple pod that reads the secret value from the mounted volume and outputs it to the console.

Create a file named pod.yaml with the following contents:

apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
spec:
  containers:
    - name: secret-container
      image: nginx
      volumeMounts:
        - name: secret-volume
          mountPath: /etc/secret-volume
  volumes:
    - name: secret-volume
      secret:
        secretName: my-secret

Apply the pod configuration:

kubectl apply -f pod.yaml

Verify The Secret As A Volume In A Pod

In this step, you will verify that your application is properly configured with the database password from the my-secret Secret.

First, run the following command to open a shell session in the container running your application:

kubectl exec -it secret-pod -- sh

Once you are in the shell session, run the following command to print the value:

cat /etc/secret-volume/password

The output should be the value of the secret.
lab-configuring-apps-with-secrets-5

Summary

In this lab, we learned how to use Kubernetes secrets to store sensitive information and how to use them in a pod. Secrets provide a secure way to manage sensitive information and should be used whenever possible to avoid exposing secrets in plaintext.

Other Kubernetes Tutorials you may like