How to use secrets as environment variables

KubernetesKubernetesBeginner
Practice Now

Introduction

Kubernetes Secrets provide a secure way to store and manage sensitive data in your Kubernetes-based applications. This tutorial will guide you through the process of understanding Kubernetes Secrets, creating and configuring them, and injecting them into your Kubernetes workloads as environment variables.


Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL kubernetes(("`Kubernetes`")) -.-> kubernetes/TroubleshootingandDebuggingCommandsGroup(["`Troubleshooting and Debugging Commands`"]) kubernetes(("`Kubernetes`")) -.-> kubernetes/BasicCommandsGroup(["`Basic Commands`"]) kubernetes(("`Kubernetes`")) -.-> kubernetes/AdvancedCommandsGroup(["`Advanced Commands`"]) kubernetes(("`Kubernetes`")) -.-> kubernetes/ConfigurationandVersioningGroup(["`Configuration and Versioning`"]) kubernetes/TroubleshootingandDebuggingCommandsGroup -.-> kubernetes/describe("`Describe`") kubernetes/TroubleshootingandDebuggingCommandsGroup -.-> kubernetes/exec("`Exec`") kubernetes/BasicCommandsGroup -.-> kubernetes/create("`Create`") kubernetes/BasicCommandsGroup -.-> kubernetes/set("`Set`") kubernetes/AdvancedCommandsGroup -.-> kubernetes/apply("`Apply`") kubernetes/ConfigurationandVersioningGroup -.-> kubernetes/config("`Config`") subgraph Lab Skills kubernetes/describe -.-> lab-419038{{"`How to use secrets as environment variables`"}} kubernetes/exec -.-> lab-419038{{"`How to use secrets as environment variables`"}} kubernetes/create -.-> lab-419038{{"`How to use secrets as environment variables`"}} kubernetes/set -.-> lab-419038{{"`How to use secrets as environment variables`"}} kubernetes/apply -.-> lab-419038{{"`How to use secrets as environment variables`"}} kubernetes/config -.-> lab-419038{{"`How to use secrets as environment variables`"}} end

Understanding Kubernetes Secrets

Kubernetes Secrets are a built-in resource in the Kubernetes ecosystem that provide a secure way to store and manage sensitive data, such as passwords, API keys, and other confidential information. Secrets are designed to protect sensitive data from being exposed in your Kubernetes manifests or during the deployment process.

In Kubernetes, Secrets are stored as base64-encoded strings and can be accessed by authorized Pods or users. This ensures that the sensitive data is not stored in plain text, which could potentially lead to security breaches.

Kubernetes Secrets can be used in a variety of scenarios, such as:

  1. Database Credentials: Storing database connection strings, usernames, and passwords securely.
  2. API Keys: Storing API keys for external services, such as cloud providers or third-party APIs.
  3. SSL/TLS Certificates: Storing SSL/TLS certificates and private keys for secure communication.
  4. Other Sensitive Data: Storing any other sensitive data that should not be exposed in your Kubernetes manifests.

Here's an example of how to create a Kubernetes Secret using the kubectl command-line tool:

kubectl create secret generic my-secret \
  --from-literal=username=myuser \
  --from-literal=password=mypassword

In this example, we create a Secret named my-secret with two key-value pairs: username and password.

To verify the creation of the Secret, you can use the following command:

kubectl get secrets

This will list all the Secrets in your Kubernetes cluster, including the one you just created.

By understanding the basics of Kubernetes Secrets, you can effectively manage and secure sensitive data in your Kubernetes-based applications.

Creating and Configuring Kubernetes Secrets

Creating and configuring Kubernetes Secrets involves several steps to ensure that sensitive data is properly secured and managed within your Kubernetes cluster.

Creating Kubernetes Secrets

There are several ways to create Kubernetes Secrets, including using the kubectl command-line tool, Kubernetes manifests, and external tools like HashiCorp Vault or AWS Secrets Manager.

Using kubectl, you can create a Secret by running the following command:

kubectl create secret generic my-secret \
  --from-literal=username=myuser \
  --from-literal=password=mypassword

This will create a Secret named my-secret with two key-value pairs: username and password.

Alternatively, you can create a Secret using a Kubernetes manifest file. Here's an example:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: bXl1c2Vy
  password: bXlwYXNzd29yZA==

In this example, the data field contains the base64-encoded values for the username and password keys.

Configuring Kubernetes Secrets

Kubernetes Secrets support different types, each with its own use case. Some common Secret types include:

  • Opaque: Used for storing arbitrary user-defined data.
  • kubernetes.io/dockerconfigjson: Used for storing Docker registry credentials.
  • kubernetes.io/service-account-token: Used for storing service account tokens.

You can specify the Secret type when creating a Secret using the type field in the manifest.

Additionally, you can configure Kubernetes Secrets to be mounted as files or environment variables in your Pods, allowing your application to securely access the sensitive data.

By understanding the process of creating and configuring Kubernetes Secrets, you can effectively manage and secure sensitive data in your Kubernetes-based applications.

Injecting Secrets into Kubernetes Workloads

Once you have created and configured Kubernetes Secrets, the next step is to inject them into your Kubernetes workloads, such as Pods, Deployments, or StatefulSets. Kubernetes provides two main ways to inject Secrets into your applications: environment variables and volume mounts.

Injecting Secrets as Environment Variables

You can inject Secrets as environment variables in your Pods. This is a convenient way to make the sensitive data available to your application. Here's an example:

apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  containers:
  - name: my-container
    image: my-app:v1
    env:
    - name: USERNAME
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: username
    - name: PASSWORD
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: password

In this example, the USERNAME and PASSWORD environment variables are populated with the values from the my-secret Secret.

Injecting Secrets as Volume Mounts

Alternatively, you can mount Secrets as files in your Pods. This approach allows your application to read the sensitive data from the file system. Here's an example:

apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  containers:
  - name: my-container
    image: my-app:v1
    volumeMounts:
    - name: secret-volume
      mountPath: /etc/secrets
  volumes:
  - name: secret-volume
    secret:
      secretName: my-secret

In this example, the my-secret Secret is mounted as a volume at the /etc/secrets path within the container.

By understanding how to inject Secrets into your Kubernetes workloads, you can ensure that your sensitive data is securely accessed by your applications, reducing the risk of unauthorized access or exposure.

Summary

In this tutorial, you learned how to use Kubernetes Secrets to securely store and manage sensitive data, such as database credentials, API keys, and SSL/TLS certificates. You also learned how to create and configure Secrets, and how to inject them into your Kubernetes workloads as environment variables. By understanding and properly using Kubernetes Secrets, you can improve the security of your Kubernetes-based applications and protect sensitive data from being exposed.

Other Kubernetes Tutorials you may like