Omar

Posted on Aug 27, 2020

#055 Kubernetes - Secretes

#devops #tutorial #kubernetes

Secretes

ATCD is the database where master save data about nodes , so the secret will be created in ATCD encrypted , and he didn't put it in any Node until a pod need to use it. There is a resource to read it and it is a must to read before continue this article this is the link to the design of secretes read it and came back -> here

Files

the files also can be found in the DevOpsRepo in my github , if you already have it just pull it.

#app_055-cf.yml
apiVersion: v1
kind: ConfigMap
metadata:
        name: configs
data:
        LANGUAGE: Polish

#app_055-sec.yml
apiVersion: v1
kind: Secret 
metadata:
        name: configs-sec
data:
        API_KEY: MzMzLTQ0NC01NTUK

#app_055.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: envtest
spec:
  selector:
    matchLabels:
      name: envtest
  replicas: 1
  template:
    metadata:
      labels:
        name: envtest
    spec:
      containers:
      - name: envtest
        image: praqma/secrets-demo
        imagePullPolicy: Always
        ports:
        - containerPort: 3000
        env:
        - name: LANGUAGE
          valueFrom:
            configMapKeyRef:
              name: configs
              key: LANGUAGE
        - name: API_KEY
          valueFrom:
            secretKeyRef:
              name: configs-sec
              key: API_KEY

Lab

Will the ApiKey is a secret in fact , so we should put it in secret configs.
to convert our keys to an encryption we use this command on Linux

echo "333-444-555" | base64
//output : MzMzLTQ0NC01NTUK

kubectl create -f app_055-sec.yml 
kubectl create -f app_055-cf.yml 
kubectl apply -f app_055.yml

then port-forward to 3000

kubectl port-forward envtest-767745d7b4-s6ld7 3000

Top comments (4)

csgeek • Aug 27 '20

The main issue i have with secrets right now, is that in order to save my k8 deployment I'd have to check the secrets into version control with the rest of my yaml files that describe my cluster. Even if they're base64 encoded, that's not really encrypted, obfuscated at best and you can always decode it with base64 -d

Thanks for the tutorial otherwise. :)

Omar • Aug 27 '20

you can git ignore it and push a template for it only.

csgeek • Aug 27 '20

Sure, but the secrets database has to live somewhere besides your local laptop. Especially if you're doing hundreds of services with a variety of API keys and password for various dev/qa/production environments.

Omar • Aug 27 '20

I don't know how if kuberenetes have a way to do it.
Do you have a solution for it using kubernetes?

DEV Community

#055 Kubernetes - Secretes

Secretes

Files

Lab

Top comments (4)

Read next

Optimize Like a Pro: JavaScript Memory Techniques for Large Projects

Service Internal Traffic Policy in Kubernetes: Enhancing Cluster Traffic Management

FastAPI, Pydantic, Psycopg3: the holy trinity for Python web APIs

Load Testing PostgreSQL on Kubernetes: A YAML-Only Approach