Omar

#055 Kubernetes - Secrets

Secrets

etcd is the database where the master saves data about nodes, so the secret is created in etcd encrypted, and it is not placed on any node until a pod needs to use it. There is a resource you must read before continuing with this article, the design document for secrets; read it and come back -> here

Files

The files can also be found in the DevOpsRepo on my GitHub; if you already have it, just pull it.

#app_055-cf.yml
apiVersion: v1
kind: ConfigMap
metadata:
        name: configs
data:
        LANGUAGE: Polish

#app_055-sec.yml
apiVersion: v1
kind: Secret 
metadata:
        name: configs-sec
data:
        API_KEY: MzMzLTQ0NC01NTUK

#app_055.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: envtest
spec:
  selector:
    matchLabels:
      name: envtest
  replicas: 1
  template:
    metadata:
      labels:
        name: envtest
    spec:
      containers:
      - name: envtest
        image: praqma/secrets-demo
        imagePullPolicy: Always
        ports:
        - containerPort: 3000
        env:
        - name: LANGUAGE
          valueFrom:
            configMapKeyRef:
              name: configs
              key: LANGUAGE
        - name: API_KEY
          valueFrom:
            secretKeyRef:
              name: configs-sec
              key: API_KEY

Lab

Well, the API key is in fact a secret, so we should put it in the secret configs.
To convert our key to its base64-encoded form, we use this command on Linux:

echo "333-444-555" | base64
# output: MzMzLTQ0NC01NTUK
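The check below is an added example, not part of the original post: plain `echo` appends a newline, so the value `MzMzLTQ0NC01NTUK` decodes to the key followed by `\n`, and anyone who can read the manifest can decode it. The function names (`encode_secret`, `check_value`, `audit_manifest`) are assumptions for illustration, the sample is the Secret manifest from this post, and `base64 -d` assumes GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added example: audit the base64 values under `data:` in a Secret manifest.
# Function names are illustrative; the sample is the manifest from this post.

# Encode a value for `data:` without the newline that plain `echo` appends.
encode_secret() { printf '%s' "$1" | base64; }

# Decode one value and print "clean", "trailing-newline" or "invalid-base64".
check_value() {
  printf '%s' "$1" | base64 -d >/dev/null 2>&1 || { echo "invalid-base64"; return 2; }
  # Command substitution would strip a trailing newline, so inspect the last
  # decoded byte as hex instead of comparing strings.
  _last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  if [ "$_last" = "0a" ]; then echo "trailing-newline"; else echo "clean"; fi
}

# Read a manifest on stdin and print "KEY STATUS" for each entry in the flat
# `data:` map (a top-level key at column 0 ends the map).
audit_manifest() {
  awk '/^data:/ {d = 1; next}
       /^[A-Za-z]/ {d = 0}
       d && NF == 2 {sub(":", "", $1); print $1, $2}' |
  while read -r key value; do
    echo "$key $(check_value "$value")"
  done
}

SAMPLE='apiVersion: v1
kind: Secret
metadata:
        name: configs-sec
data:
        API_KEY: MzMzLTQ0NC01NTUK'

printf '%s\n' "$SAMPLE" | audit_manifest          # value as written in the post
echo "re-encoded: $(encode_secret '333-444-555')" # same key, no newline
```

To check a file on disk, run `audit_manifest < app_055-sec.yml`.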

Create the resources:

kubectl create -f app_055-sec.yml 
kubectl create -f app_055-cf.yml 
kubectl apply -f app_055.yml 

Then port-forward to port 3000:

kubectl port-forward envtest-767745d7b4-s6ld7 3000

working

Top comments (4)

csgeek

The main issue I have with secrets right now is that in order to save my k8 deployment I'd have to check the secrets into version control with the rest of my yaml files that describe my cluster. Even if they're base64 encoded, that's not really encrypted, obfuscated at best, and you can always decode it with base64 -d

Thanks for the tutorial otherwise. :)

Omar

You can git ignore it and push a template for it only.

csgeek

Sure, but the secrets database has to live somewhere besides your local laptop. Especially if you're doing hundreds of services with a variety of API keys and passwords for various dev/qa/production environments.

Omar

I don't know if Kubernetes has a way to do it.
Do you have a solution for it using Kubernetes?