Kubernetes and secrets is always a difficult problem. I've got a super simple solution using AWS SSM today that we can use during our CI/CD pipeline to inject our secrets into our services. This is so simple and quick, that you might miss it, so I'll get to it.
First, log into AWS and open up Systems Manager. Go to Parameter Store and create a new parameter. The parameter type needs to be `SecureString`; feel free to name it whatever you like, I like to go with `/<cloud_provider>/k8s/<application>/<environment>`. Add the contents of `secret.yaml` as the parameter's value.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: wp-secrets
  namespace: wp-custom-domain
data:
  wordpress_db_password: QXdm .. mRUg=
```
Second, jump into your CI configuration and add the following as a step prior to creating your Kubernetes Deployment.

```bash
# create secrets
# parameter name: /${CLOUD_PROVIDER}/k8s/${APP_TYPE}/${CI_ENVIRONMENT_NAME}
# (e.g. /do/k8s/$APP_TYPE/$CI_ENVIRONMENT_NAME when CLOUD_PROVIDER=do)
aws ssm get-parameters-by-path \
  --path "/${CLOUD_PROVIDER}/k8s/${APP_TYPE}/" \
  --query "Parameters[?Name==\`/${CLOUD_PROVIDER}/k8s/${APP_TYPE}/${CI_ENVIRONMENT_NAME}\`].Value" \
  --with-decryption --output text | kubectl apply -f -
```
Finally, configure your Deployment spec to include the value of the secret using the `valueFrom` directive.
```yaml
spec:
  containers:
    - name: wordpress
      image: wordpress:5.3.2
      env:
        - name: WORDPRESS_DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: wp-secrets
              key: wordpress_db_password
```
The only thing you need to do now is run your CI Deployment and your secrets will be available in Kubernetes! See, I told you it was simple! This is a simple, yet effective way to deploy secrets into your environment while keeping them out of source code.
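The same lookup the CI step performs, as an added example (not the article's code) written against the boto3-style `get_parameters_by_path` response: it follows `NextToken` across pages and refuses to hand anything to `kubectl apply` that is not a Secret in the pipeline's own namespace. `FakeSSM` and `SAMPLE_MANIFEST` are constructed stand-ins for `boto3.client("ssm")` and the stored `secret.yaml`.

```python
# Added example: paginated SSM lookup plus a guard before `kubectl apply`.
# FakeSSM is a constructed stand-in; in a pipeline pass boto3.client("ssm").

def fetch_all_parameters(ssm, path):
    """Collect every parameter under `path`, following NextToken across pages."""
    params, token = [], None
    while True:
        kwargs = {"Path": path, "WithDecryption": True}
        if token:
            kwargs["NextToken"] = token
        page = ssm.get_parameters_by_path(**kwargs)
        params.extend(page.get("Parameters", []))
        token = page.get("NextToken")
        if not token:
            return params

def select_secret_manifest(ssm, cloud, app, env):
    """Return the manifest stored at /<cloud>/k8s/<app>/<env>, or None if absent."""
    wanted = f"/{cloud}/k8s/{app}/{env}"
    for param in fetch_all_parameters(ssm, f"/{cloud}/k8s/{app}/"):
        if param["Name"] == wanted:
            return param["Value"]
    return None

def manifest_is_safe(manifest, expected_namespace):
    """Cheap guard: the first `kind` must be Secret and the first `namespace` must be
    the pipeline's own, so a mislabelled parameter cannot create other objects."""
    fields = {}
    for line in manifest.splitlines():
        key, _, value = line.strip().partition(":")
        fields.setdefault(key, value.strip())
    return fields.get("kind") == "Secret" and fields.get("namespace") == expected_namespace

SAMPLE_MANIFEST = (  # constructed secret.yaml; the base64 value decodes to "placeholder"
    "apiVersion: v1\nkind: Secret\nmetadata:\n  name: wp-secrets\n"
    "  namespace: wp-custom-domain\ndata:\n  wordpress_db_password: cGxhY2Vob2xkZXI=\n"
)

class FakeSSM:
    """Constructed stand-in for boto3.client("ssm"): two pages, like the real API."""
    _PAGES = {
        None: {"Parameters": [{"Name": "/do/k8s/wordpress/staging", "Type": "SecureString",
                               "Value": "kind: ConfigMap\nmetadata:\n  namespace: wp-custom-domain\n"}],
               "NextToken": "page-2"},
        "page-2": {"Parameters": [{"Name": "/do/k8s/wordpress/production",
                                   "Type": "SecureString", "Value": SAMPLE_MANIFEST}]},
    }

    def get_parameters_by_path(self, Path, WithDecryption=False, NextToken=None):
        return self._PAGES[NextToken]
```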
Top comments (1)
Thanks for the article. Just keep in mind that get-parameters-by-path can return a maximum of 10 items. If there are more than 10 secrets, NextToken should be used to fetch iteratively. The details are at docs.aws.amazon.com/systems-manage... and docs.aws.amazon.com/cli/latest/use...