Labby for LabEx

Kubernetes Secrets | Secure Data Management

Introduction

In this lab, you will learn how to use Kubernetes Secrets to securely manage sensitive information such as passwords, API keys, and other confidential data. You will create a secret, use it in your application, and verify that the application is properly configured. Each step builds upon the previous one, so make sure you follow along carefully.

Create A Secret

In this step, you will create a Kubernetes Secret that contains a database password.

Create a file named my-secret.yaml with the following contents:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  password: dXNlcm5hbWU6cGFzc3dvcmQ=

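In this file, we specify the name of the Secret (my-secret), its type (Opaque, meaning arbitrary user-defined data), and the data itself as a Base64-encoded value. Base64 is an encoding, not encryption: the value above decodes to username:password, so the manifest file needs the same protection as the plaintext.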

Apply the Secret to your cluster by running the following command:

kubectl apply -f my-secret.yaml

Verify that the Secret was created by running the following command:

kubectl get secrets

You should see the my-secret Secret listed.
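
The following script is an added example, not part of the original lab: it decodes each entry in the data: block of a Secret manifest and flags two common encoding mistakes (a value produced with echo, which carries a trailing newline, and plaintext pasted where Base64 is expected). The function names and the two extra sample keys are constructed for illustration, and it assumes a base64 command that accepts -d.

```sh
#!/bin/sh
# Added example: audit the data: block of a flat Secret manifest.
# Function names and the two extra sample keys are constructed.

# Encode with printf: `echo value | base64` would also encode a newline.
encode_value() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Base64 is reversible by anyone who can read the manifest.
decode_value() { printf '%s' "$1" | base64 -d 2>/dev/null; }

# Valid only if decoding and re-encoding reproduces the input exactly.
is_valid_b64() { [ "$(decode_value "$1" | base64 | tr -d '\n')" = "$1" ]; }

# Constructed sample: the lab's value plus two common mistakes.
sample_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  password: dXNlcm5hbWU6cGFzc3dvcmQ=
  from-echo: aHVudGVyMgo=
  pasted-plaintext: not_base64!
EOF
}

# Reads a manifest on stdin and prints "<key>: <verdict>" per data entry.
audit_manifest() {
  awk '
    /^data:[ \t]*$/    { in_data = 1; next }
    /^[^ \t#]/         { in_data = 0 }
    in_data && NF == 2 { sub(/:$/, "", $1); print $1, $2 }
  ' | while read -r key b64; do
    # Command substitution strips newlines, so inspect the last byte as hex.
    last=$(decode_value "$b64" | tail -c 1 | od -An -tx1 | tr -d ' \n')
    if ! is_valid_b64 "$b64"; then
      echo "$key: INVALID-BASE64"
    elif [ "$last" = "0a" ]; then
      echo "$key: TRAILING-NEWLINE"
    else
      echo "$key: OK"
    fi
  done
}

sample_manifest | audit_manifest
```

To check the lab's own file, run audit_manifest < my-secret.yaml before kubectl apply.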

Use The Secret In Your Application

In this step, you will modify your application to use the my-secret Secret to retrieve the database password.

Create a file named my-app.yaml with the following contents:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-app
          image: nginx:latest
          env:
            - name: DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: my-secret
                  key: password

In this file, we specify the name of the Deployment (my-app), the image to use (nginx:latest), and the environment variable to set (DATABASE_PASSWORD). We also use a secretKeyRef to retrieve the password key from the my-secret Secret.

Apply the Deployment to your cluster by running the following command:

kubectl apply -f my-app.yaml

Verify that the Deployment was created by running the following command:

kubectl get deployments

You should see the my-app Deployment listed.

Verify The Configuration

In this step, you will verify that your application is properly configured with the database password from the my-secret Secret.

Find the name of the pod running your application by running the following command:

kubectl get pods -l app=my-app

You should see a single pod running your application. Note the name of the pod.

Next, run the following command to open a shell session in the container running your application:

kubectl exec -it <pod-name> -- sh

Replace <pod-name> with the name of the pod that you noted earlier.

Once you are in the shell session, run the following command to print the value of the DATABASE_PASSWORD environment variable:

echo "$DATABASE_PASSWORD"

You should see the database password that was retrieved from the my-secret Secret.

Mount The Secret As A Volume In A Pod

Now that we have created the secret, we can mount it as a volume in a pod. We will create a simple pod that mounts the Secret at /etc/secret-volume, where each key of the Secret appears as a file; the next step reads the value from that file.

Create a file named pod.yaml with the following contents:

apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
spec:
  containers:
    - name: secret-container
      image: nginx
      volumeMounts:
        - name: secret-volume
          mountPath: /etc/secret-volume
  volumes:
    - name: secret-volume
      secret:
        secretName: my-secret

Apply the pod configuration:

kubectl apply -f pod.yaml

Verify The Secret As A Volume In A Pod

In this step, you will verify that the pod can read the database password from the my-secret Secret through the mounted volume.

First, run the following command to open a shell session in the container running your application:

kubectl exec -it secret-pod -- sh

Once you are in the shell session, run the following command to print the value:

cat /etc/secret-volume/password

The output should be the value of the secret.
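
Both verification steps above print the password to the terminal. The following script is an added example, not part of the original lab: it checks the environment-variable path and the volume path by comparing SHA-256 digests against the stored Secret, so the value itself is never displayed. The KUBECTL override, fake_kubectl stand-in and function names are assumptions made so the check can run offline, and it assumes sha256sum and base64 are available locally.

```sh
#!/bin/sh
# Added example: compare SHA-256 digests so the secret never hits the terminal.
# KUBECTL and fake_kubectl are assumptions that let the check run offline;
# run with KUBECTL=kubectl against the lab cluster.
KUBECTL=${KUBECTL:-fake_kubectl}

digest() { sha256sum | cut -d' ' -f1; }

# Decoded value as stored by the API server; fails if it cannot be read.
stored_digest() {
  b64=$($KUBECTL get secret my-secret -o jsonpath='{.data.password}') || return 1
  [ -n "$b64" ] || return 1
  printf '%s' "$b64" | base64 -d | digest
}

# Value injected through secretKeyRef; printf avoids printenv's added newline.
env_digest() {
  $KUBECTL exec deploy/my-app -- sh -c 'printf %s "$DATABASE_PASSWORD"' | digest
}

# Value projected into the volume mounted at /etc/secret-volume.
volume_digest() {
  $KUBECTL exec secret-pod -- cat /etc/secret-volume/password | digest
}

# Prints one verdict per delivery path; returns 0 only if both match.
verify_secret_wiring() {
  want=$(stored_digest) || { echo "secret: unreadable"; return 2; }
  rc=0
  for src in env volume; do
    if [ "$("${src}_digest")" = "$want" ]; then
      echo "$src: match"
    else
      echo "$src: MISMATCH"
      rc=1
    fi
  done
  return $rc
}

# Constructed stand-in for kubectl that returns the lab's values.
fake_kubectl() {
  case "$1 $2" in
    "get secret") printf '%s' 'dXNlcm5hbWU6cGFzc3dvcmQ=' ;;
    exec*)        printf '%s' 'username:password' ;;
  esac
}

verify_secret_wiring
```

A MISMATCH on the env line after the Secret has been changed means the running container still holds the value it was started with; environment variables are set once at container start.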

Summary

In this lab, we learned how to use Kubernetes secrets to store sensitive information and how to use them in a pod. Secrets provide a secure way to manage sensitive information and should be used whenever possible to avoid exposing secrets in plaintext.
