#055 Kubernetes - Secretes

Secretes

ATCD is the database where master save data about nodes , so the secret will be created in ATCD encrypted , and he didn't put it in any Node until a pod need to use it. There is a resource to read it and it is a must to read before continue this article this is the link to the design of secretes read it and came back -> here

Files

the files also can be found in the DevOpsRepo in my github , if you already have it just pull it.

#app_055-cf.yml
apiVersion: v1
kind: ConfigMap
metadata:
        name: configs
data:
        LANGUAGE: Polish

#app_055-sec.yml
apiVersion: v1
kind: Secret 
metadata:
        name: configs-sec
data:
        API_KEY: MzMzLTQ0NC01NTUK 

#app_055.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: envtest
spec:
  selector:
    matchLabels:
      name: envtest
  replicas: 1
  template:
    metadata:
      labels:
        name: envtest
    spec:
      containers:
      - name: envtest
        image: praqma/secrets-demo
        imagePullPolicy: Always
        ports:
        - containerPort: 3000
        env:
        - name: LANGUAGE
          valueFrom:
            configMapKeyRef:
              name: configs
              key: LANGUAGE
        - name: API_KEY
          valueFrom:
            secretKeyRef:
              name: configs-sec
              key: API_KEY

Lab

Will the ApiKey is a secret in fact , so we should put it in secret configs.
to convert our keys to an encryption we use this command on Linux

echo "333-444-555" | base64
//output : MzMzLTQ0NC01NTUK

kubectl create -f app_055-sec.yml 
kubectl create -f app_055-cf.yml 
kubectl apply -f app_055.yml 

then port-forward to 3000

kubectl port-forward envtest-767745d7b4-s6ld7 3000

Comments

[csgeek]

The main issue i have with secrets right now, is that in order to save my k8 deployment I'd have to check the secrets into version control with the rest of my yaml files that describe my cluster. Even if they're base64 encoded, that's not really encrypted, obfuscated at best and you can always decode it with base64 -d

Thanks for the tutorial otherwise. :)

[Omar]

you can git ignore it and push a template for it only.

[csgeek]

Sure, but the secrets database has to live somewhere besides your local laptop. Especially if you're doing hundreds of services with a variety of API keys and password for various dev/qa/production environments.

[Omar]

I don't know how if kuberenetes have a way to do it.
Do you have a solution for it using kubernetes?