Tuesday, 4 August 2020

Kubernetes: Secrets

Secrets are a special type of volume used to store sensitive application information such as passwords and authentication tokens.

Are the secrets encrypted?

No, Secrets are not encrypted. Their values are only encoded with the Base64 encoding scheme, so anyone who can read the Secret object can recover the plaintext.

 

Secret types

a. docker-registry: Used to store credentials for connecting to a Docker registry.

b. TLS: Creates a TLS secret (certificate and key).

c. generic: Creates a secret from a local file, a directory or literal values.

 

How to create secrets?

Creating a secret is very similar to creating a ConfigMap.

You can create a secret from a file or from literal values.

Let’s create a file named 'token' with the content below.

token

AAAAASSSSSSSAsw1111112222343fsafklsjfkdjkhsjhajhvaua!!!QWER

Let’s create a secret of type ‘generic’ named ‘user-service-secret’ by executing the command below.

 

$kubectl create secret generic user-service-secret --from-file=authToken=./token --from-literal=password=pasd5432s123
secret/user-service-secret created

Let’s list the secrets by executing the command below.

$kubectl get secrets
NAME                  TYPE                                  DATA   AGE
default-token-w7rp7   kubernetes.io/service-account-token   3      33d
user-service-secret   Opaque                                2      101s

As you can see in the output, a secret named ‘user-service-secret’ of type Opaque has been created.

Using the ‘-o yaml’ option, you can see the content of the secret (in base64-encoded form).

$kubectl get secret user-service-secret -o yaml
apiVersion: v1
data:
  authToken: QUFBQUFTU1NTU1NTQXN3MTExMTExMjIyMjM0M2ZzYWZrbHNqZmtkamtoc2poYWpodmF1YSEhIVFXRVIK
  password: cGFzZDU0MzJzMTIz
kind: Secret
metadata:
  creationTimestamp: "2020-06-08T15:17:59Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:authToken: {}
        f:password: {}
      f:type: {}
    manager: kubectl
    operation: Update
    time: "2020-06-08T15:17:59Z"
  name: user-service-secret
  namespace: default
  resourceVersion: "337591"
  selfLink: /api/v1/namespaces/default/secrets/user-service-secret
  uid: 23110053-dd1c-4798-a7e8-987f226b5b0c
type: Opaque

You can decode an encoded value with the base64 command (the session below is from macOS, where the decode flag is ‘-D’).

$echo cGFzZDU0MzJzMTIz | base64 -D
pasd5432s123

How to read secrets?

A Pod can read secrets in two ways.

a.   As environment variables.

b.   Mounted as volumes.

The Pod definition below mounts the secret as a volume at /etc/secrets.

secretsDemo.yml

apiVersion: v1
kind: Pod
metadata:
  name: secrets-demo-pod1
  labels:
    app: user-service
    author: krishna
    serviceType: desktop
spec:
  containers:
    - name: user-service
      image: jboss/wildfly
      volumeMounts:
      - mountPath: /etc/secrets
        name: service-secrets

  volumes:
  - name: service-secrets
    secret:
      secretName: user-service-secret

$kubectl create -f secretsDemo.yml 
pod/secrets-demo-pod1 created

Let’s log in to the container and check whether the secrets are mounted.
$kubectl exec -it secrets-demo-pod1 -c user-service -- /bin/bash
[jboss@secrets-demo-pod1 ~]$ 
[jboss@secrets-demo-pod1 ~]$ ls /etc/secrets/
authToken  password

As you can see in the output, each key of the secret is mounted as a file, and the file content is the decoded value.

[jboss@secrets-demo-pod1 ~]$ cat /etc/secrets/authToken 
AAAAASSSSSSSAsw1111112222343fsafklsjfkdjkhsjhajhvaua!!!QWER
[jboss@secrets-demo-pod1 ~]$ 
[jboss@secrets-demo-pod1 ~]$ cat /etc/secrets/password  
pasd5432s123

Reading secrets as environment variables

You can also read secrets as environment variables. The Pod below imports every key of the secret with envFrom and prints its environment.

secretsDemo2.yml

apiVersion: v1
kind: Pod
metadata:
  name: secrets-demo-pod2
  labels:
    app: user-service
    author: krishna
    serviceType: desktop
spec:
  containers:
    - name: user-service
      image: busybox
      command: ["/bin/sh", "-c", "env"]
      envFrom:
        - secretRef:
            name: user-service-secret

Create a Pod using the above definition file.

$kubectl create -f secretsDemo2.yml 
pod/secrets-demo-pod2 created

Check the logs to confirm that the secret keys are available as environment variables (the blank line after authToken is the trailing newline from the 'token' file, which became part of the value).

$kubectl logs secrets-demo-pod2
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
authToken=AAAAASSSSSSSAsw1111112222343fsafklsjfkdjkhsjhajhvaua!!!QWER

HOSTNAME=secrets-demo-pod2
SHLVL=1
HOME=/root
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
password=pasd5432s123
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_HOST=10.96.0.1
PWD=/
$

Note

a.   If you create a secret from a YAML definition file, you must base64-encode the values yourself before putting them in the file. Kubernetes does not encode the values for you when a secret is created from a YAML definition file.
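The manual encoding step from the note above, and the decoding shown earlier with the base64 command, as an added example that is not part of the original post: a small POSIX shell script that builds a Secret manifest with hand-encoded data values and reads a field back out of it. The helper names (b64enc, b64dec, secret_manifest, read_field) are hypothetical; the secret and key names follow the post.

```shell
#!/bin/sh
# Added example, not from the original post: build a Secret manifest by
# base64-encoding the values by hand (as the Note above requires) and
# decode a field back out of it. Helper names are hypothetical; the
# secret/key names follow the post.

# Encode one value. printf, not echo, so no trailing "\n" is encoded:
# the 'token' file in the post had one, which is why authToken produced
# a blank line in the pod's env output.
b64enc() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode one value (GNU and busybox base64 use -d; older macOS used -D).
b64dec() {
    printf '%s' "$1" | base64 -d
}

# Emit a manifest equivalent to the post's 'kubectl create secret generic'.
# Usage: secret_manifest NAME KEY=VALUE [KEY=VALUE ...]
secret_manifest() {
    name=$1; shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for kv in "$@"; do
        key=${kv%%=*}
        val=${kv#*=}
        printf '  %s: %s\n' "$key" "$(b64enc "$val")"
    done
}

# Read one data field back as plaintext: what anyone allowed to
# 'get secrets' can do, since base64 is an encoding, not encryption.
# Usage: read_field MANIFEST KEY
read_field() {
    enc=$(printf '%s\n' "$1" | sed -n "s/^  $2: //p")
    b64dec "$enc"
}

manifest=$(secret_manifest user-service-secret password=pasd5432s123)
printf '%s\n' "$manifest"
read_field "$manifest" password   # prints pasd5432s123
echo
```

Kubernetes also accepts a stringData map of plain values that the API server encodes on write, which avoids the manual step; on read you always get the encoded data map shown here.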
