# Kubernetes - Secret
###### tags: `Kubernetes`
## Foreword
> When you wnat to store some sensitive data in your Kubernetes cluster, you will need the "Secret" to help you.
> Secret usually store some sensitive data such as account of database, Access Token or SSH Key etc.
>
## Secret
### Definition
> Kubernetes Secrets let you store and manage sensitive information, such as passwords, OAuth tokens, and ssh keys. Storing confidential information in a Secret is safer and more flexible than putting it verbatim in a Pod definition or in a container image.
>
### Ways to use Secrets
* As files in a volume mounted on one or more of its containers.
* As container environment variable.
* By the kubelet when pulling images for the Pod.
## Practice
### Create Secret
> We have three ways to import the sesitive data to Secert.
>
* From file
* By command
* Use Yaml file
#### From file
> We can save our data in the txt file. Then, we can use `kubrctl create` to create the Secret.
>
> We can save Account and Password to username.txt and password.txt.
>
```linux
$ echo -n "root" > ./username.txt
$ echo -n "password" > ./password.txt
```
> Then, we can use `kubectl create secret generic demo-seccret-file` to create Secret.
>
Message
```
$ kubectl create secret generic demo-seccret-file \
> --from-file=./username.txt \
> --from-file=./password.txt
secret/demo-seccret-file created
```
> Use `kubectl describe` to see `demo-seccret-file`.
>
> We can also use `kubectl get Secret` to see the Secret.
>
#### By Command
> We can use `kubectl create` and with `--from-literal` to create Secret.
>
```
$ kubectl create secret generic demo-secret-literal \
> --from-literal=username=root \
> --from-literal=password=password
secret "demo-secret-literal" created
```
> Use `kubectl describe secret demo-secret-literal` to see the Secret.
>
#### Use Yaml file
> When we use the Yaml to create Secret, we need to use base64 to encode password.
>
```linux
$ echo -n "root" | base64
cm9vdA==
$ echo -n "password" | base64
cGFzc3dvcmQ=
```
> Write the yaml file.
````yaml=1
apiVersion: v1
kind: Secret
metadata:
name: demo-secret-yaml
type: Opaque
data:
username: cm9vdA==
password: cGFzc3dvcmQ=
````
> Use `kubectl create` to create Secret.
>
````
$ kubectl create -f ./demo-secret.yaml
secret "demo-secret-yaml" created
````
### Use Secret
#### Volume mounted
> To consume a Secret in a volume, we need to add the volume in yaml file.
>
````yaml=1
apiVersion: v1
kind: Pod
metadata:
name: vm-pod
labels:
app: webserver
spec:
containers:
- name: demo-pod
image: nginx
ports:
- containerPort: 3000
volumeMounts:
- name: secret-volume
mountPath: /etc/creds
readOnly: true
volumes:
- name: secret-volume
secret:
secretName: demo-secret-yaml
defaultMode: 0400
````
> In this yaml file. We can set the Secret permission. Then, the secret will be mounted on /etc/creds and all the files created by the secret volume mount will have permission 0400.
>
> Or you can also use mapping, as in the previous example, and specify different permissions for different files.
>
```yaml=1
apiVersion: v1
kind: Pod
metadata:
name: vm-pod
spec:
containers:
- name: mypod
image: nginx
volumeMounts:
- name: secret-volume
mountPath: "/etc/creds"
volumes:
- name: secret-volume
secret:
secretName: demo-secret-yaml
items:
- key: username
path: my-group/my-username
mode: 511
```
> In this case, the file resulting in `/etc/creds/my-group/my-username` will have permission value of 0777. If you use JSON, owing to JSON limitations, you must specify the mode in decimal notation, 511.
>
> Then use `kubectl apply -f ./demo-pod` to create a Pod.
>
> And we can use `kubectl exec` into the container to find our data in `/etc/creds`.
>
`kubectl exec -it demo-pod-mounting-secret -- bash`
> We can find our data in Pod.
>
#### Environment Variables
> Secrets can be exposed as environment variables to be used by a container in a Pod.
>
Example yaml file
```yaml=1
apiVersion: v1
kind: Pod
metadata:
name: ev-pod
labels:
app: webserver
spec:
containers:
- name: demo-pod
image: nginx
ports:
- containerPort: 3000
env:
- name: SECRET_USERNAME
valueFrom:
secretKeyRef:
name: demo-secret-yaml
key: username
- name: SECRET_PASSWORD
valueFrom:
secretKeyRef:
name: demo-secret-yaml
key: password
```
> Use `kubectl apply -f ./ev-pod.yml` to create Pod.
>
> We can see the environment varibles in the container.
> Then, use `kubectl exec` enter the contaioner.
>
`kubectl exec -it ev-pod -- bash`
## Reference
> https://kubernetes.io/docs/concepts/configuration/secret/
>
> https://ithelp.ithome.com.tw/articles/10195094
>
Sign in with Wallet
Connect another wallet