Secrets Use Case:

Assume we are planning to deploy a MySQL Pod in the Kubernetes cluster. MySQL requires much sensitive information such as host IP address, database name, username, and password. We can create a Pod for MySQL using the mentioned information as a Kubernetes Deployment definition file. In this scenario, the configuration information such as username, password, database name is tightly coupled with the Pod definition. And they are easily visible to all developers who had access to the Pod definition file.

In this approach, we are facing two problems.

1. The sensitive information is tightly coupled with Pod and we can not re-use them( means each time we have to type the credentials separately). And updating the credentials is also a tedious task. Why because we need to change the information in each definition file. This approach is not a centralised one.

2. And the sensitive information is visible to all developers who had access to the Pod definition file.

The above-mentioned problems can be easily solved using the Secrets. The Secrets can be re-used and distributed in the Kubernetes cluster.

While using Secrets in the Kubernetes cluster, we will do two activities.

1. Create Secret.

2. Inject the Secret into Pod.

In this tutorial, we will see the following topics.

1. Get a Secret list

2. Create Secret using Imperative way.

3. Create Secret using a Declarative way.

4. Create Secret for MySQL database.

5. Inject Secrets to MySQL Pod.

Get Secrets list:

Use the following command to get the list of secrets present in the current Kubernetes namespace.

1kubectl get secrets

Use the describe command to know more about the Secrets in the Kubernetes cluster. This command will list all the secrets.

1kubectl describe secrets

If you want to know the particular secret then use the following command.

1kubectl get secret secret_name -o yaml
2#Example
3kubectl get secret mysql-secrets -o yaml

The above command displays the full yaml file definition used for creating the Secret in Kubernetes.

Create Secret using Imperative way:

We can create the secrets using the kubectl create secret command. The syntax for creating the secret using the imperative method is given below.

1kubectl create secret generic secret-name --from-literal=key=value

Create a username secret using the following command.

1kubectl create secret generic demo-secret --from-literal=username=raja

If you want to use multiple key-value pairs then use — from-literal option.

1kubectl create secret generic demo-secret --from-literal=username=raja \
2 --from-literal=pasword=raja1234

In the imperative method, we have not encoded the data(username and password). However, if you look at the YAML file, the data will be shown as base64 encoded format

1kubectl get secret demo-secret -o yaml

Create Secret using Declarative way:

The syntax for creating the Secrets using the Declarative method is given below.

1apiVersion: v1
2kind: Secret
3metadata:
4   name: secret-name
5data:
6   key1: encoded_value1
7   key2: encoded_value2

Encode the data using the following commands on Mac/Linux. Or use any online tool to convert data to base64.

1echo -n 'your_data' | base64
2#Example
3echo -n 'raja' | base64

注意:这里的-n不能去掉,不然生成的secret内容里会有换行符,这样在程序调用时,会发现密码一直不对。

Create a file and name it as demo-secrets.yaml. And paste the below code in the file.

1apiVersion: v1
2kind: Secret
3metadata:
4   name: demo-secret2
5data:
6   username: cmFqYQ==
7   password: cmFqYTEyMzQ=

1. The data section is used to define the key-value pair.

2. By default the type is Opaque. It means key-value pair secret.

Execute the file using the following command.

1kubectl apply -f demo-secrets.yaml

Now the secret is created. Get the secrets list using the kubectl command.

1kubectl get secrets

Create Secret for MySQL database:

For the demonstration purpose, I am going to create a Pod for the MySQL database. For MySQL, we had two sensitive information such as username and password. So we are going to encode the username and password using the base64 method. However, base64 is not a secure way to store sensitive information. It is an introduction article. So I planned to give a basic idea about Secrets in the Kubernetes cluster. In the future, we will see how to handle sensitive information in a better way using HashiCorp Vault.

We can encode the data to base64 using the Linux command-line tool. The command works both in Mac and Linux. Use the following command to create a base64 value.

1echo -n 'sensitive_data' | base64

Change the sensitive_data placeholder with your username and password.

Decode the base64 data using the following command. Please remember, the base64 is not a secure one. Use the same command for encoding and finally add — decode option.

1echo -n ‘cmFqYQ==’ | base64 --decode

Use the following YAML file to create a Secret. This secret contains the username and password for MySQL in a base64 encoded format.

1apiVersion: v1
2kind: Secret
3metadata:
4   name: mysql-secret
5data:
6   username: cmFqYQ==
7   password: cmFqYTEyMzQ=

Save the above code as mysql-secrets.yaml. And execute the file using the following command.

1kubectl apply -f mysql-secret.yaml

Now the secret is created. Next, we will inject this secret into MySQL Pod.

Inject Secrets to MySQL Pod:

The Pod definition code for MySQL is given below.

 1apiVersion: apps/v1
 2kind: Deployment
 3metadata:
 4  name: mysql
 5spec:
 6  selector:
 7    matchLabels:
 8      app: mysql
 9
10  template:
11    metadata:
12      labels:
13        app: mysql
14    spec:
15      containers:
16      - image: mysql:5.6
17        name: mysql
18        env:
19        - name: MYSQL_ROOT_PASSWORD
20          value: password
21        ports:
22        - containerPort: 3306

Here we need to change the environment variable using the secrets. The below code contains how to use the secret value for username.

1env:
2- name: MYSQL_ROOT_PASSWORD
3  valueFrom:
4     secretKeyRef:
5        name: mysql-secret
6        key: password

1. Instead of value, you must use valueFrom.

2. In the valueFrom, Just mention the secret name and key name using the secretKeyRef.

Full code of MySQL Pod and Secrets injected given below.

Summary:

A Secret is a Kubernetes object and used to store sensitive information in an encoded format. The Secrets are distributed. We can re-use them in many Pod definition files. Here we have seen various ways to create the Secrets. You can use any method. However, the declarative approach is very good for handling multiple values. Don’t bind the values directly in the Pod definition file. Instead, use secrets and inject the secret value in the Pod. I hope this tutorial will help you to use the Secrets in the Kubernetes cluster.