Omar

#055 Kubernetes - Secrets

Secrets

etcd is the database where the master saves data about the nodes, so the secret is created in etcd encrypted, and it is not placed on any node until a pod needs to use it. There is a resource you must read before continuing with this article: the design document for secrets. Read it and come back -> here

Files

The files can also be found in the DevOpsRepo on my GitHub; if you already have it, just pull it.

#app_055-cf.yml
apiVersion: v1
kind: ConfigMap
metadata:
  name: configs
data:
  LANGUAGE: Polish

#app_055-sec.yml
apiVersion: v1
kind: Secret
metadata:
  name: configs-sec
data:
  API_KEY: MzMzLTQ0NC01NTUK

#app_055.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: envtest
spec:
  selector:
    matchLabels:
      name: envtest
  replicas: 1
  template:
    metadata:
      labels:
        name: envtest
    spec:
      containers:
      - name: envtest
        image: praqma/secrets-demo
        imagePullPolicy: Always
        ports:
        - containerPort: 3000
        env:
        - name: LANGUAGE
          valueFrom:
            configMapKeyRef:
              name: configs
              key: LANGUAGE
        - name: API_KEY
          valueFrom:
            secretKeyRef:
              name: configs-sec
              key: API_KEY

Lab

Well, the API key is in fact a secret, so we should put it in the secret config.
To convert our key to the base64-encoded form used in the Secret manifest, we use this command on Linux:

echo "333-444-555" | base64
# output: MzMzLTQ0NC01NTUK

create

kubectl create -f app_055-sec.yml
kubectl create -f app_055-cf.yml
kubectl apply -f app_055.yml

then port-forward to 3000

kubectl port-forward envtest-767745d7b4-s6ld7 3000 

working
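
An added example (not from the original post or its repository): a Python check that decodes the `data:` values of the Secret manifest above, showing that base64 is reversible by anyone who can read the file, and flags the trailing newline that `echo` without `-n` bakes into the encoded value. The `API_KEY_FIXED` key and the function names are assumptions made for illustration.

```python
import base64
import binascii

# Constructed input: the Secret manifest from this page plus one hypothetical
# key (API_KEY_FIXED) holding the same value encoded without a newline.
MANIFEST = """\
apiVersion: v1
kind: Secret
metadata:
  name: configs-sec
data:
  API_KEY: MzMzLTQ0NC01NTUK
  API_KEY_FIXED: MzMzLTQ0NC01NTU=
"""

def secret_data(manifest: str) -> dict:
    """Minimal reader for the flat `data:` map of one Secret (not a YAML parser)."""
    data, in_data = {}, False
    for line in manifest.splitlines():
        if line and not line[0].isspace():   # a top-level key opens or closes the block
            in_data = line.strip() == "data:"
        elif in_data and ":" in line and not line.lstrip().startswith("#"):
            key, _, value = line.strip().partition(":")
            data[key] = value.strip().strip("'\"")
    return data

def audit(manifest: str) -> dict:
    """Decode each value as any reader of the file can; flag stray whitespace."""
    report = {}
    for key, encoded in secret_data(manifest).items():
        try:
            raw = base64.b64decode(encoded, validate=True)
        except (binascii.Error, ValueError):
            report[key] = (None, ["not valid base64"])
            continue
        issues = []
        if raw.endswith(b"\n"):
            issues.append("trailing newline, e.g. from echo without -n")
        elif raw != raw.strip():
            issues.append("leading or trailing whitespace")
        report[key] = (raw.decode("utf-8", "replace"), issues)
    return report

def encode(value: str) -> str:
    """Encode exactly the bytes of value, like `printf '%s' value | base64`."""
    return base64.b64encode(value.encode()).decode("ascii")

if __name__ == "__main__":
    for name, (plain, issues) in audit(MANIFEST).items():
        print(name, repr(plain), issues or "ok")
```

The pod receives the decoded bytes as the environment variable, so the value from the manifest above arrives as `333-444-555` followed by a newline.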

Top comments (4)

csgeek

The main issue I have with secrets right now is that in order to save my k8 deployment I'd have to check the secrets into version control with the rest of my yaml files that describe my cluster. Even if they're base64 encoded, that's not really encrypted, obfuscated at best, and you can always decode it with base64 -d.

Thanks for the tutorial otherwise. :)

Omar

You can git ignore it and push a template for it only.

csgeek

Sure, but the secrets database has to live somewhere besides your local laptop. Especially if you're doing hundreds of services with a variety of API keys and passwords for various dev/qa/production environments.

Omar

I don't know if Kubernetes has a way to do it.
Do you have a solution for it using Kubernetes?