Secrets

Kubernetes Secret objects let you store and manage sensitive information, such as passwords, OAuth tokens, and SSH keys. Putting this information in a Secret is safer and more flexible than putting it verbatim in a Pod definition or in a container image.

A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in an image; putting it in a Secret object allows for more control over how it is used, and reduces the risk of accidental exposure.

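# Secret with one base64-encoded value (data) and one plain-text value (stringData)
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=      # base64 of "admin"; an encoding, not encryption
stringData:
  admin: administrator    # plain text; the API server base64-encodes it into data
---
# Secret holding a whole configuration file under a single key
apiVersion: v1
kind: Secret
metadata:
  name: mysecret-config
type: Opaque
stringData:
  config.yaml: |-
    apiUrl: "https://my.api.com/api/v1"
    username: token
    password: thesecrettoken
---
# Pod consuming both Secrets as environment variables and as a mounted volume
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
    - name: my-app
      image: bitnami/nginx
      ports:
        - containerPort: 8080
      env:
        # a single key exposed under a chosen variable name
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
      envFrom:
        # every key of mysecret becomes an environment variable
        - secretRef:
            name: mysecret
      volumeMounts:
        # each key of mysecret-config appears as a file under /etc/secrets
        - name: config
          mountPath: "/etc/secrets"
  volumes:
    - name: config
      secret:
        secretName: mysecret-config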
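
The manifests above, traced through in Python as an added example (not part of the original page): it shows how `stringData` is folded into base64-encoded `data`, that decoding needs no key, and which environment variables and files the `my-pod` container receives. The function names are hypothetical, the dicts are a hand transcription of the page's YAML, and every `env` entry is assumed to use `secretKeyRef`.

```python
import base64

# The page's two Secrets and the Pod's container, transcribed as dicts for this example.
SECRETS = {
    "mysecret": {"data": {"username": "YWRtaW4="},
                 "stringData": {"admin": "administrator"}},
    "mysecret-config": {"stringData": {"config.yaml":
        'apiUrl: "https://my.api.com/api/v1"\nusername: token\npassword: thesecrettoken'}},
}
CONTAINER = {
    "env": [{"name": "SECRET_USERNAME",
             "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}}],
    "envFrom": [{"secretRef": {"name": "mysecret"}}],
    "volumeMounts": [{"name": "config", "mountPath": "/etc/secrets"}],
}
VOLUMES = [{"name": "config", "secret": {"secretName": "mysecret-config"}}]


def stored_data(secret):
    """Return 'data' as stored: stringData is base64-encoded and wins over data."""
    merged = dict(secret.get("data", {}))
    for key, value in secret.get("stringData", {}).items():
        merged[key] = base64.b64encode(value.encode()).decode()
    return merged


def decoded(secret):
    """Decode every stored value; base64 is an encoding, so no key is required."""
    return {k: base64.b64decode(v).decode() for k, v in stored_data(secret).items()}


def container_view(container, volumes, secrets):
    """Return (env, files) the container receives; assumes env uses secretKeyRef."""
    env = {}
    for src in container.get("envFrom", []):         # every key becomes a variable
        env.update(decoded(secrets[src["secretRef"]["name"]]))
    for var in container.get("env", []):             # explicit env entries win over envFrom
        ref = var["valueFrom"]["secretKeyRef"]
        env[var["name"]] = decoded(secrets[ref["name"]])[ref["key"]]
    by_name = {v["name"]: v["secret"]["secretName"] for v in volumes}
    files = {}
    for mount in container.get("volumeMounts", []):  # one file per key under mountPath
        for key, value in decoded(secrets[by_name[mount["name"]]]).items():
            files[f'{mount["mountPath"]}/{key}'] = value
    return env, files


if __name__ == "__main__":
    print(container_view(CONTAINER, VOLUMES, SECRETS))
```

Because `envFrom` exports every key, the container receives `username` and `admin` as variables alongside `SECRET_USERNAME`, while the API token only appears in the file `/etc/secrets/config.yaml`.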

Create the files needed for the rest of the example

echo -n 'admin' > ./username.txt
echo -n '1f2d1e2e67df' > ./password.txt

Creating Secret from files

oc create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt

Getting Secret

oc get secrets

Gets the Secret's Description

oc describe secrets/db-user-pass

Create the files needed for the rest of the example (the same steps with kubectl)

echo -n 'admin' > ./username.txt
echo -n '1f2d1e2e67df' > ./password.txt

Creates the Secret from the files

kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt

Gets the Secret

kubectl get secrets

Gets the Secret's Description

kubectl describe secrets/db-user-pass