Adding a secret to an application
The aim of this guide is to walkthrough the process of adding a secret (in this example, AWS credentials) to a previously deployed application in the Cloud Platform.
This article walks you through the process of creating a secret manually. In practice, many of the secrets you will use in your applications are created automatically (e.g. database credentials).
Pre-requisites
This guide assumes the following:
- You have created a namespace. See Creating a Cloud Platform Environment
- You have deployed your application. See Deploying an application to the Cloud-Platform
- Your application is running. See Interacting with the application
Configuring secrets
This article covers encoding values into kubernetes secret objects.
See kuberenetes using secrets as environment variables for detailed information on providing values from kubernetes secrets to pods.
Create your AWS Credentials access key (making a note of the aws_access_key_id and aws_secret_access_key)
Base64-encode your secret
In this example aws_access_key_id is ‘AKIAFTKSAW15HJLOGD’. Issue the following command to base64-encode:
echo -n 'AKIAFTKSAW15HJLOGD' | base64
This will return the encoded id ‘QUtJQUZUS1NBVzE1SEpMT0dE’
In this example the aws_secret_access_key is ‘G8HJPMHVGFHK4547GFDSHHJJ’. Issue the following command to base64-encode:
echo -n 'G8HJPMHVGFHK4547GFDSHHJJ' | base64
This will return the encoded secret ‘RzhISlBNSFZHRkhLNDU0N0dGRFNISEpK’
Creating the secret
Create a secrets.yaml file similar to:
apiVersion: v1
kind: Secret
metadata:
name: demosecret
type: Opaque
data:
aws_access_key_id: QUtJQUZUS1NBVzE1SEpMT0dE
aws_secret_access_key: RzhISlBNSFZHRkhLNDU0N0dGRFNISEpK
issue the following command:
$ kubectl -n yournamespace apply -f secrets.yaml
secret "demosecret" created
Listing the secrets in a namespace
$ kubectl -n yournamespace get secrets
NAME TYPE DATA AGE
default-token-hz7z7 kubernetes.io/service-account-token 3 26d
demosecret Opaque 2 5d
Updating the secret
You can update an existing secrets file by creating a secrets.yaml file, updating secret name to point to an existing secret and appending new entries to the file.
Decoding a secret
Secrets can be retrieved via the kubectl get secret command. For example, to retrieve the secret you created:
$ kubectl -n yournamespace get secret demosecret -o yaml
apiVersion: v1
data:
aws_access_key_id: QUtJQUZUS1NBVzE1SEpMT0dE
aws_secret_access_key: RzhISlBNSFZHRkhLNDU0N0dGRFNISEpK
kind: Secret
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","data":{"aws_access_key_id":"QUtJQUZUS1NBVzE1SEpMT0dE","aws_secret_access_key":"RzhISlBNSFZHRkhLNDU0N0dGRFNISEpK"},"kind":"Secret","metadata":{"annotations":{},"name":"demosecret","namespace":"yournamespace"},"type":"Opaque"}
creationTimestamp: "2020-04-28T14:24:27Z"
name: demosecret
namespace: yournamespace
resourceVersion: "239748077"
selfLink: /api/v1/namespaces/dstest/secrets/demosecret
uid: 5bd08c63-5f29-452f-a0ec-4d26404411e6
type: Opaque
In this case, the values will be shown Base64-encoded
You can also use the cloud-platform
CLI tool to view and Base64-decode the secret, like this:
cloud-platform decode-secret -n yournamespace -s demosecret
This will output the secret as JSON, with the values base64-decoded.
Using the secret in your applications
To use a secret you need to tell kubernetes to put its value in an environment variable which your application container can access. You will usually specify this in your application’s deployment.yaml
file.
The following example sets an AWS_ACCESS_KEY_ID
environment variable in the environment of the django-demo-container
.
The value of AWS_ACCESS_KEY_ID
comes from the secret called demosecret
which is a hash with a key called aws_access_key_id
, and the value of that key will become the value of the environment variable AWS_ACCESS_KEY_ID
.
spec:
containers:
- name: django-demo-container
image: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/cloud-platform-reference-app:django
ports:
- containerPort: 8000
env:
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: demosecret
key: aws_access_key_id
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: demosecret
key: aws_secret_access_key
When you reference a secret in this way, kubernetes takes care of the base64-decoding for you - you don’t need to base64-decode the value in your code.