Cheat Sheet: Kubernetes Secrets

Nothing fancy here, just a cheat sheet. I get tired of searching the Kubernetes docs for certain things and really just wanted it in one place…so…yea…this happened.

Environment Variables: Creation

IMPERATIVE

$ kubectl run nginx --image nginx --env=user=mcclane --env=pass=yippeekiyay 

DECLARATIVE

apiVersion: v1
kind: Pod
metadata:
  labels:
  name: nginxenv 
spec:
  containers:
  - image: nginx
    name: nginx
    env: 
    - name: DB_USER
      value: gruber
    - name: DB_PASS
      value: nakatomi

Secrets: Creation

DOCKER-REGISTRY: IMPERATIVE

$ kubectl create secret docker-registry docker-login \
  --docker-server=docker.io \
  --docker-username=gruber \
  --docker-password=iamhansgruber \
  --docker-email=hans.gruber@diehard.com

DOCKER-REGISTRY: DECLARATIVE

apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJkb2NrZXIuaW8iOnsidXNlcm5hbWUiOiJncnViZXIiLCJwYXNzd29yZCI6ImlhbWhhbnNncnViZXIiLCJlbWFpbCI6ImhhbnMuZ3J1YmVyQGRpZWhhcmQuY29tIiwiYXV0aCI6IlozSjFZbVZ5T21saGJXaGhibk5uY25WaVpYST0ifX19
kind: Secret
metadata:
  name: docker-login
  namespace: default
type: kubernetes.io/dockerconfigjson

GENERIC: IMPERATIVE LITERALS

$ kubectl create secret generic my-secret \
  --from-literal=username=gruber \
  --from-literal=password=iamhansgruber

GENERIC: IMPERATIVE FROM FILE

NOTE: When creating a secret from a file, the key is the name of the file. In this case, db-info is the key and its value is the entire contents of the db-info file.

$ kubectl create secret generic db-info --from-file db-info 

GENERIC: IMPERATIVE FROM ENV FILE

This also loads the contents of a file, but unlike --from-file, each line of the file becomes a separate entry in the data field.

$ kubectl create secret generic env-secret --from-env-file db.env

GENERIC: DECLARATIVE

apiVersion: v1
data:
  password: aWFtaGFuc2dydWJlcg==
  username: Z3J1YmVy
kind: Secret
metadata:
  name: my-secret
  namespace: default
type: Opaque
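The data: values in the manifests above are plain base64. As an added example (not part of the original cheat sheet), the following POSIX shell script reproduces offline what kubectl create secret writes for the GENERIC and DOCKER-REGISTRY cases, shows what --from-env-file does line by line, and decodes the values back to plaintext. It uses the page's own sample credentials; the function names and the sample env-file lines are constructed for this example.

```shell
#!/bin/sh
# Added example; not part of the original cheat sheet. Reproduces offline what
# `kubectl create secret` writes into the data: field of the manifests above
# and decodes it again: base64 is an encoding, not encryption, so anyone who
# can `get` the Secret object can read the credentials. Values are the page's
# own sample credentials; function names and the env-file lines are constructed.

# The .dockerconfigjson value from the DOCKER-REGISTRY: DECLARATIVE manifest above.
PAGE_DOCKERCONFIGJSON='eyJhdXRocyI6eyJkb2NrZXIuaW8iOnsidXNlcm5hbWUiOiJncnViZXIiLCJwYXNzd29yZCI6ImlhbWhhbnNncnViZXIiLCJlbWFpbCI6ImhhbnMuZ3J1YmVyQGRpZWhhcmQuY29tIiwiYXV0aCI6IlozSjFZbVZ5T21saGJXaGhibk5uY25WaVpYST0ifX19'

# Encode/decode without a trailing newline (works with GNU and BSD base64).
b64enc() { printf '%s' "$1" | base64 | tr -d '\n'; }
b64dec() { printf '%s' "$1" | base64 -d; }

# Manifest that `--from-literal=key=value ...` produces; compare the data:
# block with GENERIC: DECLARATIVE above.
generic_secret_manifest() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    printf '  %s: %s\n' "${kv%%=*}" "$(b64enc "${kv#*=}")"
  done
}

# What --from-env-file does with the file on stdin: each KEY=VALUE line becomes
# its own data: entry; blank lines and # comments are skipped. (--from-file
# would instead store the whole file under one key named after the file.)
env_file_to_data() {
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    printf '  %s: %s\n' "${line%%=*}" "$(b64enc "${line#*=}")"
  done
}

# The JSON that `kubectl create secret docker-registry` stores (base64-encoded)
# under .dockerconfigjson. Note that "auth" is just base64(username:password),
# so the registry password appears in the manifest twice.
dockerconfig_json() {
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$4" "$(b64enc "$2:$3")"
}

# Recover the registry password from an encoded .dockerconfigjson value.
dockerconfig_password() {
  b64dec "$1" | sed 's/.*"password":"\([^"]*\)".*/\1/'
}

# Decode one data: value. In a cluster the encoded value would come from, e.g.:
#   kubectl get secret my-secret -o jsonpath='{.data.password}'
secret_value() { b64dec "$1"; }

# Demonstration with the page's values.
generic_secret_manifest my-secret username=gruber password=iamhansgruber
printf 'DB_USER=gruber\n# constructed sample db.env\n\nDB_PASS=nakatomi\n' | env_file_to_data
printf 'registry password recovered from the manifest: %s\n' \
  "$(dockerconfig_password "$PAGE_DOCKERCONFIGJSON")"
printf 'decoded password key of my-secret: %s\n' "$(secret_value aWFtaGFuc2dydWJlcg==)"
```

The practical consequence: anyone with get or list on secrets in a namespace (including whoever can read the manifests from your repo or CI logs) has the plaintext, so treat RBAC on secrets as the real control and keep manifests with a data: block out of version control. A manifest may use stringData: with plaintext values instead of hand-encoding, but the API server stores it as data: just the same.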

TLS: IMPERATIVE

$ kubectl create secret tls tls-secret \
  --cert=path/to/cert/file.pem \
  --key=path/to/key/file.key

TLS: DECLARATIVE

apiVersion: v1
kind: Secret
metadata:
  name: secret-tls
type: kubernetes.io/tls
data:
  tls.crt: |
        MIIC2DCCAdDDgCwIAAgICAGANBgkqh ...
  tls.key: |
        MIIEpgIBCCKCAQFE8yn3bRHQ5FHMQ ...

Mount a Secret in a Pod

As a Volume

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: nginxsec
  name: nginxsec
spec:
  containers:
  - image: nginx
    name: nginxsec
    volumeMounts:
    - name: secret
      mountPath: /tmp
  volumes: 
  - name: secret
    secret:
      secretName: my-secret
  restartPolicy: Always
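The volume mount above works, but the defaults leave every key of the secret as a 0644 file in a writable mount under /tmp. As an added example (not from the cheat sheet), this POSIX shell script emits a hardened variant of that Pod and a small lint a reviewer could run over a manifest before applying it. my-secret is the page's secret name; the pod name, mount path and projected file name are made up for the example.

```shell
#!/bin/sh
# Added example; not part of the original cheat sheet. Emits a hardened variant
# of the "As a Volume" Pod above and lints a Pod manifest for the settings a
# reviewer checks on a secret volume: readOnly on the mount, a restrictive
# defaultMode, and a mount path outside /tmp. Uses the page's secret name
# my-secret; the pod name, mount path and file name are constructed.

hardened_secret_volume_pod() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: nginxsec-hardened
spec:
  containers:
  - image: nginx
    name: nginxsec
    volumeMounts:
    - name: secret
      mountPath: /etc/app-secrets   # dedicated directory instead of /tmp
      readOnly: true                # the process cannot rewrite the projected files
  volumes:
  - name: secret
    secret:
      secretName: my-secret
      defaultMode: 0400             # files readable by their owner only
      items:                        # project just the key this pod needs
      - key: password
        path: db-password
  restartPolicy: Always
EOF
}

# Sample input constructed from the page's "As a Volume" Pod (no readOnly,
# default mode 0644, mounted at /tmp) so the lint has something to reject.
page_style_secret_volume_pod() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: nginxsec
spec:
  containers:
  - image: nginx
    name: nginxsec
    volumeMounts:
    - name: secret
      mountPath: /tmp
  volumes:
  - name: secret
    secret:
      secretName: my-secret
EOF
}

# Reads a manifest on stdin, prints one "finding:" line per problem and
# returns 0 only when the manifest is clean. Plain grep, not a YAML parser:
# a quick pre-apply check, not a policy engine.
lint_secret_volume() {
  manifest=$(cat)
  rc=0
  printf '%s\n' "$manifest" | grep -q 'readOnly: true' \
    || { echo "finding: secret volumeMount is not readOnly"; rc=1; }
  printf '%s\n' "$manifest" | grep -Eq 'defaultMode: *0?[4-7]00' \
    || { echo "finding: defaultMode missing or allows group/other access"; rc=1; }
  printf '%s\n' "$manifest" | grep -q 'mountPath: */tmp' \
    && { echo "finding: secret mounted under /tmp"; rc=1; }
  return $rc
}

# Demonstration: the hardened manifest passes, the page-style one does not.
hardened_secret_volume_pod | lint_secret_volume && echo "hardened manifest: clean"
page_style_secret_volume_pod | lint_secret_volume || echo "page-style manifest: rejected"
```

defaultMode is octal in YAML (0400); in a JSON manifest the same value is written as 256. If the container runs as a non-root user, confirm that user can still read files with the mode you choose (runAsUser and fsGroup in the pod securityContext decide that), otherwise the pod starts but the application cannot open its own credentials.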

Secrets as Environment Variables [Individual]

apiVersion: v1
kind: Pod
metadata:
  labels:
  name: nginxenv
spec:
  containers:
  - image: nginx
    name: nginx
    env: 
    - name: DB_USER
      valueFrom:
        secretKeyRef:
          name: pod-secret
          key: username

Secrets as Environment Variables [All Keys, envFrom]

apiVersion: v1
kind: Pod
metadata:
  labels:
  name: nginxenv
spec:
  containers:
  - image: nginx
    name: nginx
    envFrom: 
    - secretRef:
        name: pod-secret