What are Secrets in K8s?
Secrets are used to store sensitive information such as authentication tokens, passwords, SSH keys and certificates.
They are stored in etcd, the datastore of Kubernetes.
The main advantage of a Secret is that it can be updated dynamically: if we want to change the username, password or SSH key used by any container inside a pod, changing the Secret alone updates the env values and the SSH key (mounted as a volume) of existing and newly created pods.
jinojosep@cloudshell:~ (boreal-physics-256910)$ kubectl create secret generic secret-demo --from-literal=username=jinouname --from-literal=password=jinomypassword
secret/secret-demo created
################################
NAME                  TYPE                                  DATA   AGE
default-token-l5tmg   kubernetes.io/service-account-token   3      14m
secret-demo           Opaque                                2      8s
################################
jinojosep@cloudshell:~ (boreal-physics-256910)$ cat > 5-pod-secret-env.yaml
apiVersion: v1
kind: Pod
metadata:
  name: busybox
spec:
  containers:
  - image: busybox
    name: busybox
    command: ["/bin/sh"]
    args: ["-c", "sleep 600"]
    env:
    - name: myusername
      valueFrom:
        secretKeyRef:
          name: secret-demo
          key: username
################################
Here key: username refers to the key named username that we stored under data: when creating the secret (--from-literal=username=...); the container sees only that one value, exposed as the env variable myusername.
################################
jinojosep@cloudshell:~ (boreal-physics-256910)$ k create -f 5-pod-secret-env.yaml
pod/busybox created
################################
jinojosep@cloudshell:~ (boreal-physics-256910)$ kg pods
NAME      READY   STATUS    RESTARTS   AGE
busybox   1/1     Running   0          4s
################################
jinojosep@cloudshell:~ (boreal-physics-256910)$ k exec -it busybox -- sh
/ # env
/ # env | grep myusername
myusername=jinouname
################################
This is an example where the secret is mounted as files in a volume, which is ideal for SSH keys.
jinojosep@cloudshell:~ (boreal-physics-256910)$ cat > 5-pod-secretsshkey.yaml
kind: Secret
apiVersion: v1
metadata:
  name: ssh-key-secret
data:
  id-rsa: dmFsdWUtMg0KDQo=
  id-rsa.pub: dmFsdWUtMQ0K
################################
jinojosep@cloudshell:~ (boreal-physics-256910)$ cat > 5-pod-secret-volume.yaml
kind: Pod
apiVersion: v1
metadata:
  name: secret-test-pod
spec:
  volumes:
  - name: secret-volume
    secret:
      secretName: ssh-key-secret
  containers:
  - name: ssh-test-container
    image: busybox
    command: ["/bin/sh"]
    args: ["-c", "sleep 600"]
    volumeMounts:
    - name: secret-volume
      readOnly: true
      mountPath: "/etc/secret-volume"
################################
Here the name: under volumes: and the name: under volumeMounts: must be the same; that is how a mount is tied to the secret volume.
jinojosep@cloudshell:~ (boreal-physics-256910)$ k apply -f 5-pod-secret-volume.yaml
pod/busybox created
################################
jinojosep@cloudshell:~ (boreal-physics-256910)$ kg pod
NAME      READY   STATUS    RESTARTS   AGE
busybox   1/1     Running   0          15s
################################
jinojosep@cloudshell:~ (boreal-physics-256910)$ k exec -it busybox -- sh
/ # cd /etc/secret-volume
/secret-volume # ls -l
total 0
lrwxrwxrwx 1 root root 15 Aug 11 11:44 id-rsa -> ..data/id-rsa
lrwxrwxrwx 1 root root 15 Aug 11 11:44 id-rsa.pub -> ..data/id-rsa.pub
/secret-volume # cat id-rsa ; echo
dmFsdWUtMg0KDQo=
/secret-volume # cat id-rsa.pub ; echo
dmFsdWUtMQ0K
/secret-volume #
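As an added example (not the author's code), here is a small Python check that validates a Pod manifest against the Secrets it references, covering the two points made above: a secretKeyRef key must exist under the Secret's data, and a volumeMount name must match a volume name. It also decodes the data values, which are only base64-encoded, and flags a secret volume that is not mounted readOnly. The manifests are the ones shown on this page, transcribed as Python dicts; that transcription is an assumption made for the example.

```python
import base64
import binascii

# Constructed input, not from the page: the two Secrets and two Pods described
# above, transcribed as Python structures (the shape a YAML loader would yield).
SECRETS = {
    # kubectl create secret --from-literal stores each value base64-encoded
    "secret-demo": {k: base64.b64encode(v).decode() for k, v in
                    {"username": b"jinouname", "password": b"jinomypassword"}.items()},
    "ssh-key-secret": {"id-rsa": "dmFsdWUtMg0KDQo=", "id-rsa.pub": "dmFsdWUtMQ0K"},
}
POD_ENV = {"metadata": {"name": "busybox"}, "spec": {"containers": [{
    "name": "busybox", "image": "busybox", "env": [{"name": "myusername",
    "valueFrom": {"secretKeyRef": {"name": "secret-demo", "key": "username"}}}]}]}}
POD_VOLUME = {"metadata": {"name": "secret-test-pod"}, "spec": {
    "volumes": [{"name": "secret-volume", "secret": {"secretName": "ssh-key-secret"}}],
    "containers": [{"name": "ssh-test-container", "image": "busybox", "volumeMounts": [
        {"name": "secret-volume", "readOnly": True, "mountPath": "/etc/secret-volume"}]}]}}

def decode_secret(data):
    """Decode a Secret's data map: base64 is an encoding, not encryption."""
    decoded = {}
    for key, value in data.items():
        try:
            decoded[key] = base64.b64decode(value, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"key {key!r} is not valid base64: {exc}") from exc
    return decoded

def check_pod(pod, secrets):
    """Return the problems in a Pod's use of Secrets (an empty list means OK)."""
    problems = []
    volumes = {v["name"]: v for v in pod["spec"].get("volumes", [])}
    for c in pod["spec"]["containers"]:
        for env in c.get("env", []):  # secretKeyRef must name an existing secret and key
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref and ref["name"] not in secrets:
                problems.append(f"env {env['name']}: secret {ref['name']!r} does not exist")
            elif ref and ref["key"] not in secrets[ref["name"]]:
                problems.append(f"env {env['name']}: key {ref['key']!r} not in secret {ref['name']!r}")
        for mount in c.get("volumeMounts", []):  # mount name must match a volume name
            vol = volumes.get(mount["name"])
            secret_name = (vol or {}).get("secret", {}).get("secretName")
            if vol is None:
                problems.append(f"volumeMount {mount['name']}: no volume with that name")
            elif secret_name is not None and secret_name not in secrets:
                problems.append(f"volumeMount {mount['name']}: secret {secret_name!r} does not exist")
            elif secret_name is not None and not mount.get("readOnly"):
                problems.append(f"volumeMount {mount['name']}: secret volume is not readOnly")
    return problems
```

Running check_pod against the two manifests above returns an empty list; feeding it a Pod whose mount name or key name does not match shows exactly which reference is broken before kubectl ever sees it.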