Create and Store Secrets like Passwords, OAuth Tokens, and SSH Keys in Kubernetes

In Kubernetes, we can store and manage sensitive information, such as passwords, OAuth tokens, and ssh keys using Kubernetes Secrets. In Kubernetes, secrets can be defined as Kubernetes Objects.  It is safer to store credentials in Kubernetes Secrets that in Pods or in Docker Images.

There are multiple ways of generating secrets in Kubernetes:

  1. Creating from a text file
  2. Creating from a yml file

Once the secrets are available they can be used in the following ways:

  1. Environment Variable
  2. Volume
  3. Using imagePullSecrets field

To know more about Kubernetes Secrets, click here.

In this article, we will create secrets using .yml file and access them in the Pod as Environment Variables.

Pre-requisites

  1. Kubernetes Cluster with at least 1 worker node.
    If you want to learn to create a Kubernetes Cluster, click here. This guide will help you create a Kubernetes cluster with 1 Master and 2 Nodes on AWS Ubuntu 18l04 EC2 Instances. 

What we will do

  1. Create Secrets

Create secrets

To create new secrets in Kubernetes, first encrypt them as shown below using base64 encoding method.

Here,

username=rahul and password=howtoforge123.

echo -n "rahul" | base64

echo -n "howtoforge123" | base64

encode-credentials

In the above screenshot, it can be seen that the credentials have been encrypted.

Create a secret definition file as follows, this file holds the base64 value of the credentials generated in the above step,.

vim my-secret.yml

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: cmFodWw=
  password: aG93dG9mb3JnZTEyMw==

my-secretes

Now, let's create a pod in which these secrets and can be accessed.

Create a new file that will contain the pod definition as follows.

vim my-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: secrets-in-pod
spec:
  containers:
    - name: my-container
      image: redis
      env:
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
  restartPolicy: Never

my-pod

Let's create secrets using the following command.

kubectl create -f my-secret.yml

kubectl get secret | grep mysecret

create-secretNow, create a pod using the following pod definition to access the previously created secrets.

kubectl create -f my-pod.yml

kubectl get  pods | grep secrets-in-pod

my-pod

Login into the pod using the following command. 

kubectl get pods | grep secrets-in-pod

kubectl exec -it secrets-in-pod /bin/bash

login-into-pod

Once you login to the pod, the secrets can be accessed as Environment Variable using the following command.

echo $SECRET_USERNAME

echo $SECRET_PASSWORD

access-credentials-in-pod

In the above screenshot, it can be seen that the secrets are available as  Environment variables.

To see details of the secret object, execute the following command.

kubectl get secret | grep mysecret

kubectl get secret mysecret -o yaml

get-secret-details

These secrete can also be decoded from the command line using the following commands.

kubectl get secrets/mysecret --template={{.data.username}} | base64 -d

kubectl get secrets/mysecret --template={{.data.password}} | base64 -d

decode-secrets

In the above screenshot, it can be seen that the credentials are extracted from the Secrets and decrypted on the command line using base64.

Conclusion

In this article, we saw the steps to create and store secrets in Kubernetes from a .yml file. We tried to access these secrets in Pod as Environment variables. We also saw the command to decrypt the secrets on the command line.

Share this page:

0 Comment(s)