Creating and Deploying Secrets

Since 1.14, Kubectl supports the management of Kubernetes objects using Kustomize. Kustomize provides resource Generators to create Secrets and ConfigMaps. The Kustomize generators should be specified in a kustomization.yaml file. A Kustomize file for generating a Secret from literal key-value pairs looks as follows:


namespace: octank
secretGenerator:
- name: database-credentials
  literals:
  - username=admin
  - password=Tru5tN0!
generatorOptions:
  disableNameSuffixHash: true

Run the following set of commands to generate a Secret using Kubectl and Kustomize.

mkdir -p ~/environment/secrets
cd ~/environment/secrets
wget https://eksworkshop.com/beginner/200_secrets/secrets.files/kustomization.yaml
kubectl kustomize . > secret.yaml

The generated Secret with base64 encoded value for username and password keys is as follows:


apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: database-credentials
  namespace: octank
data:
  password: VHJ1NXROMCE=
  username: YWRtaW4=

You can now deploy this Secret to your EKS cluster.

kubectl create namespace octank
kubectl apply -f secret.yaml

Exposing Secrets as Environment Variables

You may expose the keys, namely, username and password, in the database-credentials Secret to a Pod as environment variables using a Pod manifest as shown below:


apiVersion: v1
kind: Pod
metadata:
  name: someName
  namespace: someNamespace
spec:
  containers:
  - name: someContainer
    image: someImage
    env:
    - name: DATABASE_USER
      valueFrom:
        secretKeyRef:
          name: database-credentials
          key: username
    - name: DATABASE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: database-credentials
          key: password 

Run the following set of commands to deploy a pod that references the database-credentials Secret created above.

wget https://eksworkshop.com/beginner/200_secrets/secrets.files/pod-variable.yaml
kubectl apply -f pod-variable.yaml
kubectl get pod -n octank

View the output logs from the pod to verfiy that the environment variables DATABASE_USER and DATABASE_PASSWORD have been assigned the expected literal values

kubectl logs pod-variable -n octank

The output should look as follows:


DATABASE_USER = admin
DATABASE_PASSWROD = Tru5tN0!