Using a Secret
After secrets are created, they can be mounted as volumes or exposed as environment variables for a container.
NOTICE:
Do not perform any operation on the following secrets (for details, see Cluster Secrets):
- Secrets under kube-system
- default-secret and paas.elb in any namespace default-secret is used to pull private images from SWR, and paas.elb is used to connect the services in the namespace to ELB.
The following example shows how to use a secret.
apiVersion: v1 kind: Secret metadata: name: mysecret type: Opaque data: username: ****** #The value must be encoded using Base64. password: ****** #The value must be encoded using Base64.
NOTICE:
- When a secret is used in a pod, it must be in the same cluster and namespace as the pod.
- When a secret mounted as a volume is updated, Kubernetes updates the data in the volume at the same time.
However, when a secret mounted using subPath is updated, Kubernetes cannot automatically update the data in the volume.
Configuring Environment Variables for a Workload
Using the console
- Log in to the CCE console and click the cluster name to access the cluster console.
- In the navigation pane on the left, choose Workloads. In the upper right corner of the displayed page, click Create Workload.
When creating a workload, click Environment Variables in the Container Settings area, and click Add Variable.
- Added from secret: Select a secret and import all keys in the secret as environment variables.
- Added from secret key: Import the key in a secret as the value of an environment variable.
- Variable Name: Name of the environment variable. The name can be customized and is set to the key name selected in the secret by default.
- Variable Value/Reference: Select a secret and the key to be imported. The corresponding value is imported as a workload environment variable.
For example, after you import the value of username in secret mysecret as the value of workload environment variable username, an environment variable named username exists in the container.
- Added from secret: Select a secret and import all keys in the secret as environment variables.
- Configure other workload parameters and click Create Workload.
When the workload runs normally, log in to the container and run the following statement to check whether the secret has been set as an environment variable for the workload:
printenv username
If the output is the same as the content in the secret, the secret has been set as an environment variable for the workload.
Using kubectl
- Use kubectl to connect to the cluster. For details, see Connecting to a Cluster Using kubectl.
- Create a file named nginx-secret.yaml and edit it.
vi nginx-secret.yaml
The content of the YAML file is as follows:
- Added from secret: To add all data in a secret to environment variables, use the envFrom parameter. The keys in the secret will become names of environment variables in the workload.
apiVersion: apps/v1 kind: Deployment metadata: name: nginx-secret spec: replicas: 1 selector: matchLabels: app: nginx-secret template: metadata: labels: app: nginx-secret spec: containers: - name: container-1 image: nginx:latest envFrom: # Use envFrom to specify a secret to be referenced by environment variables. - secretRef: name: mysecret # Name of the referenced secret. imagePullSecrets: - name: default-secret - Added from secret key: When creating a workload, you can use a secret to set environment variables and use the valueFrom parameter to reference the key-value pair in the secret separately.
apiVersion: apps/v1 kind: Deployment metadata: name: nginx-secret spec: replicas: 1 selector: matchLabels: app: nginx-secret template: metadata: labels: app: nginx-secret spec: containers: - name: container-1 image: nginx:latest env: # Set an environment variable for the workload. - name: SECRET_USERNAME # Name of the environment variable for the workload. valueFrom: # Use valueFrom to specify a secret to be referenced by environment variables. secretKeyRef: name: mysecret # Name of the referenced secret. key: username # Key in the referenced secret. - name: SECRET_PASSWORD # Add multiple environment variables to import them at the same time. valueFrom: secretKeyRef: name: mysecret key: password imagePullSecrets: - name: default-secret
- Added from secret: To add all data in a secret to environment variables, use the envFrom parameter. The keys in the secret will become names of environment variables in the workload.
- Create a workload.
kubectl apply -f nginx-secret.yaml
- View the environment variables in the pod.
- Run the following command to view the created pod:
kubectl get pod | grep nginx-secret
Expected output:nginx-secret-*** 1/1 Running 0 2m18s
- Run the following command to view the environment variables in the pod:
kubectl exec nginx-secret-*** -- printenv SPECIAL_USERNAME SPECIAL_PASSWORD
If the output is the same as the content in the secret, the secret has been set as an environment variable for the workload.
- Run the following command to view the created pod:
Configuring a Data Volume for a Workload
You can mount a secret as a volume to the specified container path. The content of a secret is user-defined. You need to create a secret in advance. For details, see Creating a Secret.
Using the console
- Log in to the CCE console and click the cluster name to access the cluster console.
- In the navigation pane on the left, choose Workloads. Then click the Deployments tab. Click Create Workload in the upper right corner.
When creating a workload, click Data Storage in the Container Settings area. Click Add Volume and select Secret from the drop-down list.
- Configure parameters for mounting a secret volume based on Table 1.
Table 1 Parameters for mounting a secret volume Parameter
Description
Secret
Select the desired secret.
A secret must be created beforehand. For details, see Creating a Secret.
Mount Path
Enter a mount point. After the secret volume is mounted, a secret file with the key as the file name and value as the file content is generated in the mount path of the container.
This parameter indicates the container path that the volume will be mounted to. Do not mount the volume to a system directory such as / or /var/run. This may cause container errors. Mount the volume to an empty directory. If the directory is not empty, ensure that there are no files that affect container startup. If there are such files, they will be replaced, which will lead to a container startup or workload creation failure.NOTICE:If a volume is mounted to a high-risk directory, use an account with minimum permissions to start the container, or high-risk files on the host may be damaged.
Subpath
Enter a subpath of the mount path.
- A subpath is used to mount a local volume so that the same volume is used in a single pod. If this parameter is left blank, the root path is used by default.
- The subpath can be the key and value of a secret. If the subpath is a key-value pair that does not exist, the data import does not take effect.
- The data imported using a subpath will not be updated along with the secret.
Permission
Read-only permission. The volume in the path is read-only.
Figure 1 Mounting a secret volume
- Configure other parameters and click Create Workload.
When the workload runs normally, the username and password files will be generated in the /etc/foo directory in this example. The file content is the secret values.
Access the container and run the following statement to view the username or password file in the container:
cat /etc/foo/usernameThe expected output is the same as the content in the secret.
Using kubectl
- Use kubectl to connect to the cluster. For details, see Connecting to a Cluster Using kubectl.
- Create a file named nginx-secret.yaml and edit it.
vi nginx-secret.yaml
In the following example, the username and password in the mysecret secret are saved in the /etc/foo directory as files.apiVersion: apps/v1 kind: Deployment metadata: name: nginx-secret spec: replicas: 1 selector: matchLabels: app: nginx-secret template: metadata: labels: app: nginx-secret spec: containers: - name: container-1 image: nginx:latest volumeMounts: - name: foo mountPath: /etc/foo # Mount the secret volume to the /etc/foo directory. readOnly: true volumes: - name: foo secret: secretName: mysecret # Name of the referenced secret.You can also use the items field to control the mapping path of secret keys. For example, store username in the /etc/foo/my-group/my-username directory in the container.
NOTE:
- If you use the items field to specify the mapping path of the secret keys, the keys that are not specified will not be created as files. In the following example, if the password key is not specified, the file will not be created.
- If you want to use all keys in a secret, you must list all keys in the items field.
- All keys listed in the items field must exist in the corresponding secret, or the volume will not be created.
apiVersion: apps/v1 kind: Deployment metadata: name: nginx-secret spec: replicas: 1 selector: matchLabels: app: nginx-secret template: metadata: labels: app: nginx-secret spec: containers: - name: container-1 image: nginx:latest volumeMounts: - name: foo mountPath: /etc/foo # Mount the secret volume to the /etc/foo directory. readOnly: true volumes: - name: foo secret: secretName: mysecret # Name of the referenced secret. items: - key: username # Name of the referenced key. path: my-group/my-username # Mapping path of the secret key. - Create a workload.
kubectl apply -f nginx-secret.yaml
- Wait until the workload runs normally. The username and password files will be generated in the /etc/foo directory.
- Run the following command to view the created pod:
kubectl get pod | grep nginx-secret
Expected output:nginx-secret-*** 1/1 Running 0 2m18s
- Run the following command to view the username or password file in the pod:
kubectl exec nginx-secret-*** -- cat /etc/foo/usernameThe expected output is the same as the content in the secret.
- Run the following command to view the created pod:
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
