Secret

A secret is a resource object for encrypted storage. You can save the authentication information, certificates, and private keys in a secret, solving the configuration problems of sensitive data such as passwords, tokens, and keys. In this case, sensitive data will not be exposed to images or pod specification files. You only need to load such data as environment variables to containers during container startup.

Similar to a ConfigMap, a secret saves data using key-value pairs. The difference is that a secret is encrypted and suitable for storing sensitive information.

Base64 Encoding

Similar to a ConfigMap, a secret saves data using key-value pairs. The difference is that secret values must be encoded using the Base64 method.

To encrypt a character string using Base64, run the echo -n to-be-encoded content | base64 command. The following is an example:

root@ubuntu:~# echo -n "3306" | base64
MzMwNg==

Creating a Secret

The secret defined in the following example contains two key-value pairs.

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  key1: VkZNME0wVlpVbEpQVHpGTFdrSkRWVWhCV2s5T1ZrNUxUVlZNUjBzMFRWcElVMFpVUkVWV1N3PT0=   # Base64 encoded value
  key2: T0VkR1RGRlZVRlpVU2xCWFdUZFBVRUZCUmtzPQ==                                       # Base64 encoded value

Referencing a Secret in Environment Variables

In most cases, a secret is injected into a container as an environment variable, as shown in the following example.

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx:latest
    name: container-0
    resources:
      limits:
        cpu: 500m
        memory: 1024Mi
      requests:
        cpu: 500m
        memory: 1024Mi
    env:
    - name: key
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: key1
  imagePullSecrets:
  - name: imagepull-secret

Referencing a Secret in a Volume

Referencing a secret in a volume is to fill its data in configuration files in the volume. Each piece of data is saved in a file. The key is the file name, and the key value is the file content.

In the following example, create a volume named vol-secret, reference the secret named mysecret in the volume, and mount the volume to the /tmp directory of the container. After the pod is created, there are two files key1 and key2 in the /tmp directory of the container, and the values are VkZNME0wVlpVbEpQVHpGTFdrSkRWVWhCV2s5T1ZrNUxUVlZNUjBzMFRWcElVMFpVUkVWV1N3PT0= and T0VkR1RGRlZVRlpVU2xCWFdUZFBVRUZCUmtzPQ==.

The values of key1 and key2 are the values encoded using Base64.

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx:latest
    name: container-0
    resources:
      limits:
        cpu: 500m
        memory: 1024Mi
      requests:
        cpu: 500m
        memory: 1024Mi
    volumeMounts:
    - name: vol-secret              # Mount the volume named vol-secret
      mountPath: "/tmp"             # Mount path. The value contains a maximum of 256 characters.
  imagePullSecrets:
  - name: imagepull-secret
  volumes:
  - name: vol-secret
    secret:                         # Reference a secret
      secretName: mysecret

Parent topic: ConfigMap and Secret

Previous topic: ConfigMap

Next topic: Creating a Workload Using Job and Cron Job