OpenShift - Create Secrets

If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

A config map contains files, variables, and command line options that can be used by one or more applications, as a way to create separation between applications and the files, variables, and command line options being used by the applications.

Or, a secret can be used, so that the data is encoded (not encrypted).

For example, a config map could contain the variable foo=Hello, or a secret could contain foo=SGVsbG8= (which is Hello base64 encoded), and then one or more pods could use the config map or secret to return Hello from the foo key.

The following types of secrets can be created. The opaque type of secret will not validate that the key value pairs of the secret conform to a specific structure, whereas the other types of secrets will.

  • Opaque (default)
  • kubernetes.io/service-account-token. Uses a service account token.
  • kubernetes.io/dockercfg. Uses the .dockercfg file for Docker credentials.
  • kubernetes.io/dockerconfigjson. Uses the .docker/config.json file for Docker credentials.
  • kubernetes.io/basic-auth
  • kubernetes.io/ssh-auth
  • kubernetes.io/tls

 

With the oc create secret command, there are different command line options that can be used.

  • --from-literal
  • --from-file
  • --from-env-file

 


--from-literal

Here is how you would create a secret using --from-literal. The generic subcommand creates an Opaque secret.

~]# oc create secret generic my-secret --from-literal=foo="Hello" --from-literal=bar="World"
secret "my-secret" created

 


--from-file

Let's say the /tmp/foo file contains the following.

Hello

 

And the /tmp/bar file contains the following.

World

 

Here is how you would create a secret using --from-file.

AVOID TROUBLE

The names of the files (foo and bar in this example) will be used as the keys in the secret.

~]# oc create secret generic my-secret --from-file /tmp/foo --from-file /tmp/bar
secret "my-secret" created

 


--from-env-file

Let's say the /tmp/foo file contains the following.

foo="Hello"

 

And the /tmp/bar file contains the following.

bar="World"

 

Here is how you would create a secret using --from-env-file.

~]# oc create secret generic my-secret --from-env-file /tmp/foo --from-env-file /tmp/bar
secret "my-secret" created

 


From JSON or YAML file

Let's say you have a YAML file named secret.yml that contains the following markup.

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: default
stringData:
  foo: Hello
  bar: World
type: Opaque

 

Alternatively, the base64 command can be used to encode the values yourself. Use echo -n (or printf) so that the trailing newline is not encoded; otherwise Hello encodes to SGVsbG8K rather than SGVsbG8=, and the value stored in the secret would end with a newline.

~]# echo -n Hello | base64
SGVsbG8=

~]# echo -n World | base64
V29ybGQ=

 

And then your YAML file can use data instead of stringData. Note that the values in data are base64 encoded, not encrypted: anyone who can read the secret can decode them.

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: default
data:
  foo: SGVsbG8=
  bar: V29ybGQ=
type: Opaque

 
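The following is an added example that is not part of the original article: a small POSIX shell helper that builds a data-style Secret manifest like the one above with correctly padded base64 values, and decodes a key back out of such a manifest to check what a pod will actually see. It assumes only the coreutils base64 command; oc is not needed to run it.

```shell
#!/bin/sh
# Added example (not from the original article).
# Assumes POSIX sh and coreutils base64; no cluster access required.

# Base64-encode a value without the trailing newline that a bare "echo"
# would include (echo Hello | base64 gives SGVsbG8K, not SGVsbG8=).
# base64 wraps long output at 76 columns, so the line breaks are removed.
b64_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Reverse of b64_value.
b64_decode() {
    printf '%s' "$1" | base64 --decode
}

# Emit an Opaque Secret manifest that uses "data" rather than "stringData".
# Arguments: secret name, namespace, then one or more key=value pairs.
secret_manifest() {
    name=$1; ns=$2; shift 2
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' "$name" "$ns"
    for kv in "$@"; do
        key=${kv%%=*}        # text before the first "="
        value=${kv#*=}       # everything after it, so values may contain "="
        printf '  %s: %s\n' "$key" "$(b64_value "$value")"
    done
}

# Pull one key out of a manifest (as produced above, or as printed by
# "oc get secret my-secret --output yaml") and decode it. Because the
# values are only encoded, this is all that is needed to read a secret.
secret_key_value() {
    manifest=$1; key=$2
    encoded=$(printf '%s\n' "$manifest" | sed -n "s/^  $key: //p")
    b64_decode "$encoded"
}

# Typical use: pipe the manifest straight into oc.
#   secret_manifest my-secret default foo=Hello bar=World | oc apply -f -
```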

The oc apply or oc create command with the -f or --filename option can be used to create the secret using the template JSON or YAML file.

The oc replace command can be used to replace a secret using a new or updated template JSON or YAML file.

The oc edit command can be used to update a secret template YAML file.

~]$ oc create --filename secret.yml 
secret/my-secret created

 


The oc get secrets command can be used to list the secrets that have been created.

~]# oc get secrets
NAME           TYPE        DATA      AGE
my-secret      Opaque      2         30s

 

The --output yaml or --output json options can be used to display the YAML or JSON details of the secret. Notice that the "foo" key contains "SGVsbG8=" and "bar" contains "V29ybGQ=". This is normal, because the secret value is base64 encoded.

~]$ oc get secrets my-secret --output yaml
apiVersion: v1
data:
  bar: V29ybGQ=
  foo: SGVsbG8=
kind: Secret
metadata:
  creationTimestamp: "2021-11-18T07:12:09Z"
  name: my-secret
  namespace: default
  resourceVersion: "448072461"
  uid: 4104a646-84e2-46c3-bd59-408e2f7ee807
type: Opaque

 

On a Linux system, the base64 command can be used to decode the value.

~]# echo SGVsbG8= | base64 --decode
Hello

~]# echo V29ybGQ= | base64 --decode
World

 

You could then configure a deployment to use my-secret. Here is an example of what you could add for the deployment YAML to use the value in the "foo" key in the secret named "my-secret".

AVOID TROUBLE

If there is already a pod running for the deployment and you update the deployment YAML, you will need to delete the pod so that a new pod gets created, because running pods will not detect changes made to the deployment YAML.

containers:
- env:
  - name: my_secret
    valueFrom:
      secretKeyRef:
        key: foo
        name: my-secret

 

The oc exec command and the env or printenv command can be used to see if the "my_secret" variable contains a value of "Hello" in the container.

~]$ oc exec <name of the pod> -- env
my_secret=Hello

 

Web design by yours truely - me, myself, and I   |   jeremy.canfield@freekb.net   |