If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
There are different ways to configure a container with environment variables.
- In a deployment YAML file
- Using Config Map
- Using Secrets (this article)
Config Maps are used to:
- mount configuration files in a container
- create environment variables in a container
- create command line option arguments in a container
Secrets are similar, but are intended for sensitive values such as passwords, tokens and keys. The values are stored base64 encoded, which is an encoding and not encryption: anyone who is allowed to read the Secret object can recover the plain values, so access to secrets should be restricted with RBAC and, where available, etcd encryption should be enabled. In this way, if a change is needed to a configuration file, variable, or command line option argument, you just need to update the config map or secret as opposed to having to make the change to your applications or deployments.
flowchart TB
subgraph OpenShift["OpenShift Cluster"]
CM[ConfigMap
Configuration Data]
SEC[Secret
Sensitive Data]
subgraph Pod["Pod"]
subgraph Container["Container"]
APP[Application]
VOL1[/Volume Mount
Config Files/]
VOL2[/Volume Mount
Secret Files/]
ENV1[Environment Variables
from ConfigMap]
ENV2[Environment Variables
from Secret]
end
end
end
CM -->|Mount as Volume| VOL1
SEC -->|Mount as Volume| VOL2
CM -->|Inject as EnvVar| ENV1
SEC -->|Inject as EnvVar| ENV2
VOL1 -.->|Read Config| APP
VOL2 -.->|Read Secrets| APP
ENV1 -.->|Use Config| APP
ENV2 -.->|Use Secrets| APP
style CM fill:#90CAF9
style SEC fill:#FFAB91
style APP fill:#A5D6A7
style Pod fill:#E1F5FE
style Container fill:#F1F8E9
The oc get secrets command can be used to list the secrets that have been created in the currently selected project / namespace.
~]# oc get secrets
NAME        TYPE     DATA   AGE
my-secret   Opaque   1      133d
The --output yaml or --output json options can be used to display the YAML or JSON details of the secret. Notice that the "foo" key contains "SGVsbG8=" and "bar" contains "V29ybGQ=". This is normal, because each value in the data map is base64 encoded. Keep in mind that base64 only encodes, it does not protect: any user or service account with permission to get secrets in the namespace can decode these values.
~]$ oc get secrets my-secret --output yaml
apiVersion: v1
data:
bar: V29ybGQ=
foo: SGVsbG8=
kind: Secret
metadata:
creationTimestamp: "2021-11-18T07:12:09Z"
name: my-secret
namespace: default
resourceVersion: "448072461"
uid: 4104a646-84e2-46c3-bd59-408e2f7ee807
type: Opaque
On a Linux system, the base64 command can be used to decode the value.
~]# echo SGVsbG8= | base64 --decode
Hello
~]# echo V29ybGQ= | base64 --decode
World
Let's say you have a deployment named "my-app".
~]# oc get deployments
NAME     READY   UP-TO-DATE   AVAILABLE   AGE
my-app   1/1     1            1           8d
There are two ways to update the deployment so that the foo and bar keys in my-secret are available to the container.
- Using the oc set volume command
- Using the oc edit command
A secret can be made available to a container:
- As an environment variable
- As a volume mount (this article)
The oc set volume command can be used to update a deployment so that the values in the "foo" and "bar" keys of the secret named "my-secret" can be read from files mounted in the container. The --read-only option is worth keeping: the application has no reason to write to the secret mount.
AVOID TROUBLE
The name of the secret, which is my-secret in this example, must be an exact match of the name of the secret returned by the oc get secrets command.
~]$ oc set volume deployment my-app --add --type secret --mount-path /var/secrets --secret-name my-secret --read-only
info: Generated volume name: volume-jlbsj
deployment.apps/my-app volume updated
Or the oc edit deployment command can be used to update the deployment YAML directly. The abbreviated YAML below shows the relevant fields (apiVersion for a Deployment is apps/v1, and volumeMounts is a list). The secret block also accepts items to mount only selected keys and defaultMode to tighten the permissions of the mounted files (the default is 0644).
apiVersion: apps/v1
kind: Deployment
spec:
  replicas: 1
  template:
    spec:
      containers:
      - name: my-app
        image: openshift/my-app:latest
        ports:
        - containerPort: 80
        volumeMounts:
        - name: my-secret
          mountPath: /var/secrets
          readOnly: true
      volumes:
      - name: my-secret
        secret:
          secretName: my-secret
Either change to the deployment triggers a rollout, so a new pod should be created shortly after the oc set volume or oc edit command completes. The oc describe pod command can then be used to confirm that the pod now mounts the secret at /var/secrets.
~]$ oc describe pod my-app-8x2nz
Containers:
my-app:
Container ID: my-app
Image ID: my-image
Ports: 8080/TCP, 8443/TCP
Host Ports: 0/TCP, 0/TCP
State: Running
Started: Tue, 02 Aug 2022 06:28:49 -0500
Ready: True
Restart Count: 0
Mounts:
/var/secrets from my-secret (ro)
Volumes:
my-secret:
Type: Secret (a volume populated by a Secret)
SecretName: my-secret
Optional: false
The oc exec command can now be used to see that the keys of the secret have been mounted in the container as files. Each file is a symbolic link into a ..data directory, which is itself a link to a timestamped directory holding the real files. When the secret is updated, the kubelet writes a new timestamped directory and swaps the ..data link, so an application that re-opens the file sees the new value without a pod restart (this does not apply to mounts that use subPath, and environment variables injected from a secret are never refreshed). The files live on a tmpfs and are not written to the node's disk.
~]$ oc exec pod/my-app-8x2nz -- ls -l /var/secrets
lrwxrwxrwx. 1 root root 10 Aug 28 10:20 bar -> ..data/bar
lrwxrwxrwx. 1 root root 10 Aug 28 10:20 foo -> ..data/foo
And the value of each secret can be viewed.
~]$ oc exec pod/my-app-8x2nz -- cat /var/secrets/foo
Hello
~]$ oc exec pod/my-app-8x2nz -- cat /var/secrets/bar
World
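The following is an added example, not code from the original article or from OpenShift itself. It shows two things the procedure above relies on without a cluster: decoding every key of a secret from the YAML that oc get secrets --output yaml prints, and the symlink layout that a secret volume has inside the container, including what a rotation looks like. The secret YAML is a constructed copy of the one shown earlier; a temporary directory stands in for /var/secrets, and the version names v1 and v2 stand in for the kubelet's timestamped directories. It assumes GNU coreutils (base64 -d, ln -n) and bash.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: decode a Secret's data map
# locally and reproduce the symlink layout a secret volume has inside a pod.
set -eu

# Constructed sample: the relevant part of `oc get secrets my-secret --output yaml`.
SECRET_YAML='apiVersion: v1
data:
  bar: V29ybGQ=
  foo: SGVsbG8=
kind: Secret
metadata:
  name: my-secret
type: Opaque'

# Print every key under "data:" as "key<TAB>decoded value". Only base64
# decoding is involved: anyone allowed to "get" the Secret can do this.
decode_secret_data() {
  printf '%s\n' "$1" \
    | awk '/^data:/ {in_data=1; next} /^[^ ]/ {in_data=0} in_data && /^  [^ ]+: / {sub(":", "", $1); print $1, $2}' \
    | while read -r key value; do
        printf '%s\t%s\n' "$key" "$(printf '%s' "$value" | base64 -d)"
      done
}

# Lay out DIR the way the kubelet projects a secret volume:
#   DIR/..<version>/<key>  the real files (mode 0400 here; the default is 0644)
#   DIR/..data             symlink to the current ..<version> directory
#   DIR/<key>              symlink to ..data/<key>
# Repointing the single ..data link is what makes a rotated secret visible
# to the application without a pod restart. The kubelet does the swap with
# an atomic rename; ln -sfn is used here for simplicity.
project_secret() {
  local dir=$1 version=$2; shift 2
  local kv key
  mkdir -p "$dir/..$version"
  for kv in "$@"; do
    key=${kv%%=*}
    printf '%s' "${kv#*=}" > "$dir/..$version/$key"
    chmod 0400 "$dir/..$version/$key"
    [ -L "$dir/$key" ] || ln -s "..data/$key" "$dir/$key"
  done
  ln -sfn "..$version" "$dir/..data"
}

# Read a key through the symlinks, as an application opening /var/secrets/foo would.
read_secret_file() {
  cat "$1/$2"
}

main() {
  local dir
  dir=$(mktemp -d)
  decode_secret_data "$SECRET_YAML"
  project_secret "$dir" v1 foo=Hello bar=World
  ls -l "$dir"
  read_secret_file "$dir" foo; echo
  # Rotate: new version directory, ..data repointed, old directory removed.
  project_secret "$dir" v2 foo=Hello2 bar=World
  rm -rf "$dir/..v1"
  read_secret_file "$dir" foo; echo
  rm -rf "$dir"
}

main
```

Running the script prints the decoded keys, an ls -l listing that matches the one from oc exec above (foo -> ..data/foo, bar -> ..data/bar), then "Hello" before the rotation and "Hello2" after it, read through the same path. An application that keeps the old file descriptor open, or that is mounted with subPath, would keep seeing the old value.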