
If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
Config Maps are used to:
- mount configuration files in a container
- create environment variables in a container
- create command line option arguments in a container
Secrets are similar, but are intended for sensitive data (e.g. passwords); their values are stored base64 encoded. In this way, if a change is needed to a configuration file, variable, or command line option argument, you just need to update the config map or secret as opposed to having to make the change to your applications or deployments.
The following types of secrets can be created. The Opaque type of secret will not validate that the key-value pairs of the secret conform to a specific structure, whereas the other types of secrets will.
- Opaque (default)
- kubernetes.io/service-account-token. Uses a service account token.
- kubernetes.io/dockercfg. Uses the .dockercfg file for Docker credentials.
- kubernetes.io/dockerconfigjson. Uses the .docker/config.json file for Docker credentials.
- kubernetes.io/basic-auth
- kubernetes.io/ssh-auth
- kubernetes.io/tls
With the oc create secret command, there are different command line options that can be used.
- --from-literal
- --from-file
- --from-env-file
Here is how you would create a secret using --from-literal. The generic subcommand creates an Opaque secret.
~]# oc create secret generic my-secret --from-literal foo="Hello" --from-literal bar="World"
secret "my-secret" created
Let's say the /tmp/foo file contains the following.
Hello
And the /tmp/bar file contains the following.
World
Here is how you would create a secret using --from-file.
~]# oc create secret generic my-secret --from-file /tmp/foo --from-file /tmp/bar
secret "my-secret" created
In this scenario, the names of the files (foo and bar) will be the keys and the base64-encoded content of the files (Hello and World) will be the values.
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: default
data:
  foo: SGVsbG8=
  bar: V29ybGQ=
type: Opaque
Let's say the /tmp/foo file contains the following.
foo="Hello"
And the /tmp/bar file contains the following.
bar="World"
Here is how you would create a secret using --from-env-file.
~]# oc create secret generic my-secret --from-env-file /tmp/foo --from-env-file /tmp/bar
secret "my-secret" created
From JSON or YAML file
Let's say you have a YAML file named secret.yml that contains the following markup.
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: default
stringData:
  foo: Hello
  bar: World
type: Opaque
Alternatively, the base64 command can be used to encode the values. Use echo -n so that the trailing newline echo would otherwise append is not encoded into the value.
~]# echo -n Hello | base64
SGVsbG8=
~]# echo -n World | base64
V29ybGQ=
And then your YAML file can use data instead of stringData so that the values are stored base64 encoded. Keep in mind that base64 is an encoding, not encryption: anyone who can read the secret can decode the values.
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: default
data:
  foo: SGVsbG8=
  bar: V29ybGQ=
type: Opaque
The oc apply or oc create command with the -f or --filename option can be used to create the secret using the template JSON or YAML file.
The oc replace command can be used to replace a secret using a new or updated template JSON or YAML file.
The oc edit command can be used to update a secret template YAML file.
~]$ oc create --filename secret.yml
secret/my-secret created
The oc get secrets command can be used to list the secrets that have been created.
~]# oc get secrets
NAME        TYPE     DATA   AGE
my-secret   Opaque   2      30s
The --output yaml or --output json options can be used to display the YAML or JSON details of the secret. Notice that the "foo" key contains "SGVsbG8=" and "bar" contains "V29ybGQ=". This is normal, because the secret value is base64 encoded.
~]$ oc get secrets my-secret --output yaml
apiVersion: v1
data:
  bar: V29ybGQ=
  foo: SGVsbG8=
kind: Secret
metadata:
  creationTimestamp: "2021-11-18T07:12:09Z"
  name: my-secret
  namespace: default
  resourceVersion: "448072461"
  uid: 4104a646-84e2-46c3-bd59-408e2f7ee807
type: Opaque
On a Linux system, the base64 command can be used to decode the value.
~]# echo SGVsbG8= | base64 --decode
Hello
~]# echo V29ybGQ= | base64 --decode
World
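The encode and decode steps above, as an added shell example that is not part of the original article: it builds a Secret manifest with correctly padded base64 values and shows why echo (without -n) produces a different value. The function names and the foo/bar sample values are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the original article): build a Secret manifest with
# correctly padded base64 values, and show the trailing-newline pitfall of
# `echo value | base64`. Function names are this example's own choice.

# Encode one value exactly as typed. printf '%s' is used instead of echo so no
# trailing newline is encoded; tr removes the line wrapping GNU base64 adds.
encode_secret_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a value taken from the "data:" section of a secret.
decode_secret_value() {
    printf '%s' "$1" | base64 --decode
}

# Print a Secret manifest of type Opaque for name "$1" in namespace "$2".
# Remaining arguments are key=value pairs, e.g. foo=Hello bar=World.
# Values are base64 encoded, not encrypted: anyone who can read the
# manifest or run "oc get secret" can decode them.
build_secret_manifest() {
    name=$1; namespace=$2; shift 2
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n' \
        "$name" "$namespace"
    for pair in "$@"; do
        key=${pair%%=*}        # text before the first "="
        value=${pair#*=}       # text after the first "=" (may itself contain "=")
        printf '  %s: %s\n' "$key" "$(encode_secret_value "$value")"
    done
    printf 'type: Opaque\n'
}

# The pitfall: echo appends "\n", so "Hello" is stored as "Hello\n" (SGVsbG8K),
# and a password read from the secret would carry a trailing newline.
naive_encode() {
    echo "$1" | base64 | tr -d '\n'
}

# Constructed sample input matching the article's foo/bar keys.
build_secret_manifest my-secret default foo=Hello bar=World
```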
You could then configure a deployment to use my-secret. Here is an example of what you could add for the deployment YAML to use the value in the "foo" key in the secret named "my-secret".
AVOID TROUBLE
If there is already a pod running for the deployment, and you update the deployment YAML, you will need to delete the pod so that a new pod gets created, because pods will not detect changes made to the deployment YAML.
containers:
- env:
  - name: my_secret
    valueFrom:
      secretKeyRef:
        key: foo
        name: my-secret
The oc exec command and the env or printenv command can be used to see if the "my_secret" variable contains a value of "Hello" in the container.
~]$ oc exec <name of the pod> -- env
my_secret=Hello