I would like to use a Secret inside a ConfigMap. Is this possible?

Example:

An example where this might be required is if you would like to write from Fluentd to S3. In the configuration you have to add your AWS credentials.

Alternatives:

Using environment variables on the cluster itself. I do not like this idea, because the variable would still contain the secret as plain text.

Passing the password during set-up. If you are using deployment tools it might be possible to pass the secret during the deployment of your application. This is also not a nice solution since you are still passing the secret as plain text to the deployment tool. An advantage of this approach is that you do not accidentally check in your secret to git.

User12547645
  • Have you gone through this https://medium.com/google-cloud/kubernetes-configmaps-and-secrets-68d061f7ab5b – mchawre Aug 05 '19 at 14:02
  • Thanks @mchawre. I will have a look at that – User12547645 Aug 05 '19 at 14:09
  • So how I understand it, @mchawre solution works as follows: Pass the secret data to a K8s secret, expose this data via env variables and then consume it in the configmap. Is that correct? Not sure if that might work. In the example he is not passing any secret data to the configmap – User12547645 Aug 05 '19 at 14:16
  • Yeah, but that env will contain base64 encoded data in it. You need to decode it to use. – mchawre Aug 05 '19 at 14:55
  • The best option so far I think is to use AWS IAM role and assign that role to the kubernetes nodes. – mchawre Aug 05 '19 at 14:57
  • As you can see `aws_key_id` and `aws_sec_key` are optional fields https://docs.fluentd.org/output/s3#parameters You can make use of an AWS IAM role. Just give it a try. – mchawre Aug 05 '19 at 15:07

2 Answers

Try to avoid making use of aws credentials in kubernetes.

As you can see, aws_key_id and aws_sec_key are optional fields.

Make use of AWS IAM role and assign it to the kubernetes nodes.

And then try to run your fluentd application without aws credentials in its config.

Just give it a try.

Hope this helps.

Update:

This article explains different ways to use AWS IAM for Kubernetes.

Kube2iam and many other tools like this, might help. Give it a try.

mchawre
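The credential-free set-up this answer describes, written out as an added example (it is not part of the original answer and not the Fluentd project's own sample): the S3 output omits `aws_key_id`/`aws_sec_key`, so fluent-plugin-s3 falls back to the AWS SDK's default credential chain, and the pod is annotated for kube2iam so that chain resolves to a dedicated IAM role rather than whatever the node itself holds. The bucket name, region, role name, image tag and mount path are placeholders I chose; substitute your own.

```yaml
# Added example: Fluentd writing to S3 with no static AWS credentials anywhere
# in the manifests. All names below are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluentd-config
data:
  fluent.conf: |
    <source>
      @type forward
      port 24224
    </source>
    <match **>
      @type s3
      # aws_key_id / aws_sec_key are deliberately absent: the plugin then uses
      # the SDK default credential chain (instance profile, or the role that
      # kube2iam vends to this pod through the metadata endpoint).
      s3_bucket example-log-bucket
      s3_region eu-west-1
      path logs/
      <buffer time>
        @type file
        path /var/log/fluentd-buffers/s3
        timekey 3600
        timekey_wait 10m
      </buffer>
    </match>
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fluentd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fluentd
  template:
    metadata:
      labels:
        app: fluentd
      annotations:
        # kube2iam reads this annotation and answers the pod's calls to
        # 169.254.169.254 with temporary credentials for this role (placeholder
        # name). The role only needs s3:PutObject on the log bucket, so a
        # compromised Fluentd pod cannot use the node's broader instance role.
        iam.amazonaws.com/role: fluentd-s3-writer
    spec:
      containers:
        - name: fluentd
          # placeholder image tag; pick an image that bundles fluent-plugin-s3
          image: fluent/fluentd-kubernetes-daemonset:v1.7-debian-s3-1
          volumeMounts:
            - name: config
              mountPath: /fluentd/etc/fluent.conf   # path assumed for this image
              subPath: fluent.conf
      volumes:
        - name: config
          configMap:
            name: fluentd-config
```

The point of the annotation is least privilege: assigning the role to the nodes, as the answer suggests, works too, but then every pod on those nodes can write to the bucket, whereas the per-pod role limits it to Fluentd. Either way, nothing in the ConfigMap or in git is a long-lived key.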

No, it is not possible. You should always use a Secret for your sensitive data.

By default, Secrets are only base64 encoded content of files, so you should use something like Vault to securely store your sensitive data.

FL3SH
  • Okay. How would you solve the **example** situation then? – User12547645 Aug 05 '19 at 14:12
  • Exactly like in the [article](https://gist.github.com/thesandlord/6e297d7ceb807e6f0243255ab7885d83#file-final-yaml-L25) mentioned by @mchawre, but as I pointed out, that is only base64 encoded. – FL3SH Aug 05 '19 at 14:18
  • TL;DR; you will end up with base64 encoded AWS credentials stored in ENV. – FL3SH Aug 05 '19 at 14:22
  • Just note that if you want a more GitOps approach, there are pretty good tools for encrypting secrets - so you can store them on Git. I posted about it in the past - check it out [here](https://blog.solutotlv.com/can-kubernetes-keep-a-secret/) – Omer Levi Hevroni Aug 05 '19 at 17:01
  • @FL3SH The article does not mention a valid solution to my problem. It talks about environment vars, Docker vars and K8s vars. I do not want to store this sensitive data as a clear text var, and since it is consumed by a configmap I cannot store it in a secret – User12547645 Aug 06 '19 at 08:03
  • @FL3SH How would you consume the base64 encoded ENVs in a configmap? – User12547645 Aug 06 '19 at 08:04
  • Decoding is pain, these are the available ways https://stackoverflow.com/questions/56909180/decoding-kubernetes-secret – mchawre Aug 06 '19 at 08:22
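The Secret-to-env-to-ConfigMap wiring the comments above are circling, as an added example that is not part of the original answer or of the linked article: the keys live in a Secret, the Deployment injects them as environment variables, and the Fluentd config held in the ConfigMap refers to them with Fluentd's embedded-Ruby `"#{ENV['...']}"` syntax instead of carrying the key itself. Two facts the example relies on: the kubelet base64-decodes a `secretKeyRef` value before it reaches the container, so no decoding step is needed in the config, and the variable therefore holds the plain key (anyone who can `kubectl exec` into the pod or read its `/proc/<pid>/environ` sees it). The key values, bucket, region, image and mount path are placeholders I made up.

```yaml
# Added example: credentials in a Secret, referenced (not copied) from the
# Fluentd ConfigMap via environment variables. All values are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: fluentd-aws
type: Opaque
stringData:   # written as plain text here; the API server stores it base64-encoded
  AWS_ACCESS_KEY_ID: AKIAEXAMPLEEXAMPLE        # placeholder, not a real key
  AWS_SECRET_ACCESS_KEY: example-secret-key    # placeholder, not a real key
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluentd-config
data:
  fluent.conf: |
    <source>
      @type forward
      port 24224
    </source>
    <match **>
      @type s3
      # Fluentd evaluates "#{...}" inside double-quoted values as Ruby at
      # config load time, so the ConfigMap contains only the variable names.
      aws_key_id "#{ENV['AWS_ACCESS_KEY_ID']}"
      aws_sec_key "#{ENV['AWS_SECRET_ACCESS_KEY']}"
      s3_bucket example-log-bucket
      s3_region eu-west-1
      path logs/
      <buffer time>
        @type file
        path /var/log/fluentd-buffers/s3
        timekey 3600
      </buffer>
    </match>
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fluentd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fluentd
  template:
    metadata:
      labels:
        app: fluentd
    spec:
      containers:
        - name: fluentd
          image: fluent/fluentd-kubernetes-daemonset:v1.7-debian-s3-1  # placeholder
          env:
            # secretKeyRef values arrive already decoded; the container sees
            # the plain key, not base64.
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: fluentd-aws
                  key: AWS_ACCESS_KEY_ID
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: fluentd-aws
                  key: AWS_SECRET_ACCESS_KEY
          volumeMounts:
            - name: config
              mountPath: /fluentd/etc/fluent.conf   # path assumed for this image
              subPath: fluent.conf
      volumes:
        - name: config
          configMap:
            name: fluentd-config
```

Two caveats. First, because the AWS SDK itself reads `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from the environment, the two `aws_key_id`/`aws_sec_key` lines could be dropped entirely and the plugin would still authenticate; they are kept here only to show the ENV reference the question asks about. Second, this separates the credential from the ConfigMap but does not protect it: the Secret manifest above is the thing that must never be committed, which is where the encrypted-secret tooling and Vault mentioned in the comments come in, and the IAM-role route in the other answer avoids having a long-lived key to protect at all.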