2

I am a beginner to Kubernetes. I have created a secret file and referred to it in the deployment YAML file.

app-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: app-secret
data:
  username: YWRtaW4=
  password: YWRtaW4=

deploy.yaml

env:
  - name: DEPLOY_ENV
    value: ${env}
  - name: NAMESPACE_NAME
    valueFrom:
      fieldRef:
        fieldPath: metadata.namespace
  - name: APP_USERNAME
    valueFrom:
      secretKeyRef:
        name: app-secret
        key: username
  - name: APP_PASSWORD
    valueFrom:
      secretKeyRef:
        name: app-secret
        key: password

While using the command `kubectl get secret pod-54rfxd -n dev-ns -o json`, it is printing the username and password in encoded format only. When I query for the environment variables list using the command `kubectl exec pod-54rfxd -n dev-ns -- printenv`, it gives the result below.

APP_USERNAME=admin
APP_PASSWORD=admin

Why was it not in encoded format in the environment variables? Could you please let me know the reason, and is it possible to have it in encoded format?

Varun

2 Answers

1

Secrets get stored in base64-encoded format when you create the secret. While adding or injecting the secret into the pod or deployment, Kubernetes by default decodes the secret from base64, so due to that you are getting the plain text from the OS as environment variables.

There are some other options to encrypt at rest, not encode.

https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets

https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengencryptingdata.htm

is it possible to have it in encoded format?

What you can do is save the encoded .env file into a secret and mount that file into the deployment path; that .env file will be accessible to the application while the content inside it will be encoded.

kubectl exec pod-54rfxd -n dev-ns -- printenv

This command you can maybe run only when you have admin permission on the cluster; otherwise others cannot access inside the pod.

Harsh Manvar
  • Thanks a lot for your response. I will read the above options and will try it & let you know. – Varun Apr 19 '21 at 05:34
  • "what you can do is to save the encoded .env file into secret and mount that file into the deployment path that .env file will be accessible to the application while content inside it will be encoded" - Could you please share any samples if you have? – Varun Apr 19 '21 at 05:47
  • You can check this answer; it's the same as what I was describing. In env, for VAR1 & VAR2 you can store the encoded base64 values and add that inside the pod. https://stackoverflow.com/a/64872936/5525824 There will be a little difference: you have to store the .env file inside the secret instead of creating the secret `--from-file`. – Harsh Manvar Apr 19 '21 at 05:50
  • https://alibaba-cloud.medium.com/how-to-create-and-use-configmaps-in-kubernetes-e6d1e0b150b4 Here is an example of using a configmap; you can also use it and save the encoded data into a .txt file. – Harsh Manvar Apr 19 '21 at 05:55
  • Thanks Harsh Manvar. Will try and let you know. – Varun Apr 19 '21 at 06:12
  • Harsh Manvar - From the link which you shared, I got another link - https://www.alibabacloud.com/blog/how-to-create-and-use-secrets-in-kubernetes_594723?spm=a2c41.12821011.0.0.515f6684uUa6YY This helped me to resolve my scenario. I finally went with the volume mount strategy as mentioned in this link. Thanks a lot for your explanations and suggestions. – Varun Apr 22 '21 at 13:27
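
The volume-mount approach discussed in this thread, as an added example that is not any poster's own code: the Secret from the question is mounted as read-only files instead of being exposed through `env`, so the values no longer appear in `printenv` output. The Deployment name, labels, image, volume name and mount path are assumptions; the mounted files still hold the decoded values, so anyone allowed to `kubectl exec` into the pod can read them.

```yaml
# Added example; names marked "assumed" are placeholders, not from the thread.
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
  namespace: dev-ns
type: Opaque
data:
  # base64 of "admin": an encoding for transport, not encryption.
  # The kubelet decodes these values before handing them to the container.
  username: YWRtaW4=
  password: YWRtaW4=
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app                      # assumed
  namespace: dev-ns
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app                   # assumed
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
        - name: app
          image: registry.example.com/app:1.0   # assumed placeholder image
          # No secretKeyRef entries under env: nothing secret shows up in printenv.
          volumeMounts:
            - name: app-secret-vol
              mountPath: /etc/app-secret        # assumed path
              readOnly: true
      volumes:
        - name: app-secret-vol                  # assumed
          secret:
            secretName: app-secret
            # Owner read-only instead of the default 0644.
            defaultMode: 0400
```

Each key becomes a file, here `/etc/app-secret/username` and `/etc/app-secret/password`, which the application reads at startup.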
1

You could use the stringData format:

apiVersion: v1
kind: Secret
metadata:
  name: app-secret
stringData:
  username: "YWRtaW4="
  password: "YWRtaW4="

From K8s doc: warning about stringData secret type

K8s doc

bigLucas