1

I'm working on a library to read secrets from a given directory that I've got easily up and running with Docker Swarm by using the /run/secrets directory as the defined place to read secrets from. I'd like to do the same for a Kubernetes deployment but looking online I see many guides that advise using various Kubernetes APIs and libraries. Is it possible to simply read from disk as it is with Docker Swarm? If so, what is the directory that these are stored in?

wyt
  • _of course_ it is, that is like reading a simple File from your path in the pod, if you mount that secret. Not everyone mounts those secrets, thus they read via Kubernetes clients. – Eugene Sep 15 '21 at 18:09
  • you could use spring-cloud-kubernetes for this, if you already have spring framework in house. – Eugene Sep 15 '21 at 18:12
  • Forgive my ignorance with Kube, after some more reading it looks like I can specify a `mountPath` in the `deployment.yaml`. I assume that I would just read it from there? So as simple as `File file = new File("whatever/my/mountPath/was/set/to")` Is that correct @Eugene? – wyt Sep 15 '21 at 18:29
  • pretty much, yes. you can mount that secret, then `exec` into the pod and see its contents. just know that the secret might be in a different encoding (not `Opaque`), then iirc, you _will_ need a client. – Eugene Sep 15 '21 at 18:31
  • but let me say that again - _if_ you already have Spring, this will be a breeze to do (I'm a spring-cloud-kubernetes contributor, so I might be biased). – Eugene Sep 15 '21 at 22:29

1 Answer

1

Please read the documentation

I see 2 practical ways to access the k8s secrets:

  1. Mount the secret as a file

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
```

  2. Expose the secret as an environmental variable

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: mycontainer
    image: redis
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password
```
gusto2
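
An added example, not part of the original question or answer: a Java reader for the directory a Secret is mounted at (option 1 above, `/etc/foo`), which works unchanged on Docker Swarm's `/run/secrets`. It assumes the kubelet's usual volume layout, where each key is a symlink into a hidden `..data` directory; the class name `MountedSecrets` is hypothetical.

```java
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import java.util.TreeMap;

// Added example (hypothetical class name): reads every key of a mounted Secret.
public final class MountedSecrets {

    private static final long MAX_BYTES = 1024 * 1024; // Kubernetes caps a Secret at 1 MiB

    /** Returns key -> raw bytes for each secret file directly under dir. */
    public static Map<String, byte[]> readAll(Path dir) throws IOException {
        Map<String, byte[]> secrets = new TreeMap<>();
        try (DirectoryStream<Path> entries = Files.newDirectoryStream(dir)) {
            for (Path entry : entries) {
                String key = entry.getFileName().toString();
                // The kubelet keeps bookkeeping entries ("..data", "..<timestamp>")
                // next to the keys; they are not secrets, so skip them.
                if (key.startsWith("..")) continue;
                // Each key is a symlink into ..data; isRegularFile follows links
                // by default and filters out directories and dangling links.
                if (!Files.isRegularFile(entry)) continue;
                if (Files.size(entry) > MAX_BYTES) {
                    throw new IOException("secret file too large: " + key);
                }
                // Keep raw bytes: values may be binary or end with a newline.
                secrets.put(key, Files.readAllBytes(entry));
            }
        }
        return secrets;
    }

    public static void main(String[] args) throws IOException {
        // Assumed default: the mountPath from the Pod spec in the answer.
        Path dir = Paths.get(args.length > 0 ? args[0] : "/etc/foo");
        for (Map.Entry<String, byte[]> e : readAll(dir).entrySet()) {
            // Print only the key and length, never the secret value.
            System.out.println(e.getKey() + ": " + e.getValue().length + " bytes");
        }
    }
}
```

Calling `readAll` again picks up rotated values, because the kubelet updates a mounted Secret by swapping the `..data` symlink rather than rewriting the files in place.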