Kubernetes Secrets: Opaque Secret Configuration, Pod Examples with Environment Variable Secrets and Volume Secrets; SSH Authentication Secret with Pod Example

Kubernetes-Components - This article is part of a series.
Part 12: This Article

Overview

Secrets are used to store and manage sensitive information, such as passwords, OAuth tokens, and SSH keys.

Opaque Secret

Base64 Encoding

# Encode the username
echo -n 'my-username' | base64

# Shell output:
bXktdXNlcm5hbWU=

# Encode the password
echo -n 'my-password' | base64

# Shell output:
bXktcGFzc3dvcmQ=

Secret Configuration

# Create secret configuration
vi opaque-secret-example.yaml
kind: "Secret"
apiVersion: "v1"
metadata:
  name: "opaque-secret-example"
  labels:
    app: "secret-example"
type: "Opaque"
data:
  username: "bXktdXNlcm5hbWU="  # Base64 encoding of "my-username"
  password: "bXktcGFzc3dvcmQ="  # Base64 encoding of "my-password"
# Deploy the secret configuration
kubectl create -f opaque-secret-example.yaml

List Secrets & Details

# List secrets
kubectl get secrets

# Shell output:
NAME                    TYPE     DATA   AGE
opaque-secret-example   Opaque   2      64s
# List secret details
kubectl describe secret opaque-secret-example

# Shell output:
Name:         opaque-secret-example
Namespace:    default
Labels:       app=secret-example
Annotations:  <none>

Type:  Opaque

Data
====
password:  11 bytes
username:  11 bytes
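kubectl describe only reports byte counts, so the following added example (not part of the article) builds the opaque-secret-example manifest in Python, encoding the values exactly as `echo -n ... | base64` does, and decodes the data field of a Secret object back to plaintext, as `kubectl get secret opaque-secret-example -o json` would return it. It also shows why base64 is only an encoding: anyone allowed to read the object recovers the values this way.

```python
import base64
import json
import re

# Kubernetes only accepts these characters in Secret data keys.
_KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")


def make_opaque_secret(name, values, labels=None):
    """Build an Opaque Secret manifest dict from plaintext values.

    Each value is base64-encoded without a trailing newline, which is what
    `echo -n 'value' | base64` in the article produces; `echo` without -n
    would encode an extra newline into the stored secret.
    """
    data = {}
    for key, value in values.items():
        if not _KEY_RE.match(key):
            raise ValueError(f"invalid Secret data key: {key!r}")
        data[key] = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "labels": labels or {}},
        "type": "Opaque",
        "data": data,
    }


def decode_secret_data(secret):
    """Decode the data field of a Secret object as `kubectl get secret NAME
    -o json` returns it. base64 is an encoding, not encryption: anyone
    allowed to read the object recovers the plaintext this way."""
    return {
        key: base64.b64decode(encoded, validate=True).decode("utf-8")
        for key, encoded in secret.get("data", {}).items()
    }


if __name__ == "__main__":
    secret = make_opaque_secret(
        "opaque-secret-example",
        {"username": "my-username", "password": "my-password"},
        labels={"app": "secret-example"},
    )
    print(json.dumps(secret, indent=2))  # pipe into: kubectl create -f -
    print(decode_secret_data(secret))    # {'username': 'my-username', ...}
```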

Pod: Secret as Environment Variable

Pod Configuration

# Create pod configuration
vi opaque-secret-example-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: example-pod
  labels:
    app: secret-example
spec:
  containers:
  - name: example-container
    image: nginx
    env:
      - name: USERNAME
        valueFrom:
          secretKeyRef:
            name: opaque-secret-example
            key: username
      - name: PASSWORD
        valueFrom:
          secretKeyRef:
            name: opaque-secret-example
            key: password
# Deploy the pod
kubectl create -f opaque-secret-example-pod.yaml

Verify the Environment Variables

# List pods
kubectl get pods

# Shell output:
NAME          READY   STATUS      RESTARTS   AGE
example-pod   1/1     Running     0          8s
# List environment variables
kubectl exec example-pod -c example-container -- printenv

# Shell output:
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=example-pod
NGINX_VERSION=1.25.5
NJS_VERSION=0.8.4
NJS_RELEASE=3~bookworm
PKG_RELEASE=1~bookworm
USERNAME=my-username # Secret
PASSWORD=my-password # Secret
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.233.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.233.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.233.0.1
KUBERNETES_SERVICE_HOST=10.233.0.1
HOME=/root
# List environment variables: Username and Password variables only
kubectl exec example-pod -c example-container -- sh -c 'echo USERNAME=$USERNAME PASSWORD=$PASSWORD'

# Shell output:
USERNAME=my-username PASSWORD=my-password

Delete the Pod

# Delete the pod
kubectl delete pod example-pod

Pod: Secret as a Volume

Pod Configuration

# Create pod configuration
vi opaque-secret-example-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: example-pod
  labels:
    app: secret-example
spec:
  containers:
  - name: example-container
    image: nginx
    volumeMounts:
    - name: secret-volume
      mountPath: "/etc/secret"
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: opaque-secret-example
# Deploy the pod
kubectl create -f opaque-secret-example-pod.yaml

Verify the Secrets in the Volume

# List pods
kubectl get pods

# Shell output:
NAME          READY   STATUS    RESTARTS   AGE
example-pod   1/1     Running   0          5s
# Exec the container shell
kubectl exec -it example-pod -c example-container -- /bin/bash
# Cat the password secret
cat /etc/secret/password

# Shell output:
my-password

# Cat the username secret
cat /etc/secret/username

# Shell output:
my-username

Delete the Pod

# Delete the pod
kubectl delete pod example-pod

Delete the Secret

# Delete the secret
kubectl delete secret opaque-secret-example

# Verify / list secrets
kubectl get secrets

SSH Key Secret

Generate SSH Key

Create an SSH key for the Kubernetes secret:

# Generate an Ed25519 key (256-bit)
ssh-keygen -t ed25519 -C "your_email@example.com"

Secret Configuration

# Create SSH key example
kubectl create secret generic ssh-key-secret-example --from-file=ssh-privatekey=/home/debian/.ssh/id_ed25519 --type=kubernetes.io/ssh-auth
  • ssh-key-secret-example: the name of the secret
  • --type=kubernetes.io/ssh-auth: marks this secret as an SSH authentication secret

List the Secret & Details

# List secrets
kubectl get secrets

# Shell output:
NAME                     TYPE                     DATA   AGE
ssh-key-secret-example   kubernetes.io/ssh-auth   1      3s
# List secret details
kubectl describe secret ssh-key-secret-example

# Shell output:
Name:         ssh-key-secret-example
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/ssh-auth

Data
====
ssh-privatekey:  419 bytes

Pod: SSH Key Secret

The following pod starts an Alpine container and mounts the SSH key from the secret into the “/root/.ssh” directory:

# Create pod configuration
vi ssh-key-secret-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: ssh-pod-example
spec:
  containers:
  - name: alpine-container
    image: alpine
    command: ["sh", "-c", "mkdir -p /root/.ssh && sleep 3600"]
    volumeMounts:
    - name: ssh-key
      mountPath: "/root/.ssh"
      readOnly: true
  volumes:
  - name: ssh-key
    secret:
      secretName: ssh-key-secret-example
      defaultMode: 0400  # File mode 0400: readable by the owner only
# Deploy the pod
kubectl create -f ssh-key-secret-pod.yaml

Verify the SSH Key inside the Container

# List pods
kubectl get pods

# Shell output:
NAME              READY   STATUS    RESTARTS   AGE
ssh-pod-example   1/1     Running   0          6s
# Exec the container shell
kubectl exec -it ssh-pod-example -c alpine-container -- /bin/ash
# Cat the SSH key
cat /root/.ssh/ssh-privatekey
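The three pods in this article consume secrets in two different ways (environment variables in the first pod, a secret volume in the second and in this SSH pod). The following added audit script (not part of the article) walks a Pod manifest the way the kubelet does, lists every Secret reference, and flags two things a reviewer would want to know: values exposed as environment variables (visible to every process in the container, as the printenv output above shows, and not refreshed when the Secret changes) and secret volume file modes that grant group/other access, including the common slip of writing 400 (decimal, which is 0620) instead of 0400 (octal; in a JSON manifest the same mode is the integer 256). The sample manifests are constructed after the ones above.

```python
# Sample Pod manifests, constructed after the pods in this article.
ENV_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "example-pod"}, "spec": {
    "containers": [{"name": "example-container", "image": "nginx", "env": [
        {"name": "USERNAME", "valueFrom": {"secretKeyRef": {"name": "opaque-secret-example", "key": "username"}}},
        {"name": "PASSWORD", "valueFrom": {"secretKeyRef": {"name": "opaque-secret-example", "key": "password"}}}]}]}}
SSH_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ssh-pod-example"}, "spec": {
    "containers": [{"name": "alpine-container", "image": "alpine",
                    "volumeMounts": [{"name": "ssh-key", "mountPath": "/root/.ssh", "readOnly": True}]}],
    # 0o400 == 256, which is how "defaultMode: 0400" from the YAML above arrives in JSON.
    "volumes": [{"name": "ssh-key", "secret": {"secretName": "ssh-key-secret-example", "defaultMode": 0o400}}]}}


def audit_pod(pod):
    """Return (refs, warnings) for a Pod manifest dict.

    refs lists every Secret the pod consumes as (how, where, secret, key);
    warnings flags env-var exposure and secret volume file modes that grant
    group/other access (Kubernetes applies 0644 when defaultMode is unset).
    """
    refs, warnings = [], []
    spec = pod.get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                refs.append(("env", c["name"], ref["name"], ref["key"]))
        for ef in c.get("envFrom", []):
            if "secretRef" in ef:
                refs.append(("envFrom", c["name"], ef["secretRef"]["name"], "*"))
    for v in spec.get("volumes", []):
        s = v.get("secret")
        if not s:
            continue
        refs.append(("volume", v["name"], s["secretName"], "*"))
        mode = s.get("defaultMode", 0o644)
        if not 0 <= mode <= 0o777:
            warnings.append(f"{v['name']}: defaultMode {mode} is outside 0..0777 and will be rejected")
        elif mode & 0o077:
            # 400 written as a decimal integer is 0620: group-writable, not owner-read-only.
            warnings.append(f"{v['name']}: defaultMode {mode:04o} is accessible to group/other")
    if any(r[0] in ("env", "envFrom") for r in refs):
        warnings.append("secret values in environment variables: visible to every process "
                        "in the container (cf. printenv) and not refreshed when the Secret changes")
    return refs, warnings


if __name__ == "__main__":
    for pod in (ENV_POD, SSH_POD):
        print(pod["metadata"]["name"], *audit_pod(pod), sep="\n  ")
```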

Delete the Resources

# Delete the pod
kubectl delete pod ssh-pod-example

# Delete the secret
kubectl delete secret ssh-key-secret-example