Creating secrets from files

We'll begin by using the file method of creating secrets. Let's say that you need to store a URL and a secret token for accessing an API. To achieve this, you'll need to follow these steps:

  1. Store the URL in secreturl.txt, as follows:
echo "https://my-secret-url-location.topsecret.com" > secreturl.txt
  2. Store the token in another file, as follows:
echo '/x~Lhx\nAz!,;.Vk%[#n+";9p%jGF6[' > secrettoken.txt
  3. Let Kubernetes create the secrets from the files, as follows:
kubectl create secret generic myapi-url-token --from-file=./secreturl.txt --from-file=./secrettoken.txt

The most interesting argument in the preceding command is the secret type, which we specify as generic. There are three secret types defined in Kubernetes:

    • docker-registry: This is used with the Docker registry; this is very important when you have to pull images from a private repository.
    • generic: This is the one that we used previously; it creates secrets from files, directories, or literal values.
    • tls: This is used to store SSL certificates that, for example, can be used in ingress.

The command should return the following output:

secret/myapi-url-token created

  4. We can check whether the secrets were created in the same way as any other Kubernetes resource by using the get command:
kubectl get secrets

This command will return the following output:

NAME              TYPE                                  DATA   AGE
defa...           kubernetes.io/service-account-token   3      4d2h
myapi-url-token   Opaque                                2      2m14s

Opaque means that, from Kubernetes' perspective, the schema of the contents is unknown. It is an arbitrary set of key-value pairs with no constraints, as opposed to the docker-registry and tls secrets, which are verified as having the required details.

  5. For more details about the secrets, you can also run the describe command:
kubectl describe secrets/myapi-url-token

Notice that you give the secret's name if you only need the details of a specific secret. Running kubectl describe secrets without a name will give more details on all the secrets in a namespace.

You will get the following output:

Name:         myapi-url-token
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
secrettoken.txt:  32 bytes
secreturl.txt:    45 bytes

Note that neither of the preceding commands displayed the actual secret values.

  6. To get the secrets, run the following command:
kubectl get -o yaml secrets/myapi-url-token

You will get the following output:

apiVersion: v1
data:
  secrettoken.txt: L3h+TGh4XG5BeiEsOy5WayVbI24rIjs5cCVqR0Y2Wwo=
  secreturl.txt: aHR0cHM6Ly9teS1zZWNyZXQtdXJsLWxvY2F0aW9uLnRvcHNlY3JldC5jb20K
kind: Secret
...

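The data is stored as key-value pairs, with the filename as the key and the base64-encoded contents of the file as the value. Base64 is an encoding, not encryption, so anyone who can read the Secret object can recover the original values.

  7. The preceding values are base64 encoded. To get the actual values, run the following command: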
#get the token value
echo 'L3h+TGh4XG5BeiEsOy5WayVbI24rIjs5cCVqR0Y2Wwo=' | base64 -d

You will get the value that was originally entered, as follows:

/x~Lhx\nAz!,;.Vk%[#n+";9p%jGF6[

  8. Similarly, for the URL value, you can run the following command:
#get the url value
echo 'aHR0cHM6Ly9teS1zZWNyZXQtdXJsLWxvY2F0aW9uLnRvcHNlY3JldC5jb20K' | base64 -d

You will get the originally entered URL value, as follows:

https://my-secret-url-location.topsecret.com

In this section, we were able to store the URL and a secret token in a Kubernetes secret using files, and then get the actual secret values back by decoding the base64 data.
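
The following script is an added example, not code from the book: it models offline what the --from-file steps above store (file name as key, base64 of the raw file bytes as value) and shows that the newline echo appends becomes part of the secret. The helper function names and the secreturl-clean.txt file are assumptions made for illustration, and no cluster is contacted.

```shell
#!/bin/sh
# Added example: an offline model of what
# `kubectl create secret generic --from-file` stores for each file.
# Helper names are hypothetical; no cluster is contacted.

# encode_file FILE: base64 of the raw file bytes on one line.
encode_file() {
    base64 < "$1" | tr -d '\n'
}

# byte_count FILE: size in bytes, the figure `kubectl describe` reports.
byte_count() {
    wc -c < "$1" | tr -d ' '
}

# decoded_length VALUE: bytes a consumer receives after base64 decoding.
decoded_length() {
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# secret_manifest NAME FILE...: Secret manifest, one data key per file name.
secret_manifest() {
    name=$1
    shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n' "$name"
    printf 'type: Opaque\ndata:\n'
    for f in "$@"; do
        printf '  %s: %s\n' "$(basename "$f")" "$(encode_file "$f")"
    done
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
url="https://my-secret-url-location.topsecret.com"

# echo appends a newline that becomes part of the secret; printf '%s' does not.
echo "$url" > "$workdir/secreturl.txt"
printf '%s' "$url" > "$workdir/secreturl-clean.txt"

for f in "$workdir/secreturl.txt" "$workdir/secreturl-clean.txt"; do
    echo "$(basename "$f"): $(byte_count "$f") bytes"
done
secret_manifest myapi-url-token "$workdir"/secreturl*.txt
```

The 45 bytes reported for secreturl.txt in the describe output above are the 44-character URL plus that newline; an application that reads the value verbatim receives the newline too.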
