We'll begin by using the file method of creating secrets. Let's say that you need to store a URL and a secret token for accessing an API. To achieve this, you'll need to follow these steps:
- Store the URL in secreturl.txt, as follows:
echo "https://my-secret-url-location.topsecret.com" > secreturl.txt
- Store the token in another file, as follows:
echo '/x~Lhx\nAz!,;.Vk%[#n+";9p%jGF6[' > secrettoken.txt
- Let Kubernetes create the secrets from the files, as follows:
kubectl create secret generic myapi-url-token --from-file=./secreturl.txt --from-file=./secrettoken.txt
The most interesting argument in the preceding command is the secret type, which we specify as generic. There are three secret types defined in Kubernetes:
- docker-registry: This is used with the Docker registry; this is very important when you have to pull images from a private repository.
- generic: This is the one that we used previously; it creates secrets from files, directories, or literal values.
- tls: This is used to store SSL certificates that, for example, can be used in ingress.
The command should return the following output:
secret/myapi-url-token created
- We can check whether the secrets were created in the same way as any other Kubernetes resource by using the get command:
kubectl get secrets
This command will return the following output:
NAME              TYPE                                  DATA   AGE
defa...           kubernetes.io/service-account-token   3      4d2h
myapi-url-token   Opaque                                2      2m14s
Opaque means that, from Kubernetes' perspective, the schema of the contents is unknown. It is an arbitrary key-value pair with no constraints, as opposed to docker-registry or tls secrets, which are verified as having the required details.
- For more details about the secrets, you can also run the describe command:
kubectl describe secrets/myapi-url-token
Notice that you give the secret's name (myapi-url-token) if you only need the details of a specific secret. kubectl describe secrets will give more details on all the secrets in a namespace.
You will get the following output:
Name: myapi-url-token
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
secrettoken.txt: 32 bytes
secreturl.txt: 45 bytes
Note that neither of the preceding commands displayed the actual secret values.
- To get the secrets, run the following command:
kubectl get -o yaml secrets/myapi-url-token
You will get the following output:
apiVersion: v1
data:
  secrettoken.txt: L3h+TGh4XG5BeiEsOy5WayVbI24rIjs5cCVqR0Y2Wwo=
  secreturl.txt: aHR0cHM6Ly9teS1zZWNyZXQtdXJsLWxvY2F0aW9uLnRvcHNlY3JldC5jb20K
kind: Secret
...
The data is stored as key-value pairs, with the filename as the key and the base64-encoded contents of the file as the value.
- The preceding values are base64 encoded. To get the actual values, run the following command:
#get the token value
echo 'L3h+TGh4XG5BeiEsOy5WayVbI24rIjs5cCVqR0Y2Wwo=' | base64 -d
You will get the value that was originally entered, as follows:
/x~Lhx\nAz!,;.Vk%[#n+";9p%jGF6[
- Similarly, for the url value, you can run the following command:
#get the url value
echo 'aHR0cHM6Ly9teS1zZWNyZXQtdXJsLWxvY2F0aW9uLnRvcHNlY3JldC5jb20K' | base64 -d
You will get the originally entered url value, as follows:
https://my-secret-url-location.topsecret.com
In this section, we stored the URL and a secret token in a Kubernetes secret created from files, and got the actual secret values back.
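Added example (not part of the original text): base64 is an encoding, not encryption, so anyone who can read the Secret object can recover the values, and because the files were written with echo, each stored value also ends in a newline. The script below audits the data: section of the output shown above and reports each key's decoded size and whether it ends in a newline, without printing the value. The names secret_data_pairs and audit_secret are hypothetical helpers, and the manifest is reconstructed from the output on this page.

```shell
#!/bin/sh
# Added example: audit the data: section of a Secret manifest.
# SAMPLE_SECRET is constructed from the `kubectl get -o yaml` output shown above.
SAMPLE_SECRET='apiVersion: v1
data:
  secrettoken.txt: L3h+TGh4XG5BeiEsOy5WayVbI24rIjs5cCVqR0Y2Wwo=
  secreturl.txt: aHR0cHM6Ly9teS1zZWNyZXQtdXJsLWxvY2F0aW9uLnRvcHNlY3JldC5jb20K
kind: Secret'

# secret_data_pairs (hypothetical helper): print "key value" for every entry
# under the top-level data: mapping of a manifest read from stdin.
secret_data_pairs() {
  awk '
    /^data:[ \t]*$/ { in_data = 1; next }   # entering the data: mapping
    /^[^ \t]/       { in_data = 0 }         # any other top-level key ends it
    in_data && NF == 2 { sub(/:$/, "", $1); print $1, $2 }
  '
}

# audit_secret (hypothetical helper): for each key, report the decoded size in
# bytes and whether the stored value ends in a newline (0x0a). The decoded
# value itself is never written to the terminal.
audit_secret() {
  secret_data_pairs | while read -r key b64; do
    size=$(printf '%s' "$b64" | base64 -d | wc -c | tr -d ' ')
    last=$(printf '%s' "$b64" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    if [ "$last" = "0a" ]; then note="trailing-newline"; else note="clean"; fi
    echo "$key $size $note"
  done
}

# Against a live cluster, the input would come from:
#   kubectl get -o yaml secrets/myapi-url-token | audit_secret
printf '%s\n' "$SAMPLE_SECRET" | audit_secret
```

The sizes match the byte counts reported by kubectl describe. To keep the newline out of the secret, write the files with printf '%s' instead of echo, or pass the values with --from-literal.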