Today’s short post is about Kubernetes secrets, and is more of a note to self than an intend to make others aware. I did take it upon myself to explain what secrets are and options.
A kubernetes secret is a handy way to keep your secure data stored: password, license keys, AuthToken, etc. Keeping data stored in k8s secrets alone doesn’t make it secure enough in some cases, but it is better than putting this values in a image definition. There are other solution that can work better depending on your needs, I will not go into any further details than just mentioning other options. The intention of this post is to cover the usage of secrets in Kubernetes.
- K8S Secrets by Kubernetes
- Vault by Hashicorp
- SecertHub by SecretHub (company founded Q3 2018)
- Secret Manager by Google
- B3rg1la$ by Google (I think?) is a CommandLineTool to facilitate the storage of Secrets using Cloud KMS and Cloud storage
- AWS Secret Manager by AWS
- just to mention a few..
Create a K8S secret
When using helm chart to install a software it oftens refers/requires certain secret, creating a secret is well documented here: https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret-manually
Retrieving a K8S secret (this is the notetoself)
In some cases the helm charts will create the secret for you as it is in the case when you use the Gitea or Jenkins charts. To find out the password in this case you can use
kubectl get secrets --all-namespaces
kubectl get secrets jenkins -n jenkins -o yamlThe oputput will be something like:
apiVersion: v1 data: jenkins-admin-password: UzBvbWVQYXNzdzByZCNOb3RUaDFTCg== jenkins-admin-user: YWRtaW4= kind: Secret metadata: creationTimestamp: 2020-08-13T14:38:20Z labels: app.kubernetes.io/component: jenkins-master app.kubernetes.io/instance: jenkins app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: jenkins helm.sh/chart: jenkins-2.5.0 name: jenkins namespace: jenkins resourceVersion: "2759937" selfLink: /api/v1/namespaces/jenkins/secrets/jenkins uid: 9a46b5ab-0acd-448e-b7c5-37d6a18c7960
echo -n UzBvbWVQYXNzdzByZCNOb3RUaDFTCg== |base64 -DWill display the secret in text value. Do not forget the
-nfor the echo command as it removes the newline character at the end