Distribute credentials with Secrets

更新时间:
复制 MD 格式

When deploying applications, manage database passwords, API keys, and other sensitive data with Secrets instead of hard-coding credentials in application code. Store credentials in Secrets and distribute them to pods as volumes or environment variables.

Prerequisites

Before you begin, make sure you have:

Background

Pods can consume a Secret in two ways:

  • Mount the Secret as a volume to the pod.

  • Expose the Secret as environment variables for the pod.

See Kubernetes Secrets.

Create a Secret

These steps create a Secret named secret-test that stores a username and password.

Secret values must be Base64-encoded. To encode a value, run echo -n 'your-value' | base64.
  1. Log on to the ACK console and click Clusters in the left navigation pane.

  2. On the Clusters page, find the target cluster and click its name. In the left pane, choose Workloads > Deployments.

  3. On the Deployments page, click Create from YAML.

  4. Select Custom, paste the following YAML into the editor, and click Create.

    apiVersion: v1
    kind: Secret
    metadata:
      name: secret-test
    type: Opaque
    data:
      username: admin   # Must be Base64-encoded
      password: 12345   # Must be Base64-encoded

You can also manage Secrets with a form-based approach.

Mount a Secret as a volume

Each key in the Secret becomes a file in the mount directory, with the value as file content.

Use the CLI

This example mounts secret-test into a pod at /srt, making the username and password keys available as files.

Create a file named example0.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: pod0
spec:
  containers:
  - name: redis
    image: redis
    volumeMounts:
    - name: srt
      mountPath: "/srt"
      readOnly: true
  volumes:
  - name: srt
    secret:
      secretName: secret-test

Apply the manifest:

kubectl apply -f example0.yaml

Use the console

  1. Log on to the ACK console and click Clusters in the left navigation pane.

  2. On the Clusters page, find the target cluster and click its name. In the left pane, choose Workloads > Deployments.

  3. On the Deployments page, click Create from Image. See Create a stateless application by using a Deployment.

  4. On the Basic Information wizard page, configure the parameters and click Next.

  5. On the Container wizard page, go to the Volume section and click Add Local Storage. Set these fields, then click Next:

    Field Value
    PV Type Secret
    Mount Source The Secret created in Create a Secret
    Container Path Path where Secret files appear in the container

    Configure volume

  6. On the Advanced wizard page, configure remaining parameters and click Create.

Expose a Secret as environment variables

Each key-value pair in the Secret maps to an environment variable in the container.

Use the CLI

This example references the username and password keys from secret-test as environment variables USERNAME and PASSWORD in a pod.

Create a file named example1.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: pod1
spec:
  containers:
  - name: redis
    image: redis
    env:
      - name: USERNAME
        valueFrom:
          secretKeyRef:
            name: secret-test
            key: username
      - name: PASSWORD
        valueFrom:
          secretKeyRef:
            name: secret-test
            key: password

Apply the manifest:

kubectl apply -f example1.yaml

Use the console

  1. Log on to the ACK console and click Clusters in the left navigation pane.

  2. On the Clusters page, find the target cluster and click its name. In the left pane, choose Workloads > Deployments.

  3. On the Deployments page, click Create from Image. See Create a stateless application by using a Deployment.

  4. On the Basic Information wizard page, configure the parameters and click Next.

  5. On the Container wizard page, go to the Environments section and click Add. Set these fields for each environment variable:

    Field Value
    Type Secrets
    Variable name Environment variable name (e.g., USERNAME)
    Value/ValueFrom Select the Secret from Create a Secret and the key (username or password)

    Configure environment variables

  6. On the Advanced wizard page, configure remaining parameters and click Create.

Next steps

  • Manage Secrets — create, view, and delete Secrets in the ACK console

  • Secrets — Kubernetes official documentation on Secret types, immutability, and best practices