
Container Compute Service:Configure a pod to use a Secret

Last Updated:Dec 05, 2024

If your workload needs to connect to a backend database or verify the identity of a client, you need to store sensitive information in your cluster, such as usernames, passwords, and certificates. To prevent data leakage, we recommend that you store sensitive information in Secrets provided by Alibaba Cloud Container Compute Service (ACS). This topic describes how to create a Secret in the ACS console. This topic also describes how to mount a Secret as a volume to a pod and expose a Secret as environment variables for a pod.

Prerequisites

Create a Secret

The following example shows how to create a Secret named secret-test.

  1. Log on to the ACS console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its ID. In the left-side pane, choose Workloads > Deployments.

  3. On the Deployments page, click Create from YAML in the upper-right corner.

  4. Select a template or Custom, copy the following YAML content to the editor, and then click Create.

    The following YAML content is used to create a Secret named secret-test:

    apiVersion: v1
    kind: Secret
    metadata:
      name: secret-test
    type: Opaque
    data:
      username: YWRtaW4=  # Base64-encoded value of admin. Base64 is a reversible encoding, not encryption.
      password: MTIzNDU=  # Base64-encoded value of 12345.

You can also create a Secret in the ACS console. For more information, see Create a Secret.
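The data field of a Secret holds Base64-encoded values, and Base64 is an encoding, not encryption: anyone who can read the manifest can recover the plaintext. The following added example (not code from the page or from ACS) produces the two values used in secret-test, renders the manifest, and decodes it again; the function names encode_secret_value, render_secret_manifest and decode_manifest_data are this example's own. It also shows the common pitfall of encoding a trailing newline, and validates keys against the character set Kubernetes accepts for Secret data keys.

```python
import base64
import re

# Kubernetes accepts only these characters in Secret/ConfigMap data keys.
_KEY_PATTERN = re.compile(r"^[-._a-zA-Z0-9]+$")


def encode_secret_value(value: str) -> str:
    """Base64-encode a plaintext value for the data: field of a Secret.

    The value is encoded exactly as given; a trailing newline (as produced by
    `echo admin | base64` instead of `printf '%s' admin | base64`) becomes
    part of the stored value.
    """
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def decode_secret_value(encoded: str) -> str:
    """Recover the plaintext from a data: value.

    Anyone who can read the manifest can do this: Base64 is a reversible
    encoding, not encryption.
    """
    return base64.b64decode(encoded, validate=True).decode("utf-8")


def render_secret_manifest(name: str, values: dict) -> str:
    """Build an Opaque Secret manifest with Base64-encoded data: entries."""
    for key in values:
        if not _KEY_PATTERN.match(key):
            raise ValueError(f"invalid Secret data key: {key!r}")
    lines = [
        "apiVersion: v1",
        "kind: Secret",
        "metadata:",
        f"  name: {name}",
        "type: Opaque",
        "data:",
    ]
    for key in sorted(values):
        lines.append(f"  {key}: {encode_secret_value(values[key])}")
    return "\n".join(lines) + "\n"


def decode_manifest_data(manifest: str) -> dict:
    """Parse the data: section of a rendered manifest back to plaintext.

    A minimal line parser is used so the example has no PyYAML dependency.
    """
    result = {}
    in_data = False
    for line in manifest.splitlines():
        if line.strip() == "data:":
            in_data = True
            continue
        if in_data and line.startswith("  ") and ":" in line:
            key, _, encoded = line.strip().partition(":")
            result[key] = decode_secret_value(encoded.strip())
        elif in_data and not line.startswith("  "):
            in_data = False
    return result


if __name__ == "__main__":
    # Constructed sample values: the same ones the page stores in secret-test.
    manifest = render_secret_manifest(
        "secret-test", {"username": "admin", "password": "12345"}
    )
    print(manifest)
    print(decode_manifest_data(manifest))
```

Because the manifest is trivially decodable, treat the YAML file itself as sensitive: keep it out of source control and restrict who can read Secret objects in the cluster with RBAC.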

Mount the Secret as a volume to a pod

You can mount the Secret as a volume to a pod by using the following methods:

Use the CLI

A mounted Secret is presented to the pod as files. In this example, the Secret secret-test is mounted in the /srt directory, and each key becomes a file whose content is the decoded value: /srt/username and /srt/password.

  1. Create a file named example0.yaml and copy the following content to the file:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod0
    spec:
      containers:
      - name: redis
        image: redis
        volumeMounts:
        - name: srt
          mountPath: "/srt"
          readOnly: true
      volumes:
      - name: srt
        secret:
          secretName: secret-test
  2. Run the following command to create a pod to which the Secret secret-test is mounted:

    kubectl apply -f example0.yaml
  3. Run the following command to check whether the Secret is mounted to the pod:

    kubectl describe pod pod0 | grep -A 4 Volumes

    Expected output:

    Volumes:
      srt:
        Type:        Secret (a volume populated by a Secret)
        SecretName:  secret-test
        Optional:    false

Use the ACS console

  1. Log on to the ACS console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its ID. In the left-side pane, choose Workloads > Deployments.

  3. On the Deployments page, click Create from Image.

  4. On the Basic Information wizard page, configure the parameters and click Next.

  5. On the Container wizard page, click Add Local Storage in the Volume section. Set PV Type to Secret, Mount Source to the Secret that you created in Create a Secret, and Container Path to the path to be accessed in the container. After you complete the configuration, click Next.

    The following figure shows an example on how to configure the volume.

    (Figure: Configure data volume)

  6. On the Advanced wizard page, configure the parameters and click Create.

Expose the Secret as environment variables for a pod

You can expose the Secret as environment variables for a pod by using the following methods:

Use the CLI

In this example, the username and password stored in the Secret secret-test are referenced in environment variables of a pod.

  1. Create a file named example1.yaml and copy the following content to the file:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod1
    spec:
      containers:
      - name: redis
        image: redis
        env:
          - name: USERNAME
            valueFrom:
              secretKeyRef:
                name: secret-test
                key: username
          - name: PASSWORD
            valueFrom:
              secretKeyRef:
                name: secret-test
                key: password
  2. Run the following command to create a pod that references the Secret secret-test in its environment variables:

    kubectl apply -f example1.yaml
  3. Run the following command to check whether the environment variables are populated from the Secret:

    kubectl describe pod pod1 | grep -A 2 Environment

    Expected output:

        Environment:
          USERNAME:                 <set to the key 'username' in secret 'secret-test'>  Optional: false
          PASSWORD:                 <set to the key 'password' in secret 'secret-test'>  Optional: false
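The two procedures above deliver the same credentials in different shapes: example0.yaml as the files /srt/username and /srt/password, example1.yaml as the environment variables USERNAME and PASSWORD. The following added example (not code from the page or from ACS) is application-side code that consumes either form: it reads the mounted file when present and falls back to the environment variable, and it never logs the credential itself. The function names load_credential, make_demo_mount and redact are this example's own; make_demo_mount builds a constructed directory laid out like the Secret volume so the code runs outside a cluster.

```python
import os
import tempfile
from pathlib import Path

# Mount path used by example0.yaml on this page; the pod sees one file per Secret key.
DEFAULT_MOUNT_DIR = "/srt"


def load_credential(key: str, mount_dir: str = DEFAULT_MOUNT_DIR, environ=None) -> str:
    """Return the value of Secret key `key`.

    Lookup order: the file <mount_dir>/<key> written by the Secret volume
    (example0.yaml), then the environment variable KEY (example1.yaml).
    The file holds the decoded value byte for byte, so it is not stripped;
    a trailing newline there means the Secret itself was created with one.
    """
    if environ is None:
        environ = os.environ
    path = Path(mount_dir) / key
    if path.is_file():
        return path.read_text(encoding="utf-8")
    env_name = key.upper()
    if env_name in environ:
        return environ[env_name]
    raise LookupError(f"Secret key {key!r} not found in {mount_dir} or ${env_name}")


def make_demo_mount(values: dict) -> str:
    """Create a temporary directory laid out like a Secret volume mount
    (one file per key, decoded contents). Constructed fixture for this example only."""
    directory = tempfile.mkdtemp(prefix="secret-test-")
    for key, value in values.items():
        (Path(directory) / key).write_text(value, encoding="utf-8")
    return directory


def redact(value: str) -> str:
    """Representation safe for logs: reports only the length, never the credential."""
    return f"<{len(value)} chars>"


if __name__ == "__main__":
    # Constructed sample: username delivered as a mounted file, password as an env var.
    demo = make_demo_mount({"username": "admin"})
    user = load_credential("username", mount_dir=demo)
    pw = load_credential("password", mount_dir=demo, environ={"PASSWORD": "12345"})
    print("username:", redact(user), "password:", redact(pw))
```

Preferring the file over the environment variable is deliberate: files in a Secret volume are refreshed by the kubelet when the Secret changes, whereas environment variables are fixed when the container starts, so a rotated password only reaches the application through the volume. Environment variables are also inherited by every child process and readable from /proc by the container's user, which is why the example redacts values before logging.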

Use the ACS console

  1. Log on to the ACS console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its ID. In the left-side pane, choose Workloads > Deployments.

  3. On the Deployments page, click Create from Image in the upper-right corner.

  4. On the Basic Information wizard page, configure the parameters and click Next.

  5. On the Container wizard page, click Environment Variables in the Environments section. Set Type to Secrets, enter the name of the variable, and set Value/ValueFrom to the Secret that you created in Create a Secret and the username or password field in the Secret.

    The following figure shows an example on how to configure the environment variables.

    (Figure: Variable name)