kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #21167 from sftim/20200525_fix_distribute_credentials_secure 

Fix incorrect Markdown in “Distribute Credentials Securely Using Secrets”
pull/21708/head
Kubernetes Prow Robot 2020-06-12 22:57:57 -07:00 committed by GitHub
parent 664a7fc6e6 e6537e4043
commit eff3b7178e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 61 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
content/en/docs/tasks/inject-data-application/distribute-credentials-secure.md
View File

@ -15,11 +15,7 @@ encryption keys, into Pods.
{{< include "task-tutorial-prereqs.md" >}}
<!-- steps -->
## Convert your secret data to a base-64 representation
### Convert your secret data to a base-64 representation
Suppose you want to have two pieces of secret data: a username `my-app` and a password
`39528$vdg7Jb`. First, use a base64 encoding tool to convert your username and password to a base64 representation. Here's an example using the commonly available base64 program:
@ -36,6 +32,8 @@ and the base-64 representation of your password is `Mzk1MjgkdmRnN0pi`.
Use a local tool trusted by your OS to decrease the security risks of external tools.
{{< /caution >}}
<!-- steps -->
## Create a Secret
Here is a configuration file you can use to create a Secret that holds your
@ -84,15 +82,19 @@ username and password:
username: 7 bytes
```
{{< note >}}
If you want to skip the Base64 encoding step, you can create a Secret
by using the `kubectl create secret` command:
{{< /note >}}
### Create a Secret directly with kubectl
If you want to skip the Base64 encoding step, you can create the
same Secret using the `kubectl create secret` command. For example:
```shell
kubectl create secret generic test-secret --from-literal=username='my-app' --from-literal=password='39528$vdg7Jb'
kubectl create secret generic test-secret --from-literal='username=my-app' --from-literal='password=39528$vdg7Jb'
```
This is more convenient. The detailed approach shown earlier runs
through each step explicitly to demonstrate what is happening.
## Create a Pod that has access to the secret data through a Volume
Here is a configuration file you can use to create a Pod:
@ -112,38 +114,37 @@ Here is a configuration file you can use to create a Pod:
```
Output:
```shell
```
NAME READY STATUS RESTARTS AGE
secret-test-pod 1/1 Running 0 42m
```
1. Get a shell into the Container that is running in your Pod:
```shell
kubectl exec -it secret-test-pod -- /bin/bash
kubectl exec -i -t secret-test-pod -- /bin/bash
```
1. The secret data is exposed to the Container through a Volume mounted under
`/etc/secret-volume`. In your shell, go to the directory where the secret data
is exposed:
```shell
root@secret-test-pod:/# cd /etc/secret-volume
```
`/etc/secret-volume`.
1. In your shell, list the files in the `/etc/secret-volume` directory:
In your shell, list the files in the `/etc/secret-volume` directory:
```shell
root@secret-test-pod:/etc/secret-volume# ls
# Run this in the shell inside the container
ls /etc/secret-volume
```
The output shows two files, one for each piece of secret data:
```shell
```
password username
```
1. In your shell, display the contents of the `username` and `password` files:
```shell
root@secret-test-pod:/etc/secret-volume# cat username; echo; cat password; echo
# Run this in the shell inside the container
echo "$( cat /etc/secret-volume/username )"
echo "$( cat /etc/secret-volume/password )"
```
The output is your username and password:
```shell
```
my-app
39528$vdg7Jb
```
@ -171,11 +172,11 @@ is exposed:
* In your shell, display the content of `SECRET_USERNAME` container environment variable
```shell
kubectl exec -it env-single-secret -- /bin/sh -c 'echo $SECRET_USERNAME'
kubectl exec -i -t env-single-secret -- /bin/sh -c 'echo $SECRET_USERNAME'
```
The output is
```shell
```
backend-admin
```
@ -201,10 +202,10 @@ is exposed:
* In your shell, display the container environment variables
```shell
kubectl exec -it envvars-multiple-secrets -- /bin/sh -c 'env | grep _USERNAME'
kubectl exec -i -t envvars-multiple-secrets -- /bin/sh -c 'env | grep _USERNAME'
```
The output is
```shell
```
DB_USERNAME=db-admin
BACKEND_USERNAME=backend-admin
```
@ -234,29 +235,23 @@ This functionality is available in Kubernetes v1.6 and later.
* In your shell, display `username` and `password` container environment variables
````shell
kubectl exec -it envfrom-secret -- /bin/sh -c 'echo "username: $username\npassword: $password"'
````
```shell
kubectl exec -i -t envfrom-secret -- /bin/sh -c 'echo "username: $username\npassword: $password\n"'
```
The output is
````shell
```
username: my-app
password: 39528$vdg7Jb
````
```
## {{% heading "whatsnext" %}}
* Learn more about [Secrets](/docs/concepts/configuration/secret/).
* Learn about [Volumes](/docs/concepts/storage/volumes/).
### Reference
### References
* [Secret](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#secret-v1-core)
* [Volume](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#volume-v1-core)
* [Pod](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core)
## {{% heading "whatsnext" %}}
* Learn more about [Secrets](/docs/concepts/configuration/secret/).
* Learn about [Volumes](/docs/concepts/storage/volumes/).