I am trying to learn Google Kubernetes Engine. I am deploying a web app in Node.js on a cluster containing 6 sensitive environment variables. Locally I have them in an .env file that I have .gitignored. I push the code to github which creates a container on Cloud Build through a trigger.
I am using the graphical user interface of GCP (i.e not Kubectl, gsutil or the likes of it). I am also doing it without Yaml-files. This works perfectly fine for now.
However, I am troubleshooting an issue which makes me having to deploy new workloads all the time, and as such I need to add those environmental variables every time, which is quite tedious.
I understand the solution is to do it either using gsutil and/or use yaml-files. I know I will have to start using gsutil and yaml at some point, and maybe that is now.
However, I wonder if I put environmental variables in a yaml-file that I push to github and further on to GCP, I obviously cannot gitignore it. How, then, do I keep the passwords etc outside of the code base? I moved these variables from the code into environmental variables for that reason.
What is common/good practise to work with environmental variables on GCP - in a easy and safe manner?
CodePudding user response:
What is common/good practise to work with environmental variables on GCP - in a easy and safe manner?
Very easy documentation : https://cloud.google.com/kubernetes-engine/docs/concepts/secret
You should be using the Key-value store or other Key value management service.
Kubernetes suggest the best practice is to use the K8s secret and configmap which is base64 encoded key-value pair. That you applied to K8s cluster using YAML and which further get injected to deployment and application get it from the environment.
Either you inject variables into environment variables or inject as files into file system from where further used by the application.
You can check more at : https://kubernetes.io/docs/concepts/configuration/secret/
Basic example secret injecting as Environment:
apiVersion: v1
kind: Pod
metadata:
name: secret-env-pod
spec:
containers:
- name: mycontainer
image: redis
env:
- name: SECRET_USERNAME
valueFrom:
secretKeyRef:
name: mysecret
key: username
You store files into secret and that secret base64 encoded injected to deployment and add file there in the filesystem. Once your application starts it start using a file from that file.
Basic example secret injecting as File into file system:
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: mypod
image: redis
volumeMounts:
- name: foo
mountPath: "/etc/foo"
volumes:
- name: foo
secret:
secretName: mysecret
Now it's on you which type of Environment variables you have, if it's simple Key-value or .env etc.
If it's simple Keyvalue, you are looking for encryption at rest, security and other access policy, and UI to update secret.
i would recommend checking out the Hashicorp vault famous and used by many enterprises. Using this you can encrypt the secret and inject it into the deployment. But you need deploy and manage this workload it's not managed service like secret manager or so.
i am not an employee of Google but you are on GKE i would also suggest checking out the Secret manager or KMS which can manage your secret.
Article : https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets
Github CSI driver : https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp
If you have no concerns with encoding and those are not important secrets you can use default inbuilt K8s secret.
On committing YAML file side, if you are using Vault or secret manager you won't have to manage secret in YAML file or deployment YAML won't be storing any confidential secrets.