I am just wondering to know what is the result of running the following command?
kubectl create secret generic NAME [--from-literal=key1=value1]
Should we run it inside a specific file of the project?
Where does it save the result of running this command and how the application uses it's result?
CodePudding user response:
A Secret is a way of storing information in Kubernetes.
Where does it save the result of running this command
When you run that kubectl create secret command, it will create a Secret resource in your current namespace. If you're unsure what namespace you're currently configured to use, you can view it by running:
$ kubectl config get-contexts $(kubectl config current-context) | awk '{print $NF}'
NAMESPACE
default
How does the application uses it's result?
You can make the information in a secret available to an application in several ways:
- You can expose Secret values as environment variables
- You can mount Secrets as files on the filesystem
- You can retrieve secrets via the Kubernetes API
The linked documentation contains examples that show what this looks like in practice.
CodePudding user response:
This command will create a secret with the data key, key1 and its respective value, value1 in the default namespace.
Should we run it inside a specific file of the project?
For this command, no, it does not matter. This is an imperative command, so in this instance it does not matter where you are on your machine when you run this command. Imperative commands provide all of the resources with your command, in this case a secret with the key key1 and its respective value. The command is not referencing any files in your project, so you can run this from anywhere.
You can contrast this to a similar resource creation command that provides the resource the declarative way:
kubectl apply -f my-file.yaml
this command says to take the resource in the file and create or update the resource - but I need to supply the path to the file, so it would matter in this instance.
Where does it save the result of running this command
A request will be sent to the api-server which will try to create the object. Kubernetes will now include this object as part of its desired state, it will be stored in etcd. You can read more about the Kubernetes components in their docs - but insofar as it is relevant for this question, the secret object now exists in the cluster which is scoped to the default namespace.
Secrets are namespaced objects. This means if you want a pod to use the secret it will need to be in the same namespace as the secret. Your command in the question will create a secret in the 'default' namespace. This also means that anyone with access to the default namespace also can access the secret.
to view your secret you can run
kubectl get secret
if you want to see your data in it
kubectl get secret -o yaml
and how the application uses it's result?
There are a number of ways to consume secrets. Here is a example of how to set an env var from key1 in the secret data on a container for use.
note: this snippet only shows a section of a valid yaml template for a deployment which shows a container, named app, it's image and envs.
...
- name: app
image: your-app
env:
- name: NAME
valueFrom:
secretKeyRef:
name: name
key: key1
optional: false # same as default; "name" must exist
# and include a key named "username"
...
(kubernetes secret docs) https://kubernetes.io/docs/concepts/configuration/secret/