We recommend that you use Secrets to store sensitive information, such as passwords and certificates, in Kubernetes clusters. This topic describes how to create a Secret in the Container Service for Kubernetes (ACK) console. It also describes how to mount a Secret as a volume to a pod and how to expose a Secret as an environment variable for a pod. You can perform these operations by using the console or a CLI.

Prerequisites

Background information

You can use a Secret in a pod in the following scenarios:
  • Mount a Secret as a volume to a pod.
  • Expose a Secret as an environment variable for a pod.

For more information about Secrets, see Secrets.

Create a Secret

The following example shows how to create a Secret named secret-test.

  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. In the left-side navigation pane of the details page, choose Workloads > Deployments.
  5. On the Deployments page, click Create from YAML in the upper-right corner.
  6. Select a cluster and a namespace, select a sample template or enter a custom template, and then click Create.
    The following YAML template provides an example of how to create the Secret named secret-test:
    apiVersion: v1
    kind: Secret
    metadata:
      name: secret-test
    type: Opaque
    data:
      # Values under data must be Base64-encoded strings.
      username: YWRtaW4=   # Base64 encoding of "admin"
      password: MTIzNDU=   # Base64 encoding of "12345"

For more information about how to create a Secret in the ACK console, see Manage Secrets.
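The Base64 encoding that the data field requires is easy to get wrong from a shell, because echo appends a newline that ends up inside the stored value. The following script is an added example, not part of the original topic, that generates the secret-test manifest from plaintext values and decodes a key back out of it; the helper names b64, make_secret_manifest, and secret_value are hypothetical.

```shell
#!/bin/sh
# Added example: build a Secret manifest whose data values are Base64-encoded.
# b64, make_secret_manifest and secret_value are hypothetical helper names.

# Encode a string without a trailing newline. `echo 12345 | base64` would
# encode "12345\n", and the pod would then see a password ending in a newline.
# tr removes the line wrapping that base64 applies to long values.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Usage: make_secret_manifest NAME KEY=VALUE [KEY=VALUE ...]
# Prints an Opaque Secret manifest to stdout.
make_secret_manifest() {
    name=$1
    shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n' "$name"
    printf 'type: Opaque\ndata:\n'
    for pair in "$@"; do
        key=${pair%%=*}      # text before the first "="
        value=${pair#*=}     # text after the first "="
        printf '  %s: %s\n' "$key" "$(b64 "$value")"
    done
}

# Usage: secret_value KEY < manifest
# Decodes one key from the data section, to confirm what a pod would receive.
secret_value() {
    sed -n "/^data:/,\$ s/^  $1: //p" | base64 -d
}

# Sample values taken from this topic's secret-test example.
make_secret_manifest secret-test username=admin password=12345
```

Pipe the output to kubectl apply -f - to create the Secret without writing the plaintext values to a file.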

Mount a Secret as a volume to a pod

You can mount a Secret as a volume to a pod by using the following methods:

Mount a Secret as a volume to a pod by using a CLI

A mounted Secret can be used as files in a pod. In this example, the username and password in the secret-test Secret are stored as files in the /srt directory.

  1. Create an example0.yaml file and copy the following content into the file:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod0
    spec:
      containers:
      - name: redis
        image: redis
        volumeMounts:
        - name: srt
          mountPath: "/srt"
          readOnly: true
      volumes:
      - name: srt
        secret:
          secretName: secret-test
  2. Run the following command to create a pod to which the secret-test Secret is mounted:
    kubectl apply -f example0.yaml
    Note: Replace example0.yaml with the name of the YAML file that is used.

Mount a Secret as a volume to a pod in the ACK console

  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. In the left-side navigation pane of the details page, choose Workloads > Deployments.
  5. On the Deployments page, click Create from Image in the upper-right corner.
  6. On the Basic Information wizard page, set the parameters and click Next.
  7. On the Container wizard page, click Add Local Storage in the Volume section. Select Secret from the PV Type drop-down list, select the Secret that is created in Create a Secret from the Mount Source drop-down list, and specify a container path in the Container Path column. Click Next.

    [Figure: Configure the volume]
  8. On the Advanced wizard page, set the parameters and click Create.

Expose a Secret as an environment variable for a pod

You can expose a Secret as an environment variable for a pod by using the following methods:

Expose a Secret as an environment variable for a pod by using a CLI

In this example, the username and password stored in the secret-test Secret are referenced in an environment variable of a pod.

  1. Create an example1.yaml file and copy the following content into the file:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod1
    spec:
      containers:
      - name: redis
        image: redis
        env:
          - name: USERNAME
            valueFrom:
              secretKeyRef:
                name: secret-test
                key: username
          - name: PASSWORD
            valueFrom:
              secretKeyRef:
                name: secret-test
                key: password
  2. Run the following command to create a pod that references the secret-test Secret in its environment variables:
    kubectl apply -f example1.yaml
    Note: Replace example1.yaml with the name of the YAML file that is used.

Expose a Secret as an environment variable for a pod in the ACK console

  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. In the left-side navigation pane of the details page, choose Workloads > Deployments.
  5. On the Deployments page, click Create from Image in the upper-right corner.
  6. On the Basic Information wizard page, set the parameters and click Next.
  7. On the Container wizard page, click Environment variable in the Environments section. In this example, select Secret from the Type drop-down list and select the Secret that is created in Create a Secret from the Value/ValueFrom drop-down list. After you select the Secret, you must specify the key of the key-value pair that you want to reference and specify a name for the environment variable.

    [Figure: Variable name]
  8. On the Advanced wizard page, set the parameters and click Create.
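
With the volume method, each key of secret-test appears in the container as a file named after the key under the mount path, and with the environment variable method the decoded value is placed in the named variable. The following script is an added example, not part of the original topic, of how a process in the container can read a key under either method; read_secret and SECRET_DIR are hypothetical names, and a temporary directory stands in for the /srt mount so that the script runs outside a pod.

```shell
#!/bin/sh
# Added example: read a key of secret-test from inside the container.
# read_secret and SECRET_DIR are hypothetical names.

SECRET_DIR=${SECRET_DIR:-/srt}   # mountPath used in example0.yaml

# Usage: read_secret KEY
# Prefers the mounted file <SECRET_DIR>/<KEY>, which holds the decoded value.
# Falls back to the variable named after the upper-cased key, matching the
# USERNAME and PASSWORD entries in example1.yaml.
read_secret() {
    key=$1
    # Accept only names that are safe in a path and in eval below.
    case $key in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "invalid secret key name" >&2
            return 2 ;;
    esac
    if [ -r "$SECRET_DIR/$key" ]; then
        cat "$SECRET_DIR/$key"
        return 0
    fi
    var=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')
    eval "value=\${$var-}"
    if [ -n "$value" ]; then
        printf '%s' "$value"
        return 0
    fi
    echo "secret key '$key' not found in $SECRET_DIR or \$$var" >&2
    return 1
}

# Constructed stand-in for the pod: username comes from a mounted file,
# password from an environment variable.
demo_dir=$(mktemp -d)
printf 'admin' > "$demo_dir/username"
SECRET_DIR=$demo_dir
PASSWORD=12345
read_secret username; echo
read_secret password; echo
rm -rf "$demo_dir"
```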