We recommend that you use Secrets to store sensitive information, such as passwords and certificates, in Kubernetes clusters. This topic describes how to create a Secret in the Container Service for Kubernetes (ACK) console, how to mount a Secret as a volume to a pod, and how to expose a Secret as environment variables for a pod. You can perform these operations by using the console or the CLI.
Prerequisites
To mount a Secret as a volume to a pod, make sure that the Secret and pod belong to the same cluster and namespace.
Background information
You can use a Secret in a pod in the following scenarios:
Mount the Secret as a volume to the pod.
Expose the Secret as environment variables for the pod.
For more information about Secrets, see Secrets.
Create a Secret
The following example shows how to create a Secret named secret-test.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
On the Deployments page, click Create from YAML in the upper-right corner.
Select a template or Custom, copy the following YAML content to the editor, and then click Create.
The following YAML content is used to create a Secret named secret-test:
apiVersion: v1
kind: Secret
metadata:
  name: secret-test
type: Opaque
data:
  # Values under data must be encoded in Base64.
  username: YWRtaW4=   # Base64 of "admin"
  password: MTIzNDU=   # Base64 of "12345"
You can also use the web interface to create a Secret. For more information, see Manage Secrets.
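Added example (not part of the ACK documentation): a shell helper that produces the Base64-encoded data values the manifest above requires, using printf rather than echo so that no trailing newline ends up in the stored value. The function names b64 and secret_manifest are hypothetical, and the sample values are constructed; Base64 is an encoding, not encryption, so the generated manifest is as sensitive as the plaintext.

```bash
# Encode a value exactly as given. printf '%s' avoids the trailing newline
# that `echo` appends, which would otherwise become part of the password.
# tr strips the line wrapping some base64 implementations add to long output.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# secret_manifest NAME KEY=VALUE [KEY=VALUE ...]
# Prints an Opaque Secret manifest on stdout; returns 1 on malformed input.
secret_manifest() {
  [ "$#" -ge 2 ] || { echo "usage: secret_manifest NAME KEY=VALUE..." >&2; return 1; }
  local name="$1" pair key value out
  shift
  out=$(printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:' "$name")
  for pair in "$@"; do
    key=${pair%%=*}
    value=${pair#*=}
    # Secret keys may contain only alphanumerics, '-', '_' and '.'.
    case $key in
      ''|*[!A-Za-z0-9._-]*) echo "invalid key: $key" >&2; return 1 ;;
    esac
    # A pair without '=' leaves key equal to the whole argument.
    [ "$pair" != "$key" ] || { echo "missing '=' in: $pair" >&2; return 1; }
    out=$(printf '%s\n  %s: %s' "$out" "$key" "$(b64 "$value")")
  done
  printf '%s\n' "$out"
}

# Constructed sample values matching the secret-test example on this page.
secret_manifest secret-test username=admin password=12345
```

The output can be piped to kubectl apply -f - so that the plaintext values are never written to a file on disk.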
Mount the Secret as a volume to a pod
You can mount the Secret as a volume to a pod by using the following methods:
Use the CLI
A mounted Secret can be used as a file in a pod. In this example, the Secret secret-test, which contains the username and password, is mounted as files in the /srt directory.
Create a file named example0.yaml and copy the following content to the file:
apiVersion: v1
kind: Pod
metadata:
  name: pod0
spec:
  containers:
  - name: redis
    image: redis
    volumeMounts:
    - name: srt
      mountPath: "/srt"
      readOnly: true
  volumes:
  - name: srt
    secret:
      secretName: secret-test
Run the following command to create a pod to which the Secret secret-test is mounted:
kubectl apply -f example0.yaml
Note: Replace example0.yaml with the name of the YAML file that is used.
Use the console
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
On the Deployments page, click Create from Image.
For more information, see Create a stateless application by using a Deployment.
On the Basic Information wizard page, configure the parameters and click Next.
On the Container wizard page, click Add Local Storage in the Volume section. Set PV Type to Secret, Mount Source to the Secret that you created in Create a Secret, and Container Path to the path to be accessed in the container. After you complete the configuration, click Next.
The following figure shows an example of how to configure the volume.
On the Advanced wizard page, configure the parameters and click Create.
Expose the Secret as environment variables for a pod
You can expose the Secret as environment variables for a pod by using the following methods:
Use the CLI
In this example, the username and password stored in the Secret secret-test are referenced in environment variables of a pod.
Create a file named example1.yaml and copy the following content to the file:
apiVersion: v1
kind: Pod
metadata:
  name: pod1
spec:
  containers:
  - name: redis
    image: redis
    env:
    - name: USERNAME
      valueFrom:
        secretKeyRef:
          name: secret-test
          key: username
    - name: PASSWORD
      valueFrom:
        secretKeyRef:
          name: secret-test
          key: password
Run the following command to configure environment variables:
kubectl apply -f example1.yaml
Note: Replace example1.yaml with the name of the YAML file that is used.
Use the console
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
On the Deployments page, click Create from Image in the upper-right corner.
For more information, see Create a stateless application by using a Deployment.
On the Basic Information wizard page, configure the parameters and click Next.
On the Container wizard page, click in the Environments section. Set Type to Secrets, enter the name of the variable, and set Value/ValueFrom to the Secret that you created in Create a Secret and the username or password stored in the Secret.
The following figure shows an example of how to configure the environment variables.