Deploying on Kubernetes #6: Application Secrets

Assumptions

Necessary Background

  1. Define Requirements
  2. Create the helm chart to manage the resources
  3. Add the MySQL and Redis dependencies
  4. Create a functional unit of software … sortof.
  5. Configure some of the software

Secrets

  • It’s a different object, so access can be limited via Role Based Access Control (RBAC)
  • The information is encoded in base64, so odd secret types (for example, PGP keys) can be embedded easily
  • It is possible to encrypt them such that only applications with the required identity can read them.

The secrets we need

    # templates/configmap.yaml:14-18
        mysql:
          address: {{ default "kolide-fleet-mysql:3306" .Values.fleet.mysql.address }}
          username: {{ default "kolide" .Values.fleet.mysql.username }}
          # Handled as a secret in an environment variable
          # password: kolide

  • mysql.password
  • redis.password
  • auth.jwt_key

Reusing existing secrets

Stubbing Configuration

    # values.yml:6-12
    mysql:
      # This is a required value.
      mysqlPassword: ""
    redis:
      # This is a required value.
      redisPassword: ""
    # templates/secret.yml:1-11
    ---
    apiVersion: "v1"
    kind: "Secret"
    metadata:
      labels:
        app: {{ template "fleet.fullname" . }}
        chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
        heritage: "{{ .Release.Service }}"
        release: "{{ .Release.Name }}"
      name: {{ template "fleet.fullname" . }}
    data:
    # templates/secret.yml:11-14
    data:
      fleet.mysql.username: {{ required "A valid MySQL Username is required" .Values.mysql.mysqlUser | b64enc }}
      fleet.mysql.password: {{ required "A valid MySQL Password is required" .Values.mysql.mysqlPassword | b64enc }}
      fleet.auth.jwt_key: {{ required "A valid JWT key is required" .Values.fleet.auth.jwt_key | b64enc }}
  1. All the secrets are wrapped in the required function. It lets us tell the user that this value is not filled in automatically: they must supply it themselves, and the chart refuses to render until they do.
  2. All secrets are base64 encoded, as the Secret specification requires.
    $ cat <<EOF > values.secret.yaml
    ---
    # Generated values are quoted so YAML always reads them as strings.
    mysql:
      mysqlUser: "kolide"
      mysqlPassword: "$(pwgen 32 1)"
    redis:
      redisPassword: "$(pwgen 32 1)"
    fleet:
      auth:
        jwt_key: "$(pwgen 32 1)"
    EOF
    $ helm upgrade --install kolide-fleet --values values.yaml --values values.secret.yaml .

Consuming Configuration

    # templates/deployment.yml:50-68
          containers:
          - name: fleet
            env:
            - name: "KOLIDE_AUTH_JWT_KEY"
              valueFrom:
                secretKeyRef:
                  name: {{ template "fleet.fullname" . }}
                  key: "fleet.auth.jwt_key"
            - name: "KOLIDE_MYSQL_USERNAME"
              valueFrom:
                secretKeyRef:
                  name: {{ template "fleet.fullname" . }}
                  key: "fleet.mysql.username"
            - name: "KOLIDE_MYSQL_PASSWORD"
              valueFrom:
                secretKeyRef:
                  name: {{ template "fleet.fullname" . }}
                  key: "fleet.mysql.password"
            image: {{ .Values.pod.fleet.image | quote }}
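
As an added check that is not part of the original post or the chart, the Python script below verifies the wiring between the rendered Secret and the Deployment: every secretKeyRef must point at a key that exists in the Secret and decodes to a non-empty value, which is the property the required function guarantees at render time but a hand-edited Secret can silently lose. It works on the JSON that `kubectl get secret -o json` and `kubectl get deployment -o json` print; the samples are constructed inline, the Secret name `kolide-fleet-fleet` is an assumed rendering of the fullname template, and the redis reference is a hypothetical entry included to show how a dangling key is reported.

```python
import base64
import json

SECRET_NAME = "kolide-fleet-fleet"  # assumed rendering of {{ template "fleet.fullname" . }}
# Constructed sample of `kubectl get secret kolide-fleet-fleet -o json` (trimmed).
# Values are placeholders; jwt_key is deliberately empty to show detection.
SECRET_JSON = json.dumps({
    "kind": "Secret",
    "metadata": {"name": SECRET_NAME},
    "data": {
        "fleet.mysql.username": base64.b64encode(b"kolide").decode(),
        "fleet.mysql.password": base64.b64encode(b"placeholder-password").decode(),
        "fleet.auth.jwt_key": "",
    },
})
def _ref(var, key):  # one env entry of the shape templates/deployment.yml produces
    return {"name": var, "valueFrom": {"secretKeyRef": {"name": SECRET_NAME, "key": key}}}
# Constructed sample of `kubectl get deployment ... -o json` (trimmed). The redis entry
# is hypothetical: the chart's Secret template shown above defines no such key.
DEPLOYMENT_JSON = json.dumps({
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [{"name": "fleet", "env": [
        _ref("KOLIDE_AUTH_JWT_KEY", "fleet.auth.jwt_key"),
        _ref("KOLIDE_MYSQL_USERNAME", "fleet.mysql.username"),
        _ref("KOLIDE_MYSQL_PASSWORD", "fleet.mysql.password"),
        _ref("KOLIDE_REDIS_PASSWORD", "fleet.redis.password"),
    ]}]}}},
})

def check_secret_refs(secret_json, deployment_json):
    """Return the list of broken secretKeyRef wirings; empty means every ref resolves."""
    secret, deployment = json.loads(secret_json), json.loads(deployment_json)
    name, data = secret["metadata"]["name"], secret.get("data") or {}
    problems = []
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        for env in container.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if not ref or ref["name"] != name:
                continue  # literal value, or a reference to some other Secret
            if ref["key"] not in data:
                problems.append(f"{env['name']}: key {ref['key']!r} missing from Secret {name!r}")
                continue
            try:  # validate=True rejects stray characters instead of silently skipping them
                value = base64.b64decode(data[ref["key"]], validate=True)
            except ValueError:
                problems.append(f"{env['name']}: key {ref['key']!r} is not valid base64")
                continue
            if not value:  # `required` stops this at render time; a hand-made Secret may not
                problems.append(f"{env['name']}: key {ref['key']!r} is empty")
    return problems
```

Run it against live objects with `kubectl get secret <name> -o json` and `kubectl get deployment <name> -o json` saved to files and passed to check_secret_refs; an empty list means the pod will start with every secret-backed variable populated.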

In summary

    $ kubectl logs kolide-fleet-fleet-7c5f4999d7-9j6bt
    Using config file: /etc/fleet/config.yml
    ################################################################################
    # ERROR:
    # Your Fleet database is not initialized. Fleet cannot start up.
    #
    # Run `fleet prepare db` to initialize the database.
    ################################################################################

Andrew Howden

See https://www.andrewhowden.com/