From Settings to Startup: Managing Configuration and Initialization in Kubernetes
Kubernetes Secrets: Setting Sensitive Configurations
Secrets are like ConfigMaps, but they are specifically designed to store sensitive information, such as passwords, tokens, and keys. Another difference is that the data in Secrets is base64-encoded, which provides a basic level of obfuscation (not encryption). Secrets are also encrypted when stored in etcd, unlike ConfigMaps.
To create a Secret for our SIGNING_KEY, we need to encode the value using base64. We can do this using the echo command and the | base64 pipe.
echo -n 'my_secret_signing_key' | base64
The result should be:
bXlfc2VjcmV0X3NpZ25pbmdfa2V5
As noted, encoding is not a form of encryption; it is just a way to represent binary data and special characters in a text format. It is used here because:
- Base64 encoding transforms any input into a string that consists of only printable characters (A-Z, a-z, 0-9, +, /, and = for padding).
- Kubernetes YAML files are text-based and may not handle special or binary characters well.
Encoding enables us to safely include sensitive data in Kubernetes manifests without worrying about formatting issues or misinterpretation of special characters. The obfuscation feature of Base64 encoding is a bonus!
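The round trip described above, plus a check for the most common mistake with this command (omitting `-n`, which bakes a newline into the key), as an added example that is not part of the original tutorial. The function names are hypothetical and the key is the sample value from the text.

```bash
#!/usr/bin/env bash
# Added example. Function names are hypothetical; the key is the sample
# value used in the text.

# Encode a value for a Secret's data field. printf '%s' never appends a
# newline (plain `echo` without -n does), and tr removes the line wrapping
# that base64 applies to long inputs.
encode_secret() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a data value. No key is involved: anyone who can read the
# manifest or the Secret object can run this.
decode_secret() {
  printf '%s' "$1" | base64 -d
}

# Classify an encoded value: "invalid-base64", "trailing-newline" (decoded
# bytes end in LF or CR, the usual sign of a missing -n), or "ok".
audit_secret_value() {
  local last
  if ! printf '%s' "$1" | base64 -d >/dev/null 2>&1; then
    echo "invalid-base64"
    return 0
  fi
  # Inspect the last decoded byte as hex; $(...) alone would strip newlines.
  last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  case "$last" in
    0a|0d) echo "trailing-newline" ;;
    *)     echo "ok" ;;
  esac
}

good=$(encode_secret 'my_secret_signing_key')
bad=$(echo 'my_secret_signing_key' | base64)   # constructed mistake: no -n

echo "correct : $good -> $(audit_secret_value "$good")"
echo "no -n   : $bad -> $(audit_secret_value "$bad")"
echo "decoded : $(decode_secret "$good")"
```

A key stored with the stray newline still decodes cleanly, so the mismatch usually surfaces only later as signature verification failures between services.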
We can create a Secret manifest like this:
cat <<EOF > kubernetes/hmac-secret.yaml
apiVersion: v1
kind: Secret
metadata
