Kubernetes provides a neat concept for managing sensitive pieces of data, the Secret
A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in a container image. Using a Secret means that you don’t need to include confidential data in your application code.
Secret text is by default base64 encoded. For this reason it’s recommended that secret definitions are not published to git.
A sample configuration:
apiVersion v1 kind: Secret metadata: name: postgres-secrets namespace: bencode type: Opaque data: username: cG9zdGdyZXMK #postgres password: cGFzc3dvcmQK #password --- apiVersion: v1 kind: Pod metadata: name: secret-env-pod spec: containers: - name: awesome-db image: postgres:latest env: - name: POSTGRES_USER valueFrom: secretKeyRef: name: postgres-secrets key: username - name: POSTGRES_PASSWORD valueFrom: secretKeyRef: name: postgres-secrets key: password restartPolicy: Never
I recently wasted several hours troubleshooting Pods that had environment bound to opaque passwords. Here’s how I base64 encoded things:
echo password | base64
Turns out this is WRONG, as
echo by default will emit line endings. This issue is rather tough to troubleshoot, as echoing out the environment variables from within the running Pods, everything appears to be in order.
The correct way to encode:
echo -n password | base64