[Kubernetes Resources] Secret: Encrypted Data Configuration Management Explained

1. Theoretical knowledge of Secret encryption configuration

1. What is Secret?

The previous article, ConfigMap Configuration Management Center, covered the ConfigMap resource, which stores plaintext, non-encrypted data such as program configuration files. ConfigMap cannot encrypt anything, so sensitive information such as tokens, passwords and secret keys should be stored in a Secret instead.

2. The difference between Secret and configMap

  • ConfigMap: used to store plaintext, non-encrypted configuration information.
  • Secret: used to store encrypted data such as passwords, tokens and similar information.

3. Secret parameters and types

When creating a Secret from the command line there are three optional parameters:

  • generic: generic type, commonly used to store password data.
  • tls: used to store private keys and certificates.
  • docker-registry: used to store the authentication information for a Docker registry.

Secrets come in three types:

  • Service Account: referenced by a ServiceAccount. When a ServiceAccount is created, Kubernetes creates the corresponding Secret by default; if a Pod uses that ServiceAccount, the Secret is automatically mounted at /run/secrets/kubernetes.io/serviceaccount inside the Pod.
  • Opaque: Secret in base64-encoded format, used to store passwords, keys and the like. The original data can be recovered with base64 --decode, so the protection it offers is weak.
  • kubernetes.io/dockerconfigjson: used to store authentication information for private Docker registries.

2. Practice: using a Secret for encryption

1. Method 1: importing as environment variables

First, base64-encode the username and password values (this is what the post calls encryption; base64 is a reversible encoding, not encryption):

# echo appends a newline, so the encoded values below (ending in "K" / "Tgo=") contain it;
# use printf '%s' instead if the newline must not become part of the stored value
echo admin|base64
# the password is quoted so the shell does not expand the "*" as a glob
echo 'NTQ34tg*@19VF-AdmiN'|base64
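The following POSIX shell script is an added example, not part of the original post, that makes two points from the text concrete: the Opaque type is only base64-encoded, so any value can be decoded straight back to plaintext, and encoding with echo (as above) silently stores a trailing newline inside the Secret, which is a frequent cause of authentication failures. The function names and the constructed demo values are this example's own; the two base64 strings are the ones from the post's Secret.

```shell
#!/bin/sh
# Added example (not from the original post): base64 is reversible encoding, not encryption.
# Shows how a Secret value is produced, that echo's newline ends up inside the value, and
# that the stored value is trivially recovered by anyone allowed to read the Secret.

# Encode exactly the bytes given, with no trailing newline (what you usually want).
encode_value() {
    printf '%s' "$1" | base64
}

# Encode the way the post does: echo adds "\n", which becomes part of the stored value.
encode_value_with_echo() {
    echo "$1" | base64
}

# Decode a stored Secret value back to plaintext. This is all that "Opaque" protects against:
# a principal with permission to get the Secret can do exactly this.
decode_value() {
    printf '%s' "$1" | base64 -d
}

# Return success if the decoded value ends with a newline. A sentinel "x" is appended
# because command substitution would otherwise strip the very newline being checked.
has_trailing_newline() {
    nl='
'
    decoded=$(printf '%s' "$1" | base64 -d; printf 'x')
    case "$decoded" in
        *"${nl}x") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed demo: the username value exactly as stored in the post's var-secret.
PAGE_USERNAME_B64='YWRtaW4K'

echo "printf encoding of admin: $(encode_value admin)"             # YWRtaW4=
echo "echo encoding of admin:   $(encode_value_with_echo admin)"   # YWRtaW4K
echo "decoded page value:       [$(decode_value "$PAGE_USERNAME_B64")]"
if has_trailing_newline "$PAGE_USERNAME_B64"; then
    echo "note: the stored value contains a trailing newline"
fi
```

Because the value is recoverable by anyone who can read the object, the real controls are RBAC on Secrets (get/list in the namespace), encryption of Secrets at rest in etcd, and avoiding exposure of the values in logs or shell history; base64 contributes nothing to confidentiality.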

Create a Secret named var-secret:

cat varSecretConfig.yaml 

---
apiVersion: v1 
kind: Secret
metadata:
  name: var-secret
type: Opaque          # Secret type; Opaque stores base64-encoded data
data:
  username: YWRtaW4K  # the value is base64-encoded (the post's "encrypted")
  password: TlRRMzR0ZypAMTlWRi1BZG1pTgo=

Create a Deployment using the busybox image and reference the Secret:

cat vardeploy.yaml 
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vardemo
spec:
  replicas: 1
  selector:
    matchLabels:
      type: var
  template:
    metadata:
      labels:
        type: var
    spec:
      containers:
      - name: vardemo
        image: busybox:1.28.0
        imagePullPolicy: IfNotPresent
        command: ["/bin/sh", "-c", "sleep 36000"]
        env:
        - name: password
          valueFrom:
            secretKeyRef:
              name: var-secret
              key: password
        - name: username
          valueFrom:
            secretKeyRef:
              name: var-secret
              key: username

Execute the YAML file:

kubectl apply -f varSecretConfig.yaml 
kubectl apply -f vardeploy.yaml 

View the status of creating resources:

kubectl get pod -l type=var
kubectl get secret var-secret
kubectl describe secret var-secret


Enter the container to check whether the variable is successfully imported:

kubectl exec -it vardemo-5cf58dd664-vnv5q -- /bin/sh

echo $username
admin
echo $password
NTQ34tg*@19VF-AdmiN

2. Method 2: mounting the Secret as a volume

Create a Secret named volume-secret:

cat volumeSecretConfig.yaml 
---
apiVersion: v1 
kind: Secret
metadata:
  name: volume-secret
type: Opaque
data:
  username: YWRtaW4K
  password: TlRRMzR0ZypAMTlWRi1BZG1pTgo=

Create a Deployment and reference the Secret through a volume:

cat volumedeploy.yaml 
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: volumedemo
spec:
  replicas: 1
  selector:
    matchLabels:
      type: volume
  template:
    metadata:
      labels:
        type: volume
    spec:
      volumes:
      - name: volume-secret
        secret:
          secretName: volume-secret  # define the volume backed by the Secret
      containers:
      - name: volumedemo
        image: busybox:1.28.0
        imagePullPolicy: IfNotPresent
        command: ["/bin/sh", "-c", "sleep 36000"]
        volumeMounts:
        - name: volume-secret
          mountPath: /tmp 
          readOnly: true

Execute the YAML file:

kubectl apply -f volumeSecretConfig.yaml
kubectl apply -f volumedeploy.yaml

Enter the container to view:

kubectl exec -it volumedemo-6dc47cff57-qstv4 -- /bin/sh

cat /tmp/password 
NTQ34tg*@19VF-AdmiN

cat /tmp/username 
admin


Origin blog.csdn.net/weixin_45310323/article/details/131499575