In Kubernetes, secrets are used to securely store sensitive information such as passwords, API keys, and certificates. By adding secrets to your deployments, you can ensure that sensitive data is protected and accessed securely. In this blog post, we will explore how to add a secret to a Kubernetes deployment using the kubectl patch command, with a specific example using Nginx.
Prerequisites:
Before we begin, make sure you have the following prerequisites in place:
- Kubernetes cluster up and running.
- kubectl command-line tool installed and configured to connect to your cluster.
Step 1: Create a Secret
First, let’s create a secret that contains the sensitive data we want to add to our deployment. In this example, we’ll create a secret to store an SSL certificate for Nginx.
Create a file called nginx-secret.yaml and add the following content:
apiVersion: v1
kind: Secret
metadata:
name: nginx-secret
type: Opaque
data:
tls.crt: <base64-encoded-certificate-data>
tls.key: <base64-encoded-key-data>
Replace and with the base64-encoded values of your SSL certificate and key, respectively.
Save the file and apply the secret to your cluster using the following command:
kubectl apply -f nginx-secret.yaml
Step 2: Update the Deployment
Next, we’ll update the deployment to include a reference to the secret we created. Open a terminal and run the following command:
kubectl patch deployment nginx-deployment -n ns1 --type='json' -p='[{"op": "add", "path": "/spec/template/spec/volumes", "value": [{"name": "nginx-secret-volume","secret": {"secretName": "nginx-secret"}}]}]'
In the above command:
- nginx-deployment is the name of your deployment.
- ns1 is the namespace where the deployment resides.
- nginx-secret-volume is the name of the volume that will be mounted in the deployment.
- nginx-secret is the name of the secret we created earlier.
The kubectl patch command updates the deployment’s JSON specification to include the new volume mount.
Step 3: Mount the Secret in the Deployment
Now that we have added the volume reference to the deployment, we need to mount it into the container running Nginx.
Edit your deployment YAML file (e.g., nginx-deployment.yaml) and add the following volumeMounts section under the containers section:
spec:
containers:
- name: nginx
image: nginx:1.7.9
ports:
- containerPort: 80
volumeMounts:
- name: nginx-secret-volume
mountPath: /etc/nginx/certs
Save the file and apply the changes to your deployment:
kubectl apply -f nginx-deployment.yaml
The deployment will be updated, and the Nginx container will mount the secret as a volume at the specified path.
Conclusion
By following these steps, you have successfully added a secret to a Kubernetes deployment using the kubectl patch command. This approach allows you to securely store sensitive information and make it available to your application pods without exposing the actual data in your deployment YAML files. Secrets provide an essential layer of security for managing confidential information in your Kubernetes clusters.
Remember to always handle secrets with caution, ensuring proper access controls and encryption practices to maintain the integrity and confidentiality of your sensitive data in your Kubernetes deployments.
