Creating and Deploying Secrets (cont.)

This workshop has been deprecated and archived. The new Amazon EKS Workshop is now available at www.eksworkshop.com.

Exposing Secrets as Volumes

Secrets can be also mounted as data volumes on to a Pod and you can control the paths within the volume where the Secret keys are projected using a Pod manifest as shown below:


apiVersion: v1
kind: Pod
metadata:
  name: someName
  namespace: someNamespace
spec:
  containers:
  - name: someContainer
    image: someImage
    volumeMounts:
    - name: secret-volume
      mountPath: "/etc/data"
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: database-credentials
      items:
      - key: username
        path: DATABASE_USER 
      - key: password
        path: DATABASE_PASSWORD 

With the above configuration, what will happen is:

  • value for the username key in the database-credentials Secret is stored in the file /etc/data/DATABASE_USER within the Pod
  • value for the password key is stored in the file /etc/data/DATABASE_PASSWORD

Run the following set of commands to deploy a pod that mounts the database-credentials Secret as a volume.

wget https://eksworkshop.com/beginner/200_secrets/secrets.files/pod-volume.yaml
kubectl apply -f pod-volume.yaml
kubectl get pod -n octank

View the output logs from the pod to verfiy that the files /etc/data/DATABASE_USER and /etc/data/DATABASE_PASSWORD within the Pod have been loaded with the expected literal values

kubectl logs pod-volume -n octank

The output should look as follows:


cat /etc/data/DATABASE_USER
admin
cat /etc/data/DATABASE_PASSWORD
Tru5tN0!