====== Gerenciar Secrets no Kubernetes ======
$ echo -n 'usuario' > username.txt
$ echo -n 'senha' > password.txt
$ kubectl create secret generic mysql-secrets --from-file=username.txt --from-file=password.txt
secret/mysql-secrets created
$ kubectl get secrets
NAME TYPE DATA AGE
default-token-b4j7z kubernetes.io/service-account-token 3 4d15h
mysql-secrets Opaque 2 93s
$ kubectl delete secret mysql-secrets
secret "mysql-secrets" deleted
$ kubectl create secret generic mysql-secrets --from-literal=username=usuario --from-literal=password=senha
secret/mysql-secrets created
$ kubectl delete secret mysql-secrets
secret "mysql-secrets" deleted
$ echo 'senha' | base64
c2VuaGEK
$ echo 'c2VuaGEK' | base64 --decode
senha
Repare que `echo` sem `-n` inclui a quebra de linha no valor codificado (`c2VuaGEK` corresponde a `senha\n`); para gerar os valores usados no YAML utilize `echo -n`, como nos primeiros exemplos, senão a senha gravada no Secret termina com um `\n`.
$ cat mysql-secrets.yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: mysql-secrets
type: Opaque
data:
  mysql-root-password: NGxpbnV4
  mysql-user: c3Vwb3J0ZQ==
  mysql-password: NGxpbnV4
* **type: Opaque**: Define que, do ponto de vista do Kubernetes, o conteúdo deste Secret não é estruturado. Os valores em **data** estão apenas codificados em base64, não cifrados: qualquer pessoa com acesso ao objeto consegue decodificá-los, como mostra o `base64 --decode` acima.
$ kubectl apply -f mysql-secrets.yaml
secret/mysql-secrets created
$ kubectl describe secret mysql-secrets
Name: mysql-secrets
Namespace: default
Labels:
Annotations:
Type: Opaque
Data
====
mysql-password: 6 bytes
mysql-root-password: 6 bytes
mysql-user: 7 bytes
$ cat pod-secrets.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-secrets
spec:
  containers:
  - name: mysql
    image: mysql:5.6
    imagePullPolicy: IfNotPresent
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysql-secrets
          key: mysql-root-password
    - name: MYSQL_USER
      valueFrom:
        secretKeyRef:
          name: mysql-secrets
          key: mysql-user
    - name: MYSQL_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysql-secrets
          key: mysql-password
* **env**: Define variáveis de ambiente dentro do container. Note que os valores ficam em texto claro no ambiente do processo, e qualquer pessoa com permissão de `kubectl exec` no Pod consegue lê-los, como mostra o comando `env` mais adiante.
* **secretKeyRef**: Referencia o nome de um Secret e a chave cujo valor será injetado na variável de ambiente.
$ kubectl apply -f pod-secrets.yaml
pod/pod-secrets created
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-secrets 1/1 Running 0 30s
$ kubectl exec -it pod-secrets -- env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
TERM=xterm
HOSTNAME=pod-secrets
MYSQL_ROOT_PASSWORD=4linux
MYSQL_USER=suporte
MYSQL_PASSWORD=4linux
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
GOSU_VERSION=1.12
MYSQL_MAJOR=5.6
MYSQL_VERSION=5.6.51-1debian9
HOME=/root
$ kubectl get po pod-secrets -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod-secrets 1/1 Running 0 3m42s 172.16.213.135 kube-worker-02.juntotelecom.com.br
$ export POD=$(kubectl get po pod-secrets -o wide | awk -F" " '{print $6}' | tail -1)
$ kubectl exec -it pod-secrets -- bash
root@pod-secrets:/# mysql -u suporte -p4linux
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.6.51 MySQL Community Server (GPL)
Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)
mysql> quit
Bye
root@pod-secrets:/# exit
exit
$ kubectl delete -f mysql-secrets.yaml,pod-secrets.yaml
secret "mysql-secrets" deleted
pod "pod-secrets" deleted