Kubernetes about secrets and how to consume them in pods

11/21/2016

I am using GCP Container Engine in my project and now i am facing some issue that i don't know if it can be solved via secrets.

One of my deployments is node-js app server, there i use some npm modules which require my GCP service account key (.json file) as an input. The input is the path where this json file is located. Currently i managed to make it work by providing this file as part of my docker image and then in the code i put the path to this file and it works as expected. The problem is that i think that it is not a good solution because i want to decouple my nodejs image from the service account key because the service account key may be changed (e.g. dev,test,prod) and i will not be able to reuse my existing image (unless i will build and push it to a different registry) So i wanted to know if it is possible to upload this service account json file as secret and then consume it inside my pod. I saw it is possible to create secrets out of files but i don't know if it is possible to specify the path to the place where this json file is stored. If it is not possible with secrets (because maybe secrets are not saved in files...) so how (and if) it can be done?

Thanks in advanced!

-- Ran Hassid
google-kubernetes-engine
kubectl
kubernetes

2 Answers

11/21/2016

I think you deploy on GKE/GCE, you don't need the key and it's going to work fine.

I've only tested with Google Cloud Logging but it might be the same for other services as well.

Eg: i only need the below when deploying app on gke/gce

var loggingClient = logging({
    projectId: 'grape-spaceship-123'
});
-- Tuan Anh Tran
Source: StackOverflow

11/22/2016

You can make your json file a secret and consume in your pod. See the following link for secrets (http://kubernetes.io/docs/user-guide/secrets/), but I'll summarize next:

First create a secret from your json file:

kubectl create secret generic nodejs-key --from-file=./key.json 

Now that you've created the secret, you can consume in your pod (in this example as a volume):

{
 "apiVersion": "v1",
 "kind": "Pod",
  "metadata": {
    "name": "nodejs"
  },
  "spec": {
    "containers": [{
      "name": "nodejs",
      "image": "node",
      "volumeMounts": [{
        "name": "foo",
        "mountPath": "/etc/foo",
        "readOnly": true
      }]
    }],
    "volumes": [{
      "name": "foo",
      "secret": {
        "secretName": "nodejs-key"
      }
    }]
  }
}

So when your pod spins up the file will be dropped in the "file system" in /etc/foo/key.json

-- Steve Sloka
Source: StackOverflow