Kubernetes Secrets

When running an application in a team namespace, Kubernetes Secrets can be used directly instead of Vault.

To get started using this, simply create the secrets. A secret can be either key-value pairs or files, and can be exposed to the application as environment variables or files.

Example

Creating a secret

$ kubectl create secret generic my-secret --from-literal=key1=supersecret
secret/my-secret created

Info

The kubectl plugin kubectl-modify-secret is recommended if you need to modify the secret contents after creation.

Exposing my-secret as environment variables to the application by referring to it in nais.yaml

spec:
  envFrom:
    - secret: my-secret

That's it! When the application is running, the environment variable key1 will have the value supersecret.

Alternatively, if the secret should have its contents mounted into the containers as files:

spec:
  filesFrom:
    - secret: my-secret

The secret is then exposed under the path specified by spec.filesFrom[].mountPath (default /var/run/secrets). For this example it is available at /var/run/secrets/key1.
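How an application might consume the secret from either exposure described above, as an added example that is not part of the NAIS documentation. The helper names load_secret and list_mounted_keys are hypothetical, and the demo uses a temporary directory as a constructed stand-in for the mounted volume.

```python
import os
import re
import tempfile
from pathlib import Path

DEFAULT_MOUNT = Path("/var/run/secrets")  # default mountPath stated on this page
# Kubernetes key names: alphanumerics, '-', '_' and '.', never starting with '..'
KEY_RE = re.compile(r"[-._a-zA-Z0-9]+")


def load_secret(key, mount=DEFAULT_MOUNT, environ=os.environ):
    """Return the value for `key`: mounted file first, then environment.

    The value is returned without stripping whitespace. A missing secret
    raises KeyError so the app fails at startup rather than running with
    an empty credential.
    """
    if not KEY_RE.fullmatch(key) or key == "." or key.startswith(".."):
        raise ValueError(f"invalid secret key name: {key!r}")
    path = Path(mount) / key
    if path.is_file():
        return path.read_text(encoding="utf-8")
    if key in environ:
        return environ[key]
    raise KeyError(f"secret {key!r} not found in {mount} or the environment")


def list_mounted_keys(mount=DEFAULT_MOUNT):
    """List the key names in a secret volume.

    The kubelet keeps bookkeeping entries whose names start with '..'
    (such as '..data') beside the key files; those are not secret keys.
    """
    return sorted(p.name for p in Path(mount).iterdir()
                  if not p.name.startswith("..") and p.is_file())


def demo():
    """Constructed sample: a temporary directory stands in for the volume."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "..data").mkdir()                  # bookkeeping entry
        (Path(d) / "key1").write_text("supersecret")  # key from the example
        return {
            "keys": list_mounted_keys(d),
            "from_file": load_secret("key1", mount=d, environ={}),
            "from_env": load_secret("key1", mount=Path(d) / "absent",
                                    environ={"key1": "supersecret"}),
        }
```

Validating the key name before joining it to the mount path keeps a caller-supplied name from resolving to a file outside the secret volume.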

See the official Kubernetes documentation, or run kubectl create secret generic --help, for more details on creating and managing your secrets.