
Kubernetes Secrets

Integration with Google Cloud Platform

We also offer an optional integration with Google Secret Manager as a simplified supplement to using Kubernetes Secrets directly.

When running an application in a team namespace, Kubernetes Secrets can be used directly.

To get started using this, simply create the secrets. A secret can be either key-value pairs or files, and can be exposed to the application as environment variables or files.

Microsoft has a good YouTube video that explains the concepts of Kubernetes secrets.


Creating a secret

    $ kubectl create secret generic my-secret --from-literal=key1=supersecret
    secret/my-secret created


The kubectl plugin kubectl-modify-secret is recommended if you need to modify the secret contents after creation.

Expose my-secret as environment variables to the application by referring to it under spec.envFrom in nais.yaml:

    envFrom:
      - secret: my-secret

That's it! When the application is running, the environment variable key1 will have the value supersecret.

Alternatively, if the secret should have its contents mounted into the containers as files, refer to it under spec.filesFrom:

    filesFrom:
      - secret: my-secret

The secret is then exposed under the path specified by spec.filesFrom[].mountPath (default /var/run/secrets). For this example it is available at /var/run/secrets/key1. Note that if you want to mount multiple secrets, you need to specify a different mountPath on each one to avoid collisions.
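
As an added example (not part of the NAIS documentation), here is an application-side loader in Python that covers both exposure methods described above. The names read_secret and SecretNotFound are hypothetical; the key key1 and the default path /var/run/secrets are the ones used on this page.

```python
import os
import re
from pathlib import Path

# Default mount path stated on this page for spec.filesFrom.
DEFAULT_MOUNT_PATH = "/var/run/secrets"

# Kubernetes Secret keys may contain only alphanumerics, '-', '_' and '.'.
_KEY_RE = re.compile(r"[-._a-zA-Z0-9]+")


class SecretNotFound(Exception):
    """Raised when a key is neither mounted as a file nor set in the environment."""


def read_secret(key, mount_path=DEFAULT_MOUNT_PATH, environ=None):
    """Return the value of `key`, preferring the mounted file over the env var.

    The file is read on every call, so a value that has been updated in the
    mounted volume is picked up; an environment variable is fixed at
    container start.
    """
    if not _KEY_RE.fullmatch(key) or key in (".", ".."):
        # Also stops a caller-supplied key from escaping mount_path.
        raise ValueError("invalid secret key name")
    environ = os.environ if environ is None else environ

    secret_file = Path(mount_path) / key
    if secret_file.is_file():
        value = secret_file.read_text(encoding="utf-8")
        # Secrets created with --from-file often carry one trailing newline.
        return value[:-1] if value.endswith("\n") else value

    if key in environ:
        return environ[key]

    # Name the key and the places searched, never any secret value.
    raise SecretNotFound(f"secret {key!r} not found in {mount_path} or environment")
```

If several secrets are mounted, call read_secret with the mountPath configured for the secret that holds the key.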

See the official Kubernetes documentation or run kubectl create secret generic --help for more details on creating and managing your secrets.

Relevant information

Secret reloading

Last update: 2023-06-28
Created: 2019-10-04