1
00:00:00,000 --> 00:00:10,333
Hi let us understand what is secrets and how to work with them. After creating

2
00:00:10,333 --> 00:00:15,833
the pod there may be a requirement to use the credentials or some sensitive

3
00:00:15,833 --> 00:00:21,633
informations sometimes the open authentication tokens or SSH keys

4
00:00:21,633 --> 00:00:26,433
all this going to be very sensitive and the hard-coding it as a part of the pod or

5
00:00:26,433 --> 00:00:32,633
having it as it is within the config map is going to be risky. So kubernetes provides

6
00:00:32,633 --> 00:00:39,166
an option called secrets where the data will be encoded using the base 64 and

7
00:00:39,166 --> 00:00:43,999
it will be stored within the secrets and we can protect the entire secrets using the

8
00:00:44,000 --> 00:00:49,166
permissions and it's going to be more safe and secure and the data that is

9
00:00:49,166 --> 00:00:55,799
getting encoded within the base 64 it can be decoded as well but directly the entire

10
00:00:55,800 --> 00:01:02,200
text will not be logged anywhere or it's not going to get stored within the secrets.

11
00:01:02,200 --> 00:01:06,666
Now let us go ahead and see a demo where I do have a couple of files

12
00:01:06,666 --> 00:01:11,466
username and text. The secrets can be passed as a environmental variable to

13
00:01:11,466 --> 00:01:16,599
the pod or it can be stored as a text file and use it as a part of the volume that is

14
00:01:16,600 --> 00:01:21,033
getting mounted within the container. Now let me go ahead and create a couple

15
00:01:21,033 --> 00:01:27,899
of files username.txt and password.txt within username.txt I do have a text

16
00:01:27,900 --> 00:01:34,466
admin and within password.txt I do have a text, which is going to be some cryptic

17
00:01:34,466 --> 00:01:39,832
password. I'm going to use these two files and create the secret.

18
00:01:39,833 --> 00:01:44,933
In this introductory session we are going to create a secret of type genere and

19
00:01:44,933 --> 00:01:49,766
there are different other types available to hold the certificates and for different

20
00:01:49,766 --> 00:01:53,666
purpose that we will be seeing it as a part of advance discussion. I'm going to

21
00:01:53,666 --> 00:01:58,499
use the kubectl create command, I'm going to create a secret this is going to

22
00:01:58,500 --> 00:02:04,000
be the type and this is the name and I'm going to use the file username.txt and

23
00:02:04,000 --> 00:02:08,600
password.txt So the secret got created let me go ahead and get the

24
00:02:08,600 --> 00:02:16,400
secrets available. So I do have the secret with the name my secret and I can get

25
00:02:16,400 --> 00:02:20,600
the details about this particular secret using the describe command

26
00:02:20,600 --> 00:02:27,033
kubectl describe secrets and then the name of the secret. So I do have a secret

27
00:02:27,033 --> 00:02:34,566
and it is having user name.txt which is of 5 bytes and password.txt of 13 bytes

28
00:02:34,566 --> 00:02:40,566
I can get the details about the secret in the yaml format kubectl get secret name

29
00:02:40,566 --> 00:02:46,799
of the secret and output as yaml file. Within that it's going to have the data that

30
00:02:46,800 --> 00:02:54,266
is username.taxt and that will be used as a key and it is encoded using base64

31
00:02:54,266 --> 00:02:59,332
As you all know decoding base64 is much easier I can go ahead and decode

32
00:02:59,333 --> 00:03:05,699
this and show how it is going to look like. Let me copy the text that is available and

33
00:03:05,700 --> 00:03:11,566
echo that using base64 decoding. So I am going to echo this particular content

34
00:03:11,566 --> 00:03:16,732
pipe it to the the base64 code and decode them, so I have got the password

35
00:03:16,733 --> 00:03:22,333
let me pass the username as well. So I'm going to echo this particular text pipe it

36
00:03:22,333 --> 00:03:29,333
into base64 program and decode it, so I got the admin. So that means it is just

37
00:03:29,333 --> 00:03:34,933
going to encode using base64 and store it as a part of the secrets, so that I am not

38
00:03:34,933 --> 00:03:40,033
going to pass the actual text as it is it's going to get passed as the

39
00:03:40,033 --> 00:03:44,899
encoded information. So instead of storing the content within a text file and

40
00:03:44,900 --> 00:03:50,400
then passing them I can pass the literals as it is, for that I can use the

41
00:03:50,400 --> 00:03:58,266
options --from-literal So I am going to use the kubectl create option provide

42
00:03:58,266 --> 00:04:02,666
the name of the secret and I'm going to pass these two parameters where

43
00:04:02,666 --> 00:04:07,266
I'm going to pass the key and value pair so here I am passing the key password

44
00:04:07,266 --> 00:04:11,466
and the value corresponding to it and it is always recommended to encode the

45
00:04:11,466 --> 00:04:15,999
password in a single quote, so that I don't need to escape the special

46
00:04:16,000 --> 00:04:23,000
characters like amberson or back slash. The secret got created now I can get

47
00:04:23,000 --> 00:04:27,600
more details about this particular secret using kubectl get command in the

48
00:04:27,600 --> 00:04:31,400
yaml format. I can go ahead and decode in case if I wanted to get information

49
00:04:31,400 --> 00:04:37,533
about this particular encoded text. The same way I can create a yaml file and

50
00:04:37,533 --> 00:04:43,666
add the encoded text as a part of the yaml file and create the secret. Let me go

51
00:04:43,666 --> 00:04:49,466
ahead and create a yaml file, I do have a yaml file, let me check the content of the

52
00:04:49,466 --> 00:04:55,432
yaml file. So I do have the yaml file here I have added the username with base64

53
00:04:55,433 --> 00:05:02,533
encoded, how did I get it ? I echoed the actual text and using the base64

54
00:05:02,533 --> 00:05:08,233
program I got the encoded text. So here is the encoded text. So I have encoded

55
00:05:08,233 --> 00:05:13,433
the actual text and added it as a part of the yaml file. Once the yaml file is ready

56
00:05:13,433 --> 00:05:18,199
I can use the kubectl create command and provide the yaml file. As the secret

57
00:05:18,200 --> 00:05:23,200
with the name my secret already existing, let me go ahead and delete the my secret

58
00:05:23,200 --> 00:05:30,400
the one that we created using the literals, now I am going to use the yaml file and

59
00:05:30,400 --> 00:05:37,000
create the secret. So kubectl create and then provide the file name so the my secret

60
00:05:37,000 --> 00:05:41,433
should get created, now I can get the details about this particular my secret

61
00:05:41,433 --> 00:05:47,733
using the get command, so I do have the key password and the user name and the

62
00:05:47,733 --> 00:05:52,966
name of the secret is my secret. I can go ahead and use it within the pod. So let me

63
00:05:52,966 --> 00:05:57,866
go ahead and create a pod and make use of this particular secret and see how it's

64
00:05:57,866 --> 00:06:04,632
going to behave. Let me go ahead and create a pod so I do have a pod definition

65
00:06:04,633 --> 00:06:10,166
I'm going to use the redis pod, within that I'm going to use a volume. Here I am

66
00:06:10,166 --> 00:06:15,366
going to use the secret that is my secret, I'm going to use and that will get

67
00:06:15,366 --> 00:06:21,799
mounted within /etc/secret folder within the container. So what we are going to do

68
00:06:21,800 --> 00:06:26,933
we are going to mount the secrets as a part of the volume within the container.

69
00:06:26,933 --> 00:06:32,966
Let me go ahead and create the pod the pod should get created, now I can get into

70
00:06:32,966 --> 00:06:37,832
the pod using the pod name by providing exec command exec and then

71
00:06:37,833 --> 00:06:43,299
name of the pod I'm going to execute the bash shell this will make the executable

72
00:06:43,300 --> 00:06:49,300
to get executed in the interactive mode. I am into the pod. Here I am going to get

73
00:06:49,300 --> 00:06:54,366
into the mount path that we had provided as a part of the pod definition.

74
00:06:54,366 --> 00:07:01,866
that is /etc/secret here I do have the password and the username the text that

75
00:07:01,866 --> 00:07:07,332
was provided as a part of the secret. So here I do have the password and here

76
00:07:07,333 --> 00:07:12,066
I do have the username, so this was the username that was provided as a part of

77
00:07:12,066 --> 00:07:18,032
the yaml file. So I can verify that by using the decode option. So this was

78
00:07:18,033 --> 00:07:24,066
the yaml file which was used to create the secret. I can use the decode option

79
00:07:24,066 --> 00:07:30,266
and see the username. So the admin was used as the username and as

80
00:07:30,266 --> 00:07:34,866
a last option I am going to demonstrate how to use the secret as a part of the

81
00:07:34,866 --> 00:07:41,932
environmental variable for the pod. For that I do have another yaml file, here

82
00:07:41,933 --> 00:07:44,933
I'm going to pass the environmental variable where the name of the

83
00:07:44,933 --> 00:07:48,499
environmental variable is secret_username within that I am

84
00:07:48,500 --> 00:07:54,000
going to use the my secret and the key username and I can get into

85
00:07:54,000 --> 00:07:59,233
the container and check whether these environmental variable has passed along

86
00:07:59,233 --> 00:08:02,866
with the container or not when it was getting created. Let me go ahead and

87
00:08:02,866 --> 00:08:07,599
create the pod. So I'm going to use kubectl apply and the name of

88
00:08:07,600 --> 00:08:13,400
the yaml file the pod should get created. So this is the pod now I can get into the

89
00:08:13,400 --> 00:08:19,833
pod using kubectl exec command, I am into the pod. Now I am going to get the

90
00:08:19,833 --> 00:08:24,866
value of the environmental variable using echo statement, echo and then

91
00:08:24,866 --> 00:08:29,566
dollar the environmental variable where I do have the username admin getting

92
00:08:29,566 --> 00:08:34,032
printed the same way I can get the other environmental variable as well. I have got

93
00:08:34,033 --> 00:08:40,232
the actual value. So we had seen the different ways how to create the secret

94
00:08:40,232 --> 00:08:45,033
and how to make use of it along with the pod in terms of mounting it as a part of

95
00:08:45,033 --> 00:08:49,399
the volume as well as passing it as a part of the environmental variables and

96
00:08:49,400 --> 00:08:54,000
how the value is going to get encoded when the secret is getting created by

97
00:08:54,000 --> 00:08:59,233
passing it as a literal or passing it as a part of the text file. Now let's go ahead

98
00:08:59,233 --> 00:09:04,399
and clean this secrets that got created, so I'm going to use kubectl delete secret

99
00:09:04,400 --> 00:09:09,400
and then the name of the secret. I can check whether all the secrets got

100
00:09:09,400 --> 00:09:14,700
deleted or not I can use the command, so this is the default secret being used by

101
00:09:14,700 --> 00:09:19,300
kubernetes so I will leave it as it is. So in a quick summary we had seen

102
00:09:19,300 --> 00:09:24,100
how to create secrets and make use of it within the pods.