How to set secret data to kubernetes secrets by yaml?
I am using kubernetes to deploy a rails app to google container engine.
Follow the kubernetes secrets document: http://kubernetes.io/v1.1/docs/user-guide/secrets.html
I created a web controller file:
    # web-controller.yml
    apiVersion: v1
    kind: ReplicationController
    metadata:
      labels:
        name: web
      name: web-controller
    spec:
      replicas: 2
      selector:
        name: web
      template:
        metadata:
          labels:
            name: web
        spec:
          containers:
          - name: web
            image: gcr.io/my-project-id/myapp:v1
            ports:
            - containerPort: 3000
              name: http-server
            env:
              secret:
              - secretName: mysecret
And created a secret file:
    # secret.yml
    apiVersion: v1
    kind: Secret
    metadata:
      name: mysecret
    type: Opaque
    data:
      RAILS_ENV: production
When I run:
    kubectl create -f web-controller.yml
    error: could not read an encoded object from web-controller.yml: unable to load "web-controller.yml": json: cannot unmarshal object into Go value of type v1.EnvVar
    error: no objects passed to create
Maybe the YAML format is wrong in the web-controller.yml file. How should I write it?
You need to base64 encode the value and your key must be a valid DNS label, that is, replace RAILS_ENV with, for example, rails-env. See also this end-to-end example I put together here for more details and concrete steps.
We do not currently support secrets exposed as env vars.
    apiVersion: v1
    kind: Secret
    metadata:
      name: mysecret
    type: Opaque
    stringData:
      RAILS_ENV: production
stringData is the easy-mode version of what you're after. One thing though: you'll see the cleartext original YAML used to create the secret in the annotation (if you used the above method, that means you'll have a human-readable secret in your annotation; if you use the below method, you'll have the base64'd secret in your annotation), unless you follow up with the erase annotation command like so:
    kubectl apply -f secret.yml
    # the - at the end is what says to erase it
    kubectl annotate secret mysecret kubectl.kubernetes.io/last-applied-configuration-
    # to confirm
    kubectl get secret mysecret -n=api -o yaml
Alternatively you'd do:

    # -n keeps echo's trailing newline out of the encoded value
    Bash# echo -n production | base64
    cHJvZHVjdGlvbg==

    apiVersion: v1
    kind: Secret
    metadata:
      name: mysecret
    type: Opaque
    data:
      RAILS_ENV: cHJvZHVjdGlvbg==
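
An added example, not part of the original question or answers: a Python check over a Secret object (for instance the parsed output of `kubectl get secret mysecret -o json`) that flags the issues raised in this thread: a `data` value that is not base64, a value encoded together with the newline that `echo` appends, and a leftover last-applied-configuration annotation that still holds the secret. The `audit_secret` name and all sample objects are constructed for illustration.

```python
import base64
import binascii
import json

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"

def audit_secret(secret):
    """Return findings for a Secret given as a dict (e.g. parsed `-o json` output)."""
    findings = []
    for key, value in secret.get("data", {}).items():
        try:
            decoded = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            findings.append(f"data.{key}: not valid base64")
            continue
        if decoded != decoded.strip():
            findings.append(f"data.{key}: decoded value has surrounding whitespace")
    annotations = secret.get("metadata", {}).get("annotations", {})
    if LAST_APPLIED in annotations:
        # kubectl apply stores the applied manifest here, secret values included.
        applied = json.loads(annotations[LAST_APPLIED])
        for field in ("data", "stringData"):
            for key in applied.get(field, {}):
                findings.append(f"annotation still holds {field}.{key}")
    return findings

# Constructed samples, not taken from a real cluster.
AS_ASKED = {"kind": "Secret", "data": {"RAILS_ENV": "production"}}
ECHO_ENCODED = {"kind": "Secret", "data": {"RAILS_ENV": "cHJvZHVjdGlvbgo="}}
MANIFEST = {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "mysecret"},
            "type": "Opaque", "stringData": {"RAILS_ENV": "production"}}
AFTER_APPLY = {
    "kind": "Secret",
    "metadata": {"name": "mysecret",
                 "annotations": {LAST_APPLIED: json.dumps(MANIFEST)}},
    "data": {"RAILS_ENV": base64.b64encode(b"production").decode()},
}
CLEANED = {"kind": "Secret", "metadata": {"name": "mysecret"},
           "data": AFTER_APPLY["data"]}

if __name__ == "__main__":
    for name, obj in [("as asked", AS_ASKED), ("echo | base64", ECHO_ENCODED),
                      ("after apply", AFTER_APPLY), ("annotation erased", CLEANED)]:
        print(name, "->", audit_secret(obj) or "ok")
```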