In modern cloud-native applications, managing sensitive information such as API keys, passwords, and certificates is crucial for security and compliance. Kubernetes provides a robust mechanism to manage these secrets securely. This tutorial will guide you through using secrets in Kubernetes with a focus on Spring Boot applications.
Before diving into the implementation, ensure you have the following:
kubectl installed and configured to interact with your cluster.
Kubernetes Secrets are objects that hold small amounts of sensitive data such as passwords, OAuth tokens and SSH keys, so that pods can consume them without baking the values into container images or pod specs. Every Secret has a type: Opaque is the default for arbitrary user-defined data, and Kubernetes also defines built-in types for specific formats, for example kubernetes.io/tls for certificate and key pairs and kubernetes.io/dockerconfigjson for registry credentials. Be aware that a Secret's data is only base64-encoded on the API server, not encrypted: anyone who can read the object (kubectl get secret, or direct etcd access) can recover the plaintext, so restrict read access with RBAC and enable encryption at rest for the secrets resource.
You can create a secret manually using kubectl. For example, to create an opaque secret containing a username and password:
kubectl create secret generic my-secret --from-literal=username=myuser --from-literal=password=mypassword
This command creates a secret named my-secret with two key-value pairs, username and password. Values passed with --from-literal end up in your shell history and are visible in the process list while the command runs, so for real credentials prefer --from-file (below) or a manifest read from a file, and never commit such a manifest to source control.
If you have sensitive data in a file, you can create a secret from that file:
kubectl create secret generic my-file-secret --from-file=path/to/your/file.txt
This command creates a secret named my-file-secret with a single key named after the file's basename, file.txt, whose value is the file's content.
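The following shell script is an added example and not part of the original tutorial. It renders the same my-secret as a manifest (so the password can be read from a file instead of typed on the command line), and then decodes a key back out of the rendered manifest to make the point from above concrete: what the cluster stores is base64, not ciphertext. The secret name and keys are the tutorial's; the values and the file path in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): build a Secret manifest
# without passing the password on the command line, then show that the
# stored form is plain base64. Values below are constructed sample input.
set -eu

# Base64-encode a string as a single line (GNU base64 wraps at 76 columns).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Render an Opaque Secret manifest. Arguments after the name are key=value
# pairs; each value is placed base64-encoded under .data, which is exactly
# the form the API server stores and `kubectl get secret -o yaml` returns.
render_secret_manifest() {
  name="$1"; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for pair in "$@"; do
    printf '  %s: %s\n' "${pair%%=*}" "$(b64 "${pair#*=}")"
  done
}

# Recover the plaintext of one key from a rendered (or fetched) manifest.
# Nothing beyond "get" on secrets is needed: base64 is an encoding, and
# RBAC plus encryption at rest are the actual controls. The sed match is
# crude and assumes the two-space indentation produced above.
decode_secret_key() {
  manifest="$1"; key="$2"
  printf '%s\n' "$manifest" | sed -n "s/^  $key: //p" | base64 -d
}

# Typical use (assumed path): read the password from a file with
# restrictive permissions so it never appears in argv or shell history,
# then pipe the manifest straight into kubectl.
#   password=$(cat "$HOME/.config/app/db-password")
#   render_secret_manifest my-secret "username=myuser" "password=$password" \
#     | kubectl apply -f -

# Demonstration with constructed values.
manifest=$(render_secret_manifest my-secret username=myuser password=mypassword)
printf '%s\n' "$manifest"
if [ "$(decode_secret_key "$manifest" password)" = "mypassword" ]; then
  echo "the stored .data.password decodes straight back to the plaintext"
fi
```

Pipe the rendered manifest into kubectl apply -f - rather than writing it to disk; if you do keep manifests in a repository, store only a template and inject the .data values at deploy time.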
To use secrets in your Spring Boot application, expose them to the pod either as environment variables or as files on a volume.
You can mount secrets as environment variables by defining them in your deployment YAML file:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-spring-boot-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-spring-boot-app
  template:
    metadata:
      labels:
        app: my-spring-boot-app
    spec:
      containers:
      - name: my-spring-boot-container
        image: my-spring-boot-image
        env:
        - name: USERNAME
          valueFrom:
            secretKeyRef:
              name: my-secret
              key: username
        - name: PASSWORD
          valueFrom:
            secretKeyRef:
              name: my-secret
              key: password
In this example, the USERNAME and PASSWORD environment variables are set from the username and password keys of my-secret. Environment variables are convenient but are the weaker of the two options: they are fixed when the container starts, so a rotated Secret is not picked up until the pod is recreated; they are inherited by every child process the JVM spawns; and they show up in kubectl exec ... env, in /proc/<pid>/environ and in crash dumps. Prefer application-specific names such as DB_USERNAME so they cannot collide with variables the base image or shell already sets.
You can also mount secrets as files:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-spring-boot-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-spring-boot-app
  template:
    metadata:
      labels:
        app: my-spring-boot-app
    spec:
      containers:
      - name: my-spring-boot-container
        image: my-spring-boot-image
        volumeMounts:
        - name: secret-volume
          mountPath: /etc/secret
      volumes:
      - name: secret-volume
        secret:
          secretName: my-file-secret
In this example, every key of my-file-secret is projected as a file under /etc/secret, so the content of file.txt appears at /etc/secret/file.txt. The files default to mode 0644 (set defaultMode on the volume to tighten this), and the kubelet refreshes them when the Secret changes, except for mounts that use subPath.
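The following script is an added example and not part of the original tutorial. It renders a hardened version of the file-mount Deployment above (read-only mount, restrictive file mode, non-root pod, only the needed key projected, no service-account token) and includes a small pre-apply check that flags the settings the tutorial's manifest leaves out. The image name is the tutorial's placeholder; the UID and fsGroup value 1000 are assumptions, and the check is a line-matching heuristic for manifests you control, not a YAML parser.

```shell
#!/bin/sh
# Added example (not from the original tutorial): hardened secret mount plus
# a pre-apply lint. UID/fsGroup 1000 and the image name are assumptions.
set -eu

render_hardened_deployment() {
cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-spring-boot-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-spring-boot-app
  template:
    metadata:
      labels:
        app: my-spring-boot-app
    spec:
      automountServiceAccountToken: false   # the app never calls the Kubernetes API
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000                       # secret files are chowned to this group
      containers:
      - name: my-spring-boot-container
        image: my-spring-boot-image
        volumeMounts:
        - name: secret-volume
          mountPath: /etc/secret
          readOnly: true                    # explicit; Secret volumes are read-only anyway
      volumes:
      - name: secret-volume
        secret:
          secretName: my-file-secret
          defaultMode: 0440                 # owner/group read only, no world-readable files
          items:                            # project only the key this pod needs
          - key: file.txt
            path: file.txt
EOF
}

# True if the manifest contains the given literal line fragment.
manifest_has() { printf '%s\n' "$1" | grep -q -- "$2"; }

# Pre-apply lint: prints one line per missing hardening setting and returns
# 1 if any is missing. Manifests without a Secret volume pass untouched.
check_secret_mount_hardening() {
  manifest="$1"; rc=0
  manifest_has "$manifest" 'secretName:' || return 0
  manifest_has "$manifest" 'readOnly: true' \
    || { echo "FAIL: secret volume mount is not readOnly"; rc=1; }
  manifest_has "$manifest" 'defaultMode:' \
    || { echo "FAIL: secret volume keeps the default 0644 file mode"; rc=1; }
  manifest_has "$manifest" 'runAsNonRoot: true' \
    || { echo "FAIL: pod is not required to run as non-root"; rc=1; }
  manifest_has "$manifest" 'items:' \
    || echo "WARN: every key of the Secret is projected into the pod"
  return "$rc"
}

# Demonstration: the hardened manifest passes the check.
if check_secret_mount_hardening "$(render_hardened_deployment)"; then
  echo "hardened manifest passes the secret-mount checks"
fi
```

Run the check in CI before kubectl apply; the same grep-based approach extends to any other line you require, but for anything beyond a handful of rules use a policy engine that understands the YAML structure.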
Once the secrets are mounted as environment variables or files, you can access them in your Spring Boot application.
You can inject environment variables into your Spring Boot application with the @Value annotation; Spring Boot registers the process environment as a property source, so ${USERNAME} resolves to the USERNAME variable:
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

@Component
public class SecretConfig {

    // Resolved from the container environment that the Deployment populates
    // from my-secret. No default values: a missing variable should fail startup.
    @Value("${USERNAME}")
    private String username;

    @Value("${PASSWORD}")
    private String password;

    // Confirm the secret was injected without writing its value to the log.
    public void printSecrets() {
        System.out.println("Username: " + username);
        System.out.println("Password present: " + (password != null && !password.isEmpty()));
    }
}
If you mounted secrets as files, you can read them with standard Java I/O. Read the file with an explicit charset, strip the trailing newline that many editors add to the source file, and never log the content. Spring Boot 2.4 and later can also import such a directory directly with spring.config.import=configtree:/etc/secret/, which exposes each file as a property named after it (file.txt becomes the property file.txt), so no custom reader is needed:
import org.springframework.stereotype.Component;

import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

@Component
public class SecretFileReader {

    // Path of the key file.txt projected from my-file-secret.
    private static final Path SECRET_FILE = Path.of("/etc/secret/file.txt");

    // Returns the secret value to the caller instead of printing it; trim()
    // removes a trailing newline the original file may have carried.
    public String readFile() {
        try {
            return Files.readString(SECRET_FILE, StandardCharsets.UTF_8).trim();
        } catch (IOException e) {
            throw new UncheckedIOException("cannot read " + SECRET_FILE, e);
        }
    }
}
Using secrets correctly is a critical part of securing applications on Kubernetes. You should now be able to create Secrets and consume them from a Spring Boot application as environment variables or as files. Remember the controls the Secret object itself does not provide: restrict who can read Secrets with RBAC, enable encryption at rest, keep secret values out of logs, shell history and source control, and prefer read-only file mounts with restrictive modes over environment variables.