This chapter covers:
- Kubernetes Secrets
- GitOps strategies for managing secrets
- Tooling for managing Secrets
Kubernetes provides a mechanism for storing small amounts of sensitive information in a dedicated resource object called a Secret. A Secret holds anything you need to tightly control access to; common examples are username and password credentials, API keys, SSH keys, and TLS certificates. Keep in mind that a Secret protects its contents only through access control: the values in the object are base64-encoded, not encrypted, so anyone who can read the object, or a manifest of it committed to a Git repository, can read the credentials. In this chapter you will learn about different Secret management strategies when using a GitOps system, and you will get a brief introduction to several tools that can be used for storing and managing secrets.
We recommend you read chapters 1 and 2 before reading this chapter.
7.1 Kubernetes Secrets
A Kubernetes Secret is a simple data structure composed of three pieces of information:
- The name of the Secret
- The type of the Secret (optional; defaults to Opaque)
- A map of field names to sensitive values, each value base64-encoded
A very basic secret looks like the following:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: login-credentials
type: Opaque #A
data:
  username: YWRtaW4= #B
  password: UEA1NXcwcmQ= #C
```
#A Type of the secret - used to facilitate programmatic handling of secret data
#B The string “admin” base64 encoded
#C The string “P@55w0rd” base64 encoded
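To make the encoding concrete, here is an added Python example (not from the book or from Kubernetes itself) that builds the login-credentials manifest above from plaintext fields, renders it as YAML, and decodes it back. The point is that decoding needs no key: anyone who can read the manifest recovers the plaintext. It also shows the common mistake of placing raw plaintext under data:, which fails as invalid base64 just as the API server would reject it. The function names, the minimal YAML renderer, and the sample fields are illustrative assumptions.

```python
import base64
import binascii

# Constructed sample input: the plaintext behind the login-credentials listing above.
SAMPLE_FIELDS = {"username": "admin", "password": "P@55w0rd"}


def encode_secret_data(fields):
    """Base64-encode each plaintext value, the form the Secret 'data' map requires."""
    return {
        key: base64.b64encode(value.encode("utf-8")).decode("ascii")
        for key, value in fields.items()
    }


def build_secret(name, fields, secret_type="Opaque"):
    """Assemble a Secret manifest (as a dict) from plaintext fields. Illustrative helper."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": secret_type,
        "data": encode_secret_data(fields),
    }


def render_yaml(manifest):
    """Render the manifest as YAML text.

    Deliberately minimal renderer (an assumption of this example, not a YAML
    library): it handles only the flat layout of a basic Secret, and base64
    values never need quoting.
    """
    lines = [
        f"apiVersion: {manifest['apiVersion']}",
        f"kind: {manifest['kind']}",
        "metadata:",
        f"  name: {manifest['metadata']['name']}",
        f"type: {manifest['type']}",
        "data:",
    ]
    lines.extend(f"  {key}: {value}" for key, value in manifest["data"].items())
    return "\n".join(lines) + "\n"


def decode_secret_data(manifest):
    """Recover the plaintext from a Secret manifest.

    base64 is an encoding, not encryption: no key is involved, so whoever can
    read the manifest (in Git, in a CI log, or via `kubectl get secret -o yaml`)
    can read the credentials. Values that are not valid base64, for example
    plaintext mistakenly placed under 'data:' instead of being encoded, raise
    ValueError; the API server rejects such manifests for the same reason.
    """
    decoded = {}
    for key, value in manifest.get("data", {}).items():
        try:
            decoded[key] = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError(f"field {key!r} is not valid base64: {exc}") from exc
    return decoded


if __name__ == "__main__":
    manifest = build_secret("login-credentials", SAMPLE_FIELDS)
    print(render_yaml(manifest))
    print(decode_secret_data(manifest))
```

Kubernetes also accepts plaintext values under a stringData map, which the API server encodes on write; that avoids the encoding mistake but does nothing for confidentiality, because the stored object and any committed manifest are still readable by anyone with access to them. That confidentiality problem is what the secret management strategies in the rest of this chapter address.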