In the previous blog post, we discussed building a Weather Forecast API using Kubernetes and MongoDB. While deploying applications, it’s crucial to manage sensitive information like API keys, database credentials, and other secrets securely. In this blog post, we’ll guide you through adding secrets to your Kubernetes cluster to enhance the security of your Weather Forecast API.
Why Use Kubernetes Secrets?
Kubernetes provides a built-in feature called Secrets to manage sensitive data. Secrets allow you to store and distribute sensitive information to your application pods securely. Secrets are base64-encoded data objects that can be used to store items like passwords, tokens, or keys.
Here’s why you should use Kubernetes Secrets:
-
Security: Secrets are stored securely in etcd, the Kubernetes key-value store, and can be encrypted at rest.
-
Access Control: Kubernetes allows you to control who can access and use secrets, limiting exposure to unauthorized users.
-
Automated Rotation: Kubernetes supports automated rotation of secrets, ensuring that your sensitive data remains up to date.
Adding a Secret to Kubernetes
Let’s go through the steps to add a secret to your Kubernetes cluster:
Step 1: Create a Secret
You can create a secret from the command line using the kubectl create secret command. For example, to create a secret named api-secret with a key-value pair for an API key, use the following command:
kubectl create secret generic api-secret --from-literal=api-key=your-api-key-value
Replace your-api-key-value with the actual value of your API key.
Step 2: Verify the Secret
You can verify that the secret has been created by running:
kubectl get secret api-secret
This command will display information about the api-secret, including its type and data items.
Step 3: Use the Secret in a Pod
To use the secret in a pod, you need to reference it in the pod’s configuration or environment variables. Here’s an example of how you can reference the api-secret in a pod’s environment variables:
apiVersion: apps/v1
kind: Deployment
metadata:
name: weather-app
spec:
replicas: 1
template:
metadata:
labels:
app: weather-app
spec:
containers:
- name: weather-app
image: ks/weather:v2
imagePullPolicy: Never
ports:
- containerPort: 80
env:
- name: MONGODB_CONNECTION_STRING
value: "mongodb-service:27017"
- name: API_KEY
valueFrom:
secretKeyRef:
name: api-secret
key: api-key
In this example, the API_KEY environment variable in the pod is populated with the value from the api-secret secret’s api-key key.
Step 4: Deploy the Updated Configuration
After updating the pod configuration with the secret reference, deploy the updated configuration to your Kubernetes cluster:
kubectl apply -f weather-app-deployment.yaml
This command will apply the changes to the weather-app deployment, including the secret reference.
Integrating Secrets in Your C# Code
To access the secret API_KEY in your C# code, you can use the Environment.GetEnvironmentVariable method. Here’s an example of how you can retrieve the API key:
[HttpGet("secret")]
public IActionResult GetSecret()
{
string apiKey = Environment.GetEnvironmentVariable("API_KEY");
_logger.LogInformation("Getting Secret {0}", apiKey);
return Ok(new { ApiKey = apiKey });
}
By integrating secrets in your C# code, you can securely access sensitive information, such as API keys, within your application.
Managing Secrets with kind: Secret in Kubernetes
To securely manage sensitive information like API keys, we can use Kubernetes Secrets. Secrets are base64-encoded data objects that allow you to store and distribute sensitive data within your Kubernetes cluster. Here’s how you can create and use a secret:
Step 1: Create a Secret
Create a YAML file, e.g., api-key-secret.yaml, to define your secret. Below is an example YAML definition:
apiVersion: v1
kind: Secret
metadata:
name: api-key-secret
type: Opaque
data:
API_KEY: <base64-encoded-api-key>
Replace <base64-encoded-api-key> with your actual API key, base64-encoded. You can base64-encode your API key using various tools or programming languages.
Step 2: Apply the Secret to Your Cluster
Apply the secret to your Kubernetes cluster using the kubectl apply command:
kubectl apply -f api-key-secret.yaml
This command will create the api-key-secret secret in your cluster, making the API key securely available for your applications.
Conclusion
By adding secrets to your Kubernetes cluster, you can securely manage sensitive data required by your applications, such as API keys, passwords, and other confidential information. Kubernetes makes it easy to create, manage, and use secrets, enhancing the overall security of your deployed applications.