Secret Manager integration examples

Available in VPC

You can use secrets in Ncloud Kubernetes Service through integration with Secret Manager.

Creating a secret in Secret Manager

Refer to the Secret Manager user guide to create a secret named my-secret and register a value with id and password as keys.

Mounting and using all registered secrets in Secret Manager

  1. Create SecretProviderClass.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: my-secret
  namespace: default
spec:
  provider: ncp
  parameters:
    objects: |
      - objectName: "my-secret"
        objectType: "secretmanager"
        path: "my-secret.txt"
  2. Create a pod that mounts and uses SecretProviderClass.
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  namespace: default
spec:
  containers:
  - name: my-pod
    command: [ "sleep", "1000000" ]
    image: busybox
    imagePullPolicy: IfNotPresent
    volumeMounts:
      - mountPath: "/var/secrets"
        name: my-secret
  volumes:
  - name: my-secret
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: "my-secret"
  3. Access the pod and check if the secret is mounted properly.
$ kubectl exec my-pod -- ls /var/secrets
my-secret.txt

$ kubectl exec my-pod -- cat /var/secrets/my-secret.txt
{"id": "my-id", "password": "my-password"}

Mounting a specific key of a secret registered in Secret Manager

  1. Create SecretProviderClass.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: my-secret
  namespace: default
spec:
  provider: ncp
  parameters:
    objects: |
      - objectName: "my-secret"
        objectType: "secretmanager"
        secretKey: "id"
        path: "id.txt"
      - objectName: "my-secret"
        objectType: "secretmanager"
        secretKey: "password"
        path: "password.txt"
  2. Create a pod that mounts and uses SecretProviderClass.
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  namespace: default
spec:
  containers:
  - name: my-pod
    command: [ "sleep", "1000000" ]
    image: busybox
    imagePullPolicy: IfNotPresent
    volumeMounts:
      - mountPath: "/var/secrets"
        name: my-secret
  volumes:
  - name: my-secret
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: "my-secret"
  3. Access the pod and check if the secret is mounted properly.
$ kubectl exec my-pod -- ls /var/secrets
id.txt
password.txt

$ kubectl exec my-pod -- cat /var/secrets/id.txt
my-id

$ kubectl exec my-pod -- cat /var/secrets/password.txt
my-password

Synchronizing secrets registered in Secret Manager with Kubernetes secrets

Secrets registered in Secret Manager must be mounted on a pod to be synchronized with Kubernetes secrets.

  1. Create SecretProviderClass.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: my-secret
  namespace: default
spec:
  provider: ncp
  parameters:
    objects: |
      - objectName: "my-secret"
        objectType: "secretmanager"
        path: "my-secret.txt"
  secretObjects:
  - secretName: my-secret
    type: Opaque
    data:
    - objectName: my-secret.txt
      key: my-key
  2. Create a pod that mounts and uses SecretProviderClass.
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  namespace: default
spec:
  containers:
  - name: my-pod
    command: [ "sleep", "1000000" ]
    image: busybox
    imagePullPolicy: IfNotPresent
    volumeMounts:
      - mountPath: "/var/secrets"
        name: my-secret
  volumes:
  - name: my-secret
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: "my-secret"
  3. Check if the secret is created properly.
$ kubectl get secret my-secret -o yaml

apiVersion: v1
data:
  my-key: eyJpZCI6ICJteS1pZCIsICJwYXNzd29yZCI6ICJteS1wYXNzd29yZCJ9
kind: Secret
metadata:
  labels:
    secrets-store.csi.k8s.io/managed: "true"
  name: my-secret
  namespace: default
  ownerReferences:
  - apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClassPodStatus
    name: my-pod-default-my-secret
type: Opaque
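
The check above can also be done without printing the secret value. The following script is an added example, not part of the original guide: it compares the SHA-256 digest of the synced Kubernetes secret with the digest of the file mounted in the pod. It assumes the names used on this page (my-secret, my-key, my-pod, /var/secrets/my-secret.txt) and that sha256sum and base64 are available locally; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original guide: verify the Secret Manager sync
# by comparing SHA-256 digests, so no secret value is printed to the terminal.
# Names (my-secret, my-key, my-pod, /var/secrets/my-secret.txt) follow the page.

# Hex SHA-256 digest of stdin.
digest() { sha256sum | cut -d' ' -f1; }

# Digest of the plaintext behind a base64 value taken from .data of a
# Kubernetes Secret. Secret data is base64-encoded, not encrypted, so anyone
# who can read the Secret object can decode it without a key.
decoded_digest() { printf '%s' "$1" | base64 -d | digest; }

# Succeeds when the synced Secret value ($1, base64) and the mounted file
# (its hex digest in $2) hold the same bytes.
sync_matches() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$(decoded_digest "$1")" = "$2" ]
}

# Runs the comparison against a live cluster (requires kubectl access).
# Returns 2 when either lookup fails, 1 on mismatch, 0 when in sync.
check_cluster() {
  b64=$(kubectl get secret my-secret -n default -o jsonpath='{.data.my-key}') || return 2
  mounted=$(kubectl exec my-pod -n default -- sha256sum /var/secrets/my-secret.txt) || return 2
  # sha256sum prints "<digest>  <file>"; keep only the digest.
  sync_matches "$b64" "${mounted%% *}"
}

# Constructed sample: the base64 value shown in the kubectl output on this page.
SAMPLE_B64='eyJpZCI6ICJteS1pZCIsICJwYXNzd29yZCI6ICJteS1wYXNzd29yZCJ9'

# Only touch the cluster when explicitly asked to.
if [ "${1:-}" = "--cluster" ]; then
  if check_cluster; then
    echo "in sync"
  else
    echo "mismatch or lookup failed" >&2
    exit 1
  fi
fi
```

Run it with --cluster to check a live cluster; without arguments it only defines the functions.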