Available in VPC
Ncloud Kubernetes Service can consume secrets stored in Secret Manager through the Secrets Store CSI driver (`secrets-store.csi.k8s.io`) with the `ncp` provider: a SecretProviderClass describes which Secret Manager objects to fetch, and a pod mounts them as files through a read-only CSI volume.
Creating a secret in Secret Manager
Following the Secret Manager user guide, create a secret named `my-secret` and register a value with `id` and `password` as its keys. The examples below assume the values `my-id` and `my-password`.
Mounting and using all registered secrets in Secret Manager
- Create SecretProviderClass.
```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: my-secret
  namespace: default
spec:
  provider: ncp
  parameters:
    objects: |
      - objectName: "my-secret"
        objectType: "secretmanager"
        path: "my-secret.txt"
```
- Create a pod that mounts and uses SecretProviderClass.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  namespace: default
spec:
  containers:
    - name: my-pod
      command: [ "sleep", "1000000" ]
      image: busybox
      imagePullPolicy: IfNotPresent
      volumeMounts:
        - mountPath: "/var/secrets"
          name: my-secret
  volumes:
    - name: my-secret
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "my-secret"
```
- Exec into the pod and check that the secret is mounted. When the whole secret is mounted, the file holds all registered key/value pairs as a single JSON object:
```console
$ kubectl exec my-pod -- ls /var/secrets
my-secret.txt
$ kubectl exec my-pod -- cat /var/secrets/my-secret.txt
{"id": "my-id", "password": "my-password"}
```
Mounting with a specific key of a secret registered in Secret Manager
- Create SecretProviderClass.
```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: my-secret
  namespace: default
spec:
  provider: ncp
  parameters:
    objects: |
      - objectName: "my-secret"
        objectType: "secretmanager"
        secretKey: "id"
        path: "id.txt"
      - objectName: "my-secret"
        objectType: "secretmanager"
        secretKey: "password"
        path: "password.txt"
```
- Create a pod that mounts and uses SecretProviderClass.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  namespace: default
spec:
  containers:
    - name: my-pod
      command: [ "sleep", "1000000" ]
      image: busybox
      imagePullPolicy: IfNotPresent
      volumeMounts:
        - mountPath: "/var/secrets"
          name: my-secret
  volumes:
    - name: my-secret
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "my-secret"
```
- Exec into the pod and check that the secret is mounted. With `secretKey` set, each object becomes one file holding only that key's raw value, without JSON wrapping:
```console
$ kubectl exec my-pod -- ls /var/secrets
id.txt
password.txt
$ kubectl exec my-pod -- cat /var/secrets/id.txt
my-id
$ kubectl exec my-pod -- cat /var/secrets/password.txt
my-password
```
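The two layouts above differ in how an application has to read the mounted files: one JSON object for the whole secret, or one plain-text file per key. The following added example (not Ncloud's code or part of the original page) is a small loader that handles both, fails fast at startup when a required key is missing or empty, and never logs secret values. The mount directories are constructed in a temporary directory to mirror the outputs shown above; the file names `my-secret.txt`, `id.txt` and `password.txt` are taken from the page's manifests.

```python
"""Read secrets from a Secrets Store CSI mount.

Handles both layouts on the page:
  * whole-secret: one file (my-secret.txt) holding the key/value pairs as a JSON object
  * per-key:      one file per key (id.txt, password.txt) holding the raw value
The sample mount directories are constructed here to mirror the page's output.
"""
import json
import tempfile
from pathlib import Path


def load_mounted_secret(mount_dir, required_keys, whole_file=None):
    """Return {key: value} for required_keys read from mount_dir.

    whole_file: name of the single JSON file when the whole secret is mounted.
    When None, each required key is read from the file "<key>.txt", which is
    the naming used by the page's per-key SecretProviderClass.
    Raises if a required key is missing or empty, so a misconfigured
    SecretProviderClass surfaces at startup rather than at first use.
    """
    mount = Path(mount_dir)
    if whole_file is not None:
        raw = (mount / whole_file).read_text(encoding="utf-8")
        try:
            values = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise ValueError(f"{whole_file} is not valid JSON: {exc}") from None
        if not isinstance(values, dict):
            raise ValueError(f"{whole_file} must contain a JSON object")
    else:
        values = {}
        for key in required_keys:
            path = mount / f"{key}.txt"
            if path.is_file():
                values[key] = path.read_text(encoding="utf-8")
    missing = [k for k in required_keys if not values.get(k)]
    if missing:
        # Report key names only; never include the values in errors or logs.
        raise KeyError(f"missing or empty secret keys: {missing}")
    return {k: values[k] for k in required_keys}


def build_sample_mount(layout):
    """Create a temp dir mirroring the page's mount output (constructed sample data).

    layout: "whole" (my-secret.txt), "split" (id.txt + password.txt),
            or "partial" (id.txt only, to exercise the missing-key path).
    """
    mount = tempfile.mkdtemp(prefix="csi-mount-")
    if layout == "whole":
        Path(mount, "my-secret.txt").write_text(
            json.dumps({"id": "my-id", "password": "my-password"}), encoding="utf-8")
    else:
        Path(mount, "id.txt").write_text("my-id", encoding="utf-8")
        if layout == "split":
            Path(mount, "password.txt").write_text("my-password", encoding="utf-8")
    return mount


def demo():
    """Load the same secret from both layouts and return the two dicts."""
    whole = load_mounted_secret(build_sample_mount("whole"), ["id", "password"],
                                whole_file="my-secret.txt")
    split = load_mounted_secret(build_sample_mount("split"), ["id", "password"])
    return whole, split


if __name__ == "__main__":
    whole, split = demo()
    # Log which keys were loaded, not their values.
    print("whole-secret layout keys:", sorted(whole))
    print("per-key layout keys:", sorted(split))
```

In a pod, point `load_mounted_secret` at the `mountPath` from the manifest (`/var/secrets`) instead of the constructed temporary directory.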
Synchronizing secrets registered in Secret Manager with Kubernetes secrets
A secret registered in Secret Manager is synchronized into a Kubernetes Secret only while a pod mounts it: the Secrets Store CSI driver creates the Kubernetes Secret when the pod's volume is mounted, ties its lifetime to that pod through an owner reference to a SecretProviderClassPodStatus, and removes it once no pod mounts the volume any longer. Synchronizing copies the value into the Kubernetes API (and therefore etcd), so any principal with RBAC permission to read Secrets in the namespace can read it; prefer the plain file mount unless the workload needs a Kubernetes Secret.
- Create SecretProviderClass.
```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: my-secret
  namespace: default
spec:
  provider: ncp
  parameters:
    objects: |
      - objectName: "my-secret"
        objectType: "secretmanager"
        path: "my-secret.txt"
  secretObjects:
    - secretName: my-secret
      type: Opaque
      data:
        - objectName: my-secret.txt
          key: my-key
```
- Create a pod that mounts and uses SecretProviderClass.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  namespace: default
spec:
  containers:
    - name: my-pod
      command: [ "sleep", "1000000" ]
      image: busybox
      imagePullPolicy: IfNotPresent
      volumeMounts:
        - mountPath: "/var/secrets"
          name: my-secret
  volumes:
    - name: my-secret
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "my-secret"
```
- Check that the Kubernetes Secret was created. The `secrets-store.csi.k8s.io/managed: "true"` label and the owner reference to the SecretProviderClassPodStatus show that the driver manages it, and the `my-key` value is the base64 encoding of the mounted `my-secret.txt` content (`objectName` in `secretObjects.data` refers to the file name in the mount, not to the Secret Manager object name):
```console
$ kubectl get secret my-secret -o yaml
apiVersion: v1
data:
  my-key: eyJpZCI6ICJteS1pZCIsICJwYXNzd29yZCI6ICJteS1wYXNzd29yZCJ9
kind: Secret
metadata:
  labels:
    secrets-store.csi.k8s.io/managed: "true"
  name: my-secret
  namespace: default
  ownerReferences:
  - apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClassPodStatus
    name: my-pod-default-my-secret
type: Opaque
```
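Two things are worth checking when relying on this synchronization: that the Secret really is the driver-managed one (label plus owner reference, so it is garbage-collected with the pod) and that its base64 data decodes to exactly the mounted file content. The following added example (not Ncloud's code or part of the original page) does both against the output of `kubectl get secret my-secret -o json` parsed with `json.load`; the sample Secret is constructed inline from the page's output above. It also shows `build_secret_objects`, a helper that derives a `secretObjects` block from a SecretProviderClass `objects` list so that each mounted file (its `path`) maps to one Secret key; it names keys after `secretKey` or the file stem, whereas the page's manifest picks the key name `my-key` by hand, which is equally valid.

```python
"""Verify a Kubernetes Secret synced by the Secrets Store CSI driver, and derive
spec.secretObjects from spec.parameters.objects.

The sample Secret below is constructed from the page's
`kubectl get secret my-secret -o yaml` output.
"""
import base64
import json

MANAGED_LABEL = "secrets-store.csi.k8s.io/managed"
OWNER_KIND = "SecretProviderClassPodStatus"


def verify_synced_secret(secret, expected_files):
    """Return {key: decoded value} if the Secret is driver-managed and matches expected_files.

    secret:         parsed `kubectl get secret <name> -o json` output
    expected_files: Secret key -> expected plaintext (the mounted file's content)
    Raises ValueError on the first mismatch without echoing secret values.
    """
    meta = secret.get("metadata", {})
    if meta.get("labels", {}).get(MANAGED_LABEL) != "true":
        raise ValueError("Secret is not labelled as managed by the Secrets Store CSI driver")
    owner_kinds = [o.get("kind") for o in meta.get("ownerReferences", [])]
    if OWNER_KIND not in owner_kinds:
        raise ValueError(f"Secret is not owned by a {OWNER_KIND}")
    data = secret.get("data", {})
    decoded = {}
    for key, expected in expected_files.items():
        if key not in data:
            raise ValueError(f"key {key!r} missing from synced Secret")
        value = base64.b64decode(data[key]).decode("utf-8")
        if value != expected:
            raise ValueError(f"key {key!r} does not match the mounted file content")
        decoded[key] = value
    return decoded


def build_secret_objects(secret_name, objects, secret_type="Opaque"):
    """Build spec.secretObjects from the entries of spec.parameters.objects.

    The file name in the mount (`path`, or `objectName` when no path is set)
    becomes secretObjects.data[].objectName. The Secret key is the entry's
    secretKey when a single key is mounted, otherwise the file name without
    its extension (so the whole-secret JSON file lands under one key).
    """
    data = []
    for obj in objects:
        file_name = obj.get("path", obj["objectName"])
        key = obj.get("secretKey") or file_name.rsplit(".", 1)[0]
        data.append({"objectName": file_name, "key": key})
    return [{"secretName": secret_name, "type": secret_type, "data": data}]


# Constructed sample mirroring the page's output (same base64 value as on the page).
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {
        "name": "my-secret",
        "namespace": "default",
        "labels": {MANAGED_LABEL: "true"},
        "ownerReferences": [{
            "apiVersion": "secrets-store.csi.x-k8s.io/v1",
            "kind": OWNER_KIND,
            "name": "my-pod-default-my-secret",
        }],
    },
    "data": {"my-key": "eyJpZCI6ICJteS1pZCIsICJwYXNzd29yZCI6ICJteS1wYXNzd29yZCJ9"},
}

# What `cat /var/secrets/my-secret.txt` showed for the whole-secret mount.
EXPECTED_FILE = json.dumps({"id": "my-id", "password": "my-password"})

if __name__ == "__main__":
    result = verify_synced_secret(SAMPLE_SECRET, {"my-key": EXPECTED_FILE})
    print("synced keys verified:", sorted(result))
    objects = [
        {"objectName": "my-secret", "objectType": "secretmanager", "secretKey": "id", "path": "id.txt"},
        {"objectName": "my-secret", "objectType": "secretmanager", "secretKey": "password", "path": "password.txt"},
    ]
    print(json.dumps(build_secret_objects("my-secret", objects), indent=2))
```

Against a live cluster, pass `json.load` of `kubectl get secret my-secret -o json` as `secret`, and the output of `kubectl exec my-pod -- cat /var/secrets/my-secret.txt` as the expected file content.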