New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Better Secrets management workflow #1593
Comments
I agree that you shouldn't need to use base64 as an end user of a UI. The UI can do the encoding/decoding for you. The one caveat is that some base64 encoded secret data can actually be binary content and won't decode to readable text. In openshift we do detection to see if the base64 decodes to valid text or not. https://github.com/openshift/origin-web-console/blob/master/app/scripts/services/secrets.js#L68 Also of note, a change was made to the API to make it easier to create/update secrets, there is now a dataText (or textData?) attribute that you can send in place of the normal data attribute, this allows you to send plain text on a create/update which will then get base64 encoded server-side and stored into the data field. As far as what an end user should see for create/update, I would expect a multiline editor / file upload combo that lets you pick a file to send for the secret or type in the content yourself. The issue with secrets (and config maps) as volumes overwriting the entire directory is still an issue, there are workarounds as suggested in kubernetes/kubernetes#19764 |
The base64 is a PITA, and pretty much defeats the purpose of allowing the editing of secrets from the web interface. |
Issues go stale after 90d of inactivity. Prevent issues from auto-closing with an If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
This is already done. |
Issue details
I'm looking for ideas on how to manage secrets and configuration in kubernetes.
I work on a dev team where historically we've managed our credentials, secrets, and environment-specific config files by storing them alongside our application code in our project's source control repos. I'm tasked with updating our workflow to conform to 12-factor app best practices, and so I'm looking to have the environment provide the appropriate configuration to our containers at runtime
Environment
Our current project file structure is something like this:
The k8s Way
It appears as if k8s Secrets and ConfigMaps with volume mounts are intended to solve this from the container's perspective. I've had some success with creating a Secret and then mounting it into
conf/config.py
. Unfortunately, there seem to be several drawbacks to this approach.Observed result
volumeMount
s override all files within theproject/conf/
directory.Expected result
In an ideal world, I would be able to:
project/conf/config.py
)Comments
I'm new enough to the Kubernetes world that I don't even know if I'm asking the right questions, let alone getting close to the right answers. I'd appreciate any pointers to better solutions in this space. As I go through the process of migrating these apps, I'm trying to stick close to the native k8s stack when looking for solutions to my problems. I'm pragmatic though; I'll use whatever solves the problem. And in this case, I think k8s secrets are an almost perfect mechanism for the container, it's just that they leave a lot to be desired from a dev workflow standpoint.
The text was updated successfully, but these errors were encountered: