Secrets
Secrets are key/value stores, replicated on all cluster nodes, with values stored encrypted.
The secrets object kind is sec.
- A secret belongs to a namespace.
- Only services in the same namespace can use the secret keys.
- A secret can be used by multiple services.
- Secret key values can be projected into app or container resource environments.
- Secret key values can be projected as file content in volumes of the same namespace.
- Secret key values can be empty, text or binary.
- Secret key values can be decoded for inspection.
- Secret key names can contain path separators, and keys can be installed recursively from a file tree.
Create a Secret
om test/sec/sec1 create
Add Keys
From Value
om test/sec/sec1 add --key password --value changeme
From Stdin
cat /etc/hosts | om test/sec/sec1 add --key hosts_from_stdin --from -
cat /bin/ls | om test/sec/sec1 add --key ls_from_stdin --from -
From File
om test/sec/sec1 add --key hosts_from_file --from /etc/hosts
om test/sec/sec1 add --key ls_from_file --from /bin/ls
From a File Tree
mkdir /tmp/head /tmp/head/a /tmp/head/b
touch /tmp/head/a/alex /tmp/head/b/bob
The head can be named:
om test/sec/sec1 add --key tree --from /tmp/head
...
secret key 'tree/b/bob' added (166)
secret key 'tree/a/alex' added (166)
Or left as-is:
om test/sec/sec1 add --from /tmp/head
...
secret key 'head/b/bob' added (166)
secret key 'head/a/alex' added (166)
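The two listings above show the naming rule for tree imports: with --key the head directory is renamed to the given key, without it the head keeps its own directory name. The following added example (not OpenSVC project code) previews the key names a tree import would create, so the resulting key paths can be reviewed before anything is stored in the secret. It assumes every regular file under the head becomes one key, as in the page's output.

```shell
#!/bin/sh
# Added example, not OpenSVC project code: preview the key names that
# "om <ns>/sec/<name> add [--key KEY] --from <dir>" would create for a
# directory tree, following the naming shown in the page's output.
# Assumption: every regular file below the head becomes one key.

tree_key_names() {
    # $1: head directory; $2 (optional): key name that replaces the head
    root=$(cd "$1" && pwd) || return 1
    prefix=${2:-$(basename "$root")}
    # Walk the tree, strip the head path and prepend the chosen prefix.
    find "$root" -type f | sort | while read -r f; do
        printf '%s/%s\n' "$prefix" "${f#"$root"/}"
    done
}

# Demonstration on a constructed tree (the mkdir/touch layout from the page).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/head/a" "$tmp/head/b"
    touch "$tmp/head/a/alex" "$tmp/head/b/bob"
    echo "with --key tree:"
    tree_key_names "$tmp/head" tree
    echo "without --key:"
    tree_key_names "$tmp/head"
    rm -rf "$tmp"
}

demo
```

Running the script prints tree/a/alex and tree/b/bob for the named form, and head/a/alex and head/b/bob for the unnamed form, matching the page's output order apart from sorting.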
From a Remote Location
om test/sec/sec1 add --key logo --from https://www.opensvc.com/init/static/images/opensvc-logo-2018.svg
Listing Keys
om test/sec/sec1 keys
Decode Keys
om test/sec/sec1 decode --key key1
om test/sec/sec1 decode --key key3 > /tmp/ls
Delete Keys
om test/sec/sec1 delete --key key5
Delete Secret
om test/sec/sec1 delete
All keys are lost when a secret is deleted. The deletion is orchestrated and asynchronous: the secret is removed from all cluster nodes.
Project Secret Keys in App Environment
...
[app#1]
start = /bin/true
secrets_environment = PASSWORD=sec1/password
Project Secret Keys in Container Environment
...
[container#1]
image = postgres
volume_mounts = {name}/data:/var/lib/postgresql/data
secrets_environment = POSTGRES_PASSWORD=sec1/password
rm = true
shared = true
Project Secret Keys in Container Filesystem
...
[volume#2]
type = shm
name = {name}-secrets
secrets = sec1/password:/
[container#1]
image = postgres
volume_mounts = {name}/data:/var/lib/postgresql/data
                {name}-secrets/password:/var/lib/postgresql/password
rm = true
shared = true
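A service whose secrets_environment or secrets keyword names a key that does not exist in the secret will fail at start time, after it has been deployed. The following added example (not OpenSVC project code) extracts the secret/key references from a service config like the fragments above and reports any reference missing from a list of known keys. It assumes the mapping syntax shown on this page (VAR=secret/key for environment, secret/key:path for volumes), that several mappings may be space-separated on one line, and that the known-key list holds one secret/key per line, for instance built from "om test/sec/sec1 keys" output prefixed with the secret name, assuming that command prints one key per line.

```shell
#!/bin/sh
# Added example, not OpenSVC project code: check that every secret key a
# service config references actually exists before the service is deployed.
# Assumptions: mappings are VAR=secret/key (secrets_environment) or
# secret/key:path (secrets), possibly several per line separated by spaces;
# the known-key file lists one "secret/key" per line.

# Print every distinct secret/key referenced by config file $1.
secret_refs() {
    sed -n \
        -e 's/^[[:space:]]*secrets_environment[[:space:]]*=[[:space:]]*//p' \
        -e 's/^[[:space:]]*secrets[[:space:]]*=[[:space:]]*//p' "$1" |
    tr ' ' '\n' | sed \
        -e '/^$/d' \
        -e 's/^[A-Za-z_][A-Za-z0-9_]*=//' \
        -e 's/:.*$//' | sort -u
}

# Print references from config $1 that are absent from key file $2.
# Returns 1 when any is missing, so the check can gate a deployment.
missing_refs() {
    rc=0
    for ref in $(secret_refs "$1"); do
        if ! grep -qxF "$ref" "$2"; then
            echo "missing: $ref"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on a constructed config and key list.
demo() {
    cfg=$(mktemp); keys=$(mktemp)
    printf '[volume#2]\ntype = shm\nsecrets = sec1/password:/\n' > "$cfg"
    printf '[container#1]\nsecrets_environment = POSTGRES_PASSWORD=sec1/password DB_USER=sec1/user\n' >> "$cfg"
    printf 'sec1/password\n' > "$keys"    # sec1/user deliberately absent
    echo "references:"; secret_refs "$cfg"
    missing_refs "$cfg" "$keys" || echo "config references keys not present in the secret"
    rm -f "$cfg" "$keys"
}

demo
```

The key file for a real check can be produced with the page's listing command, e.g. "om test/sec/sec1 keys | sed 's#^#sec1/#'", then passed as the second argument of missing_refs together with the service config.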