Secrets

Secrets are key/value stores, replicated on all cluster nodes, and with values encrypted.

  • The secrets object kind is sec

  • A secret belongs to a namespace.

  • Only services in the same namespace can use the secret keys.

  • A secret can be used by multiple services

  • Secret key values can be projected in app or container resources environment

  • Secret key values can be projected as file content in volumes in the same namespace.

  • Secret key values can be empty, text or binary

  • Secret key values can be decoded for inspection

  • Secret key names can contain path separators and installed recursively

Create a Secret

::

om test/sec/sec1 create

Add Keys

From Value

om test/sec/sec1 add --key password --value changeme

From Stdin

cat /etc/hosts | om test/sec/sec1 add --key hosts_from_stdin --from -
cat /bin/ls    | om test/sec/sec1 add --key ls_from_stdin    --from -

From File

::

om test/sec/sec1 add –key hosts_from_file –from /etc/hosts om test/sec/sec1 add –key ls_from_file –from /bin/ls

From a File Tree

::

mkdir /tmp/head /tmp/head/a /tmp/head/b touch /tmp/head/a/alex /tmp/head/b/bob

The head can be named:

om test/sec/sec1 add --key tree  --from /tmp/head
...
  secret key 'tree/b/bob' added (166)
  secret key 'tree/a/alex' added (166)

Or left as-is:

om test/sec/sec1 add --from /tmp/head
...
  secret key 'head/b/bob' added (166)
  secret key 'head/a/alex' added (166)

From a Remote Location

::

om test/sec/sec1 add –key logo –from https://www.opensvc.com/init/static/images/opensvc-logo-2018.svg

Listing Keys

om test/sec/sec1 keys

Decode Keys

om test/sec/sec1 decode --key key1
om test/sec/sec1 decode --key key3 > /tmp/ls

Update Keys

Just re-add the key.

om test/sec/sec1 add --key key1 --value newval1

Delete Keys

om test/sec/sec1 delete --key key5

Delete Secret

om test/sec/sec1 delete

All keys are lost when deleting a secret. This action is orchestrated, asynchronous, and the secret is deleted from all cluster nodes.

Project Secret Keys in App Environment

...

[app#1]
start = /bin/true
secrets_environment = PASSWORD=sec1/password

Project Secret Keys in Container Environment

...

[container#1]
image = postgres
volume_mounts = {name}/data:/var/lib/postgresql/data
secrets_environment = POSTGRES_PASSWORD=sec1/password
rm = true
shared = true

Project Secret Keys in Container Filesystem

...

[volume#2]
type = shm
name = {name}-secrets
secrets = sec1/password:/

[container#1]
image = postgres
volume_mounts = {name}/data:/var/lib/postgresql/data
                {name}-secrets/password:/var/lib/postgresql/password
rm = true
shared = true