Wednesday 13 May 2020

Managing sensitive information on OpenShift


Kubernetes, and OpenShift with it, offer a resource of type Secret to hold sensitive information such as passwords, tokens and credentials.
A Secret belongs to a namespace and can be consumed by the pods of that namespace, either exposed as environment variables or mounted as a volume; when mounted, the files are backed by tmpfs, so the values live in memory and never touch the node's disk.

A pod that references a Secret which does not exist yet will not start until the Secret appears, so create Secrets before the pods that use them.


Example.

Imagine you have to connect to a database from a pod inside OpenShift.
Credentials must not be kept in the source code or baked into the image, so let's create a Secret to hold them:

oc create secret generic mysecret \
  --from-literal='database-user'='admin' \
  --from-literal='database-password'='mypassword123'

secret "mysecret" created

If you inspect the secret, you will see that the values are not shown in clear text but base64-encoded. Be aware that base64 is an encoding, not encryption: anybody allowed to get the Secret object (and anybody who can read etcd, which stores Secrets unencrypted unless encryption at rest has been enabled) recovers the plaintext with a single base64 -d. Protecting a Secret therefore means restricting who can read it with RBAC, not relying on the encoding.

oc get secret mysecret -o yaml

apiVersion: v1
data:
  database-password: bXlwYXNzd29yZDEyMw==
  database-user: YWRtaW4=
kind: Secret
...

The next step is to reference the secret inside the pod definition, mypod.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mycontainer
    image: app:1.0
    env:
      - name: DB_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: database-user
      - name: DB_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: database-password
  restartPolicy: Never
Create the pod:

oc create -f mypod.yaml

Inside the pod the credentials are injected as environment variables, so if you open a shell in the pod (oc rsh mypod) and print them, you should see something like this:

echo $DB_USERNAME 
admin

echo $DB_PASSWORD 
mypassword123



That's all!

