Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Adding example on how to access secrets and add them to the container…
… environment Signed-off-by: Nick Beenham <[email protected]>
1 parent c34b012, commit ac4495e
Showing 3 changed files with 204 additions and 0 deletions.
116 changes: 116 additions & 0 deletions
docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,116 @@ | ||
--- | ||
type: docs | ||
title: "How-To: Access Kubernetes secrets using PodSpec" | ||
linkTitle: "Secrets using PodSpec" | ||
description: "Learn how to patch Kubernetes secrets into the container environment using PodSpec definitions" | ||
weight: 300 | ||
slug: 'secrets-podspec' | ||
categories: "How-To" | ||
tags: ["containers","Kubernetes", "secrets"] | ||
--- | ||
|
||
This how-to guide will provide an overview of how to: | ||
|
||
- Patch existing Kubernetes secrets using [PodSpec](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec) definitions and provide them to the environment of a container. | ||
|
||
## Prerequisites | ||
|
||
- [rad CLI]({{< ref getting-started >}}) | ||
- [Radius initialized with `rad init`]({{< ref howto-environment >}}) | ||
- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) | ||
|
||
## Step 1: Define a container | ||
Begin by creating a file named `app.bicep` with a Radius [container]({{< ref "guides/author-apps/containers" >}}): | ||
|
||
{{< rad file="snippets/secrets-container.bicep" embed=true >}} | ||
|
||
## Step 2: Deploy the app and container | ||
```bash | ||
rad run ./app.bicep -a demo | ||
``` | ||
|
||
Once the deployment completes successfully, you should see the following confirmation message along with some system logs: | ||
|
||
```bash | ||
Building app.bicep... | ||
Deploying template 'app.bicep' for application 'demo' and environment 'dev' from workspace 'dev'... | ||
|
||
Deployment In Progress... | ||
|
||
.. demo Applications.Core/containers | ||
Completed demo Applications.Core/applications | ||
|
||
Deployment Complete | ||
|
||
Resources: | ||
demo Applications.Core/applications | ||
demo Applications.Core/containers | ||
|
||
Starting log stream... | ||
|
||
+ demo-7d94db59f6-ps6cf › demo | ||
demo-7d94db59f6-ps6cf demo No APPLICATIONINSIGHTS_CONNECTION_STRING found, skipping Azure Monitor setup | ||
demo-7d94db59f6-ps6cf demo Using in-memory store: no connection string found | ||
demo-7d94db59f6-ps6cf demo Server is running at http://localhost:3000 | ||
dashboard-7f7db87c5-7d2jf dashboard [port-forward] connected from localhost:7007 -> ::7007 | ||
demo-7d94db59f6-ps6cf demo [port-forward] connected from localhost:3000 -> ::3000 | ||
``` | ||
|
||
Verify the pod is running: | ||
|
||
```bash | ||
kubectl get pods -n dev-demo | ||
``` | ||
|
||
## Step 3: Create a secret | ||
|
||
Create a secret in your Kubernetes cluster using the following command: | ||
|
||
```bash | ||
kubectl create secret generic my-secret --from-literal=secret-key=secret-value -n dev-demo | ||
``` | ||
|
||
Verify the secret is created: | ||
|
||
```bash | ||
kubectl get secrets -n dev-demo | ||
``` | ||
|
||
## Step 4: Patch the secret | ||
|
||
Patch the secret into the container by adding the following `runtimes` block to the `container` resource in your `app.bicep` file: | ||
|
||
{{< rad file="snippets/secrets-patch.bicep" embed=true >}} | ||
|
||
## Step 5: Redeploy the app and container | ||
|
||
Redeploy and run your app: | ||
|
||
```bash | ||
rad app deploy demo | ||
``` | ||
|
||
Once the deployment completes successfully, you should see the environment variable in the container: | ||
First, get the pod name: | ||
```bash | ||
kubectl get pods -n dev-demo | ||
``` | ||
|
||
Then, exec into the pod and check the environment variable (substitute the pod name with the one you got from the previous command): | ||
|
||
```bash | ||
kubectl -n dev-demo exec demo-d64cc4d6d-xjnjz -- env | grep MY_SECRET | ||
``` | ||
|
||
## Cleanup | ||
|
||
Run the following command to [delete]({{< ref "guides/deploy-apps/howto-delete" >}}) your app and container: | ||
|
||
```bash | ||
rad app delete demo | ||
``` | ||
|
||
## Further reading | ||
|
||
- [Kubernetes in Radius containers]({{< ref "guides/author-apps/containers/overview#kubernetes" >}}) | ||
- [PodSpec in Radius containers]({{< ref "reference/resource-schema/core-schema/container-schema#runtimes" >}}) |
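
Review bot: Step 5 redeploys with `rad app deploy demo`, which never names the edited `app.bicep`, while Step 2 used `rad run ./app.bicep -a demo`; as written the reader cannot tell that the `runtimes` block added in Step 4 is what gets deployed. Suggest passing the template explicitly, in the same form as Step 2. In the same step, `kubectl -n dev-demo exec ... -- env | grep MY_SECRET` prints the secret value to the terminal; a guide about secrets should say so, or check only that the variable is set. Step 3's `--from-literal=secret-key=secret-value` likewise leaves the value in shell history, which is fine for a demo value but deserves a one-line note. The Step 4 heading "Patch the secret" reads as if the Secret object is modified; it is the pod spec that is patched.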
26 changes: 26 additions & 0 deletions
...tent/guides/author-apps/kubernetes/how-to-access-secrets/snippets/secrets-container.bicep
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
import radius as radius | ||
|
||
@description('Specifies the environment for resources.') | ||
param environment string | ||
|
||
resource app 'Applications.Core/applications@2023-10-01-preview' = { | ||
name: 'demo' | ||
properties: { | ||
environment: environment | ||
} | ||
} | ||
|
||
resource demo 'Applications.Core/containers@2023-10-01-preview' = { | ||
name: 'demo' | ||
properties: { | ||
application: app.id | ||
container: { | ||
image: 'ghcr.io/radius-project/samples/demo:latest' | ||
ports: { | ||
web: { | ||
containerPort: 3000 | ||
} | ||
} | ||
} | ||
} | ||
} |
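
Review bot: `image: 'ghcr.io/radius-project/samples/demo:latest'` uses a mutable tag, so the log output reproduced in the guide can drift from what readers actually get. Consider pinning a version tag or digest if the samples repository publishes one.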
62 changes: 62 additions & 0 deletions
.../content/guides/author-apps/kubernetes/how-to-access-secrets/snippets/secrets-patch.bicep
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
import radius as radius | ||
|
||
@description('Specifies the environment for resources.') | ||
param environment string | ||
|
||
resource app 'Applications.Core/applications@2023-10-01-preview' = { | ||
name: 'demo' | ||
properties: { | ||
environment: environment | ||
} | ||
} | ||
|
||
resource demo 'Applications.Core/containers@2023-10-01-preview' = { | ||
name: 'demo' | ||
properties: { | ||
application: app.id | ||
container: { | ||
image: 'ghcr.io/radius-project/samples/demo:latest' | ||
ports: { | ||
web: { | ||
containerPort: 3000 | ||
} | ||
} | ||
} | ||
runtimes: { | ||
kubernetes: { | ||
pod: { | ||
volumes: [ { | ||
name: 'secrets-vol' | ||
secret: { | ||
secretName: 'my-secret' | ||
} | ||
} | ||
] | ||
containers: [ | ||
{ | ||
name: 'demo' | ||
volumeMounts: [ { | ||
name: 'secrets-vol' | ||
readOnly: true | ||
mountPath: '/etc/secrets-vol' | ||
} | ||
] | ||
env: [ | ||
{ | ||
name: 'MY_SECRET' | ||
valueFrom: { | ||
secretKeyRef: { | ||
name: 'my-secret' | ||
key: 'secret-key' | ||
} | ||
} | ||
} | ||
] | ||
} | ||
] | ||
hostNetwork: true | ||
} | ||
} | ||
} | ||
} | ||
} |
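
Review bot: `hostNetwork: true` at the end of the `pod` block is unrelated to secrets and places the pod in the node's network namespace; a how-to that readers will copy should not carry it, so please drop the line or explain why it is needed. The snippet also mounts `my-secret` as a volume at `/etc/secrets-vol` in addition to setting the `MY_SECRET` env var, but the guide only describes and verifies the env var; either remove the `volumes` and `volumeMounts` entries or document them and add a verification step. The bracket style of `volumes: [ {` and `volumeMounts: [ {` differs from the `containers: [` and `env: [` lists in the same block and should be made consistent.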