Adding example on how to access secrets and add them to the container…
… environment

Signed-off-by: Nick Beenham <[email protected]>
superbeeny committed Apr 3, 2024
1 parent c34b012 commit ac4495e
Showing 3 changed files with 204 additions and 0 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,116 @@
---
type: docs
title: "How-To: Access Kubernetes secrets using PodSpec"
linkTitle: "Secrets using PodSpec"
description: "Learn how to patch Kubernetes secrets into the container environment using PodSpec definitions"
weight: 300
slug: 'secrets-podspec'
categories: "How-To"
tags: ["containers","Kubernetes", "secrets"]
---

This how-to guide will provide an overview of how to:

- Patch existing Kubernetes secrets using [PodSpec](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec) definitions and provide them to the environment of a container.

## Prerequisites

- [rad CLI]({{< ref getting-started >}})
- [Radius initialized with `rad init`]({{< ref howto-environment >}})
- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)

## Step 1: Define a container
Begin by creating a file named `app.bicep` with a Radius [container]({{< ref "guides/author-apps/containers" >}}):

{{< rad file="snippets/secrets-container.bicep" embed=true >}}

## Step 2: Deploy the app and container
```bash
rad run ./app.bicep -a demo
```

Once the deployment completes successfully, you should see the following confirmation message along with some system logs:

```bash
Building app.bicep...
Deploying template 'app.bicep' for application 'demo' and environment 'dev' from workspace 'dev'...

Deployment In Progress...

.. demo Applications.Core/containers
Completed demo Applications.Core/applications

Deployment Complete

Resources:
demo Applications.Core/applications
demo Applications.Core/containers

Starting log stream...

+ demo-7d94db59f6-ps6cf › demo
demo-7d94db59f6-ps6cf demo No APPLICATIONINSIGHTS_CONNECTION_STRING found, skipping Azure Monitor setup
demo-7d94db59f6-ps6cf demo Using in-memory store: no connection string found
demo-7d94db59f6-ps6cf demo Server is running at http://localhost:3000
dashboard-7f7db87c5-7d2jf dashboard [port-forward] connected from localhost:7007 -> ::7007
demo-7d94db59f6-ps6cf demo [port-forward] connected from localhost:3000 -> ::3000
```

Verify the pod is running:

```bash
kubectl get pods -n dev-demo
```

## Step 3: Create a secret

Create a secret in your Kubernetes cluster using the following command:

```bash
kubectl create secret generic my-secret --from-literal=secret-key=secret-value -n dev-demo
```

Verify the secret is created:

```bash
kubectl get secrets -n dev-demo
```

## Step 4: Patch the secret

Patch the secret into the container by adding the following `runtimes` block to the `container` resource in your `app.bicep` file:

{{< rad file="snippets/secrets-patch.bicep" embed=true >}}

## Step 5: Redeploy the app and container

Redeploy and run your app:

```bash
rad app deploy demo
```

Once the deployment completes successfully, you should see the environment variable in the container:
First, get the pod name:
```bash
kubectl get pods -n dev-demo
```

Then, exec into the pod and check the environment variable (substitute the pod name with the one you got from the previous command):

```bash
kubectl -n dev-demo exec demo-d64cc4d6d-xjnjz -- env | grep MY_SECRET
```

## Cleanup

Run the following command to [delete]({{< ref "guides/deploy-apps/howto-delete" >}}) your app and container:

```bash
rad app delete demo
```

## Further reading

- [Kubernetes in Radius containers]({{< ref "guides/author-apps/containers/overview#kubernetes" >}})
- [PodSpec in Radius containers]({{< ref "reference/resource-schema/core-schema/container-schema#runtimes" >}})
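
Review bot: Step 3 and Step 5 both expose the secret value on the operator's machine. In Step 3, `--from-literal=secret-key=secret-value` puts the value on the command line, where it ends up in shell history; since readers will adapt this how-to to real secrets, mention `--from-file` as the pattern to copy. In Step 5, `env | grep MY_SECRET` prints the value to the terminal; a check that only confirms the variable is set would make the same point. Separately, Step 2 deploys with `rad run ./app.bicep -a demo` while Step 5 redeploys with `rad app deploy demo`, which never names the edited `app.bicep`; please use one form in both steps or explain the difference. The Step 2 output also shows `rad run` starting a log stream and port-forwards, so the guide should say that Step 3 onward runs in a second terminal.
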
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
import radius as radius

@description('Specifies the environment for resources.')
param environment string

resource app 'Applications.Core/applications@2023-10-01-preview' = {
name: 'demo'
properties: {
environment: environment
}
}

resource demo 'Applications.Core/containers@2023-10-01-preview' = {
name: 'demo'
properties: {
application: app.id
container: {
image: 'ghcr.io/radius-project/samples/demo:latest'
ports: {
web: {
containerPort: 3000
}
}
}
}
}
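
Review bot: `image: 'ghcr.io/radius-project/samples/demo:latest'` pulls a mutable tag, so what the reader runs can change without this file changing. Consider pinning a version tag or an image digest, or add a comment stating that `latest` is deliberate for the sample. The same line is repeated in the patch snippet, so whatever is chosen should be applied in both files.
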
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
import radius as radius

@description('Specifies the environment for resources.')
param environment string

resource app 'Applications.Core/applications@2023-10-01-preview' = {
name: 'demo'
properties: {
environment: environment
}
}

resource demo 'Applications.Core/containers@2023-10-01-preview' = {
name: 'demo'
properties: {
application: app.id
container: {
image: 'ghcr.io/radius-project/samples/demo:latest'
ports: {
web: {
containerPort: 3000
}
}
}
runtimes: {
kubernetes: {
pod: {
volumes: [ {
name: 'secrets-vol'
secret: {
secretName: 'my-secret'
}
}
]
containers: [
{
name: 'demo'
volumeMounts: [ {
name: 'secrets-vol'
readOnly: true
mountPath: '/etc/secrets-vol'
}
]
env: [
{
name: 'MY_SECRET'
valueFrom: {
secretKeyRef: {
name: 'my-secret'
key: 'secret-key'
}
}
}
]
}
]
hostNetwork: true
}
}
}
}
}
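
Review bot: `hostNetwork: true` at the end of the `pod` block is not needed to consume a secret and places the pod in the node's network namespace; nothing in the how-to mentions or relies on it, so please drop it from the snippet or document why it is there. The snippet also exposes `my-secret` twice, as the `secrets-vol` mount at `/etc/secrets-vol` and as the `MY_SECRET` env var, while the guide only describes and verifies the env var; either remove the volume or add a step that covers it. Minor: `volumes: [ {` and `volumeMounts: [ {` use a different bracket layout from `containers: [` and `env: [`.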
