mount all secret key-values as env
# podspec
spec:
  containers:
  - ...
    envFrom:
    - secretRef:
        name: name-of-secret
mount as env, per key-value
# podspec
spec:
  containers:
  - ...
    env:
    - name: NAME_OF_ENV
      valueFrom:
        secretKeyRef:
          name: name-of-secret
          key: key-in-secret
mount as files in dir
# podspec
spec:
  containers:
  - ...
    volumeMounts:
    - name: name-of-volume
      mountPath: /etc/foo
  volumes:
  - name: name-of-volume
    secret:
      secretName: name-of-secret
mount as files, per key-value
# podspec
spec:
  containers:
  - ...
    volumeMounts:
    - name: name-of-volume
      mountPath: /etc/foo
  volumes:
  - name: name-of-volume
    secret:
      secretName: name-of-secret
      items:
      - key: key-in-secret
        path: path-to-mount-as
imagePullSecrets: useful for pulling private images
secrets: useless as far as I can tell
apiVersion: v1
kind: ServiceAccount
metadata:
  name: service-account-name
# both lists hold object references, so each entry needs a name: key
secrets:
- name: name-of-secret
imagePullSecrets:
- name: name-of-secret
apply same config to all matching pods
see above for env / volume format
# PodPreset was an alpha API and was removed in Kubernetes v1.20
apiVersion: settings.k8s.io/v1alpha1
kind: PodPreset
metadata:
  name: allow-database
spec:
  selector:
    matchLabels:
      label-key: label-value
  env: ...
  volumeMounts: ...
  volumes: ...
what types can we use? apparently they're (almost) all for use with the k8s api
data is base64 encoded values, replace with stringData (plaintext) for convenience
start with the source code
default type
apiVersion: v1
kind: Secret
metadata:
  name: name-of-secret
type: Opaque
data:
  user-defined-key: data
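
An added example (not part of the original notes) of producing `data` values by hand without the two usual mistakes: a trailing newline from `echo`, and line-wrapped base64 output. The function names and the sample value `hunter2` are made up for illustration; `base64 -d` assumes a GNU, BusyBox or recent macOS `base64`.

```shell
#!/bin/sh
# Helpers for the `data:` field of a Secret (added example; names are hypothetical).

# Encode one value. printf '%s' emits no trailing newline, and tr removes the
# line breaks some base64 builds insert every 76 characters.
secret_b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a `data:` value. base64 is an encoding, not encryption: anyone who
# can read the Secret object can recover the plaintext this way.
secret_plain() {
  printf '%s' "$1" | base64 -d
}

# Audit check: succeeds if the decoded value ends in a newline byte, the usual
# sign that it was produced with `echo value | base64`.
ends_with_newline() {
  last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" = "0a" ]
}

# Render an Opaque Secret from KEY=VALUE pairs. Only the first "=" splits the
# pair, so values may themselves contain "=".
render_secret() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for pair in "$@"; do
    printf '  %s: %s\n' "${pair%%=*}" "$(secret_b64 "${pair#*=}")"
  done
}

# Constructed sample input, not a real credential.
render_secret name-of-secret "user-defined-key=hunter2"
```

Writing the same value under `stringData` skips the encoding step entirely; the API server stores it base64-encoded under `data` either way.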

apiVersion: v1
kind: Secret
metadata:
  name: name-of-secret
  annotations:
    kubernetes.io/service-account.name: name of ServiceAccount
    kubernetes.io/service-account.uid: uid of ServiceAccount
type: kubernetes.io/service-account-token
data:
  token: token
  kubernetes.kubeconfig: kubeconfig (optional)
  ca.crt: root certificate (optional)
  namespace: default namespace (optional)

apiVersion: v1
kind: Secret
metadata:
  name: name-of-secret
type: kubernetes.io/dockercfg
data:
  .dockercfg: ~/.dockercfg

apiVersion: v1
kind: Secret
metadata:
  name: name-of-secret
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ~/.docker/config.json

apiVersion: v1
kind: Secret
metadata:
  name: name-of-secret
type: kubernetes.io/basic-auth
data:
  username: username
  password: password

apiVersion: v1
kind: Secret
metadata:
  name: name-of-secret
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: private key

apiVersion: v1
kind: Secret
metadata:
  name: name-of-secret
type: kubernetes.io/tls
data:
  tls.crt: certificate (public)
  tls.key: key (private)