Mounting Secrets
Secrets are functionally identical to config maps, but they can be configured with stricter permissions due to their sensitive nature. Secret manifests are not committed to Git.
The best way to manage secrets on AWS is to store the secret value using AWS Secrets Manager and synchronize the secret to your cluster using the Kubernetes Secret Storage provider.
On AWS, you can synchronize a secret to your cluster by creating a secret provider class:
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
name: example
spec:
provider: aws
secretObjects:
- secretName: example
type: Opaque
data:
- key: SECRET_KEY_BASE
objectName: SECRET_KEY_BASE
parameters:
objects: |
- objectName: my-secrets-manager-secret
objectType: secretsmanager
jmesPath:
- path: SECRET_KEY_BASE
objectAlias: SECRET_KEY_BASE
Once a secret provider class is created, you can mount them similarly to config maps:
apiVersion: apps/v1
kind: Deployment
metadata:
name: example-web
namespace: default
spec:
selector:
matchLabels:
app.kubernetes.io/name: example
template:
metadata:
labels:
app.kubernetes.io/name: example
spec:
# Define your secret as a volume using the secrets storage provider
volumes:
- name: example
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: example
containers:
- name: main
# Mount a secret as environment variables
envFrom:
- secretRef:
name: example
# Or mount the volume in your container
volumeMounts:
- name: application
mountPath: /app/config/application.yml
subPath: application.yml