Set Kubernetes Secrets in the DuploCloud Portal and manage them effectively.
To securely manage sensitive information in your deployment, set and reference Kubernetes secrets in the DuploCloud Portal.
In the DuploCloud Portal, navigate to Kubernetes -> Secrets. The Kubernetes Secrets page displays.
Click Add.
Fill in the fields (Secret Name, Secret Type, Secret Details, Secret Labels, and Secret Annotations).
Click Add. The Kubernetes Secret is created.
To enhance the security and management of Kubernetes secrets, consider the following strategies:
Utilize Centralized Secret Management Tools: Centralize the management of secrets to streamline access and control.
Implement Access Controls: Define who can access or modify secrets to minimize risk.
Regularly Rotate Secrets: Change secrets periodically to reduce the impact of potential breaches.
Audit Access Logs: Keep track of who accesses secrets and when, to detect unauthorized access or anomalies.
By integrating these practices, you can ensure a more secure and efficient handling of secrets within your Kubernetes environment.
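The "Implement Access Controls" item above is the one most often left at the level of intent. As an added example (not from the DuploCloud documentation), the following Kubernetes RBAC manifest grants one ServiceAccount read access to one named Secret and nothing else; the namespace, ServiceAccount and Secret names are assumptions.

```yaml
# Added example, not DuploCloud's own configuration. Names are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app
  namespace: duploservices-myapp
---
# Role scoped to a single Secret by resourceNames. Only "get" is granted:
# "list" or "watch" would expose every Secret in the namespace, and the
# broad "*" verb would allow rewriting or deleting the credential.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-my-app-secret
  namespace: duploservices-myapp
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["my-env-vars"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-app-reads-secret
  namespace: duploservices-myapp
subjects:
  - kind: ServiceAccount
    name: my-app
    namespace: duploservices-myapp
roleRef:
  kind: Role
  name: read-my-app-secret
  apiGroup: rbac.authorization.k8s.io
```

Check the result with `kubectl auth can-i get secret/my-env-vars --as=system:serviceaccount:duploservices-myapp:my-app -n duploservices-myapp` (expected: yes) and the same command with `list secrets` (expected: no). For the "Audit Access Logs" item, the Kubernetes API server audit log records every get on a Secret along with the caller identity; on a managed control plane that log is enabled through the cloud provider's control-plane logging rather than on the cluster itself.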
Set EVs from the Kubernetes ConfigMap
In Kubernetes, you populate environment variables from application configurations or secrets.
In the DuploCloud Portal, navigate to Kubernetes -> Config Maps.
Click Add. The Add Config Map pane displays.
Name the ConfigMap you want to create, such as my-config-map.
Add a Data key/value pair for each environment variable, separated by a colon (:). The key is the environment variable name, and the value is the environment variable's value.
Click Create.
In the DuploCloud Portal, navigate to Kubernetes -> Services.
Select the Service you want to modify from the Name column.
Click the Actions menu and select Edit.
You can import the entire ConfigMap as Environment Variables or choose specific keys to import as environment variables.
The most straightforward approach is to import the entire ConfigMap as environment variables. Using this approach, your service will recognize each key in the ConfigMap defined as an environment variable.
On the Edit Service: service_name Basic Options page, click Next to navigate to the Advanced Options page.
On the Advanced Options page, in the Other Container Config field, enter the configuration YAML to import environment variables from a ConfigMap. For example, to import all environment variables from a ConfigMap named my-env-vars, use the following YAML:
To import from additional ConfigMaps, duplicate the YAML from lines 2 and 3 in the above example for each config map that you want to import from.
Another approach is to select which keys to import from the ConfigMap as environment variables. This method gives you complete control over each environment variable as well as its name, but it requires you to perform more manual configuration.
On the Edit Service: service_name Basic Options page, in the Environment Variables field, enter the configuration for choosing environment variables to import from a ConfigMap. For example, to set a single environment variable (ENV_VAR_ONE) to the value of the MY_ENV_VAR key in the my-env-vars config map, use the following YAML:
To add additional environment variables, duplicate the YAML from lines 2 through 5 in the above example for each environment variable that you want to add.
You can import Kubernetes Secrets as Environment Variables.
In the DuploCloud Portal, navigate to Kubernetes -> Secrets.
Click Add. The Add Kubernetes Secret page opens.
Create a Secret Name, such as my-env-vars.
From the Secret Type list box, select Opaque.
In the Secret Details field, add a Data key/value pair for each environment variable in your Secret, separated by a colon (:). The key is the environment variable name, and the value is the environment variable's value.
Click Add to create the secret.
Before you configure Environment Variables, you must create a DuploCloud Service.
The most straightforward approach is to import the entire Secret as environment variables. Using this approach, your service will recognize each key in the Secret defined as an environment variable.
On the Edit Service: service_name Basic Options page, click Next to navigate to the Advanced Options page.
On the Advanced Options page, in the Other Container Config field, enter the configuration YAML to import environment variables from a Secret. For example, to import all environment variables from a secret named my-env-vars, use the following YAML:
To import from additional secrets, duplicate the YAML from lines 2 and 3 in the above example for each secret that you want to import.
Another approach is to select which keys to import from the Secret as environment variables. This method gives you complete control over each environment variable as well as its name, but it requires you to perform more manual configuration.
On the Edit Service: service_name Basic Options page, in the Environment Variables field, enter the configuration for choosing specific environment variables to import from a Secret. For example, to set a single environment variable (ENV_VAR_ONE) to the value of the SECRET_ENV_VAR key in the my-env-vars secret, use the following YAML:
To add additional environment variables, duplicate the YAML from lines 2 through 5 in the above example for each environment variable that you want to add.
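The two procedures above (environment variables from a ConfigMap, and from a Secret) use the same two Kubernetes mechanisms, so one added example covers both. The YAML below is not the page's own; it assumes a ConfigMap and a Secret that are both named my-env-vars (a ConfigMap and a Secret may share a name because they are different resource kinds) and that the DuploCloud fields accept the Kubernetes-native fragments the page describes.

```yaml
# Added example, not the page's own YAML. Names are assumptions.
#
# Other Container Config (Advanced Options): import every key as an
# environment variable. One envFrom entry per ConfigMap or Secret; the
# optional prefix keeps the two sources from silently overwriting each
# other when they share a key and makes the origin of a variable obvious.
envFrom:
  - configMapRef:
      name: my-env-vars
  - prefix: SECRET_
    secretRef:
      name: my-env-vars
---
# Environment Variables field (Basic Options): pick individual keys and
# choose the variable name yourself. "optional: false" is the default and
# makes the Pod fail to start when the key is missing, which is the right
# behaviour for a credential: a blank password is worse than a clear error.
- name: ENV_VAR_ONE
  valueFrom:
    configMapKeyRef:
      name: my-env-vars
      key: MY_ENV_VAR
- name: ENV_VAR_TWO
  valueFrom:
    secretKeyRef:
      name: my-env-vars
      key: SECRET_ENV_VAR
      optional: false
```

The two documents above go into two different portal fields; they are separated with `---` only so the block is valid YAML. One caveat applies to the Secret case specifically: a value imported into the environment is visible to anyone who can `kubectl exec` into the container, is inherited by every child process, and tends to end up in crash dumps and debug output. For high-value credentials the file-mount approach later on this page keeps the value out of the process environment.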
Using K8s Secrets with Azure Storage Accounts
Copy Storage Account Key and FileShare Name from DuploCloud Portal for creating Kubernetes Secrets in the next step.
Navigate to Kubernetes -> Secrets. Create a Kubernetes Secret Object using an Azure Storage Account.
Creating K8s SecretProviderClass CRs in the DuploCloud Portal
The DuploCloud Portal provides the ability to create the SecretProviderClass Custom Resource (CR).
This capability allows Kubernetes (K8s) to mount secrets stored in external secrets stores into the Pods as volumes. After the volumes are attached, the data is mounted into the container’s file system.
An Administrator must set the Infrastructure setting Enable Secrets CSI Driver to True. This setting is available by navigating to Administrator -> Infrastructure, selecting your Infrastructure, and clicking Settings.
In the DuploCloud Portal, navigate to Kubernetes -> Secret Provider.
Click Add. The Add Kubernetes Secret Provider Class page displays.
Map the AWS Secrets and SSM Parameters configured in the DuploCloud Portal (Cloud Services -> App Integration) to the Parameters section of the configuration.
Optionally, use the Secret Objects field to define the desired state of the synced Kubernetes secret objects.
The following is an example SecretProviderClass configuration where AWS secrets and Kubernetes Secret Objects are configured:
To ensure your application is using the Secrets Store CSI driver, you need to configure your deployment to reference the SecretProviderClass resource created in the previous step.
The following is an example of configuring a Pod to mount a volume based on the SecretProviderClass created in prior steps to retrieve secrets from Secrets Manager.
It's important to note that SecretProviderClass (SPC) timeouts can occur because of Secret Auto Rotation, which is enabled by default. This feature checks every two minutes whether the mounted secrets need to be updated from the values in AWS Secrets Manager. If a Service is redeployed while a rotation check is in progress, the synced secret can be deleted mid-check, which leads to timeouts. The deletion happens because the synced secret is derived from the volume mount in the Service Pod: when the Pod is destroyed, the secret is destroyed with it.
In the DuploCloud Portal, create a Kubernetes Service by navigating to Kubernetes -> Services and clicking Add.
Complete the required fields and click Next to display the Advanced Options page.
On the Advanced Options page, in the Cloud Credentials list box, select From Kubernetes.
Add code to the Other Pod Config field, as in the example below.
Add code for VolumeMounts in the Other Container Config field, as in the example below.
Click Create to create the Kubernetes service.
Optionally, you can define secretObjects in the SecretProviderClass to define the desired state of your synced Kubernetes secret objects.
The following is an example of how to create a SecretProviderClass CR that syncs a secret from AWS Secrets Manager to a Kubernetes secret:
In the Other Container Config field, specify the mount details with the secretobject-name. Refer to the following example:
Set environment variables in your deployment to refer to your Kubernetes secrets.
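The SecretProviderClass procedure and the secretObjects sync procedure above share one CR, so the following added example (not the page's or DuploCloud's own configuration) shows the whole chain once: the CR the Secret Provider page creates for you, the Pod volume, the container mount, and an environment variable read from the synced Secret. Secret and parameter names, aliases and mount paths are assumptions; the CSI driver must be enabled on the Infrastructure and the Service's Cloud Credentials set to From Kubernetes so the Pod's identity is allowed to read the AWS resources.

```yaml
# Added example, not the page's own configuration. Names are assumptions.
#
# 1. The SecretProviderClass CR. "parameters" corresponds to the Parameters
#    section of the Secret Provider page; "secretObjects" to the Secret
#    Objects field.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: my-app-spc
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "my-app/database"
        objectType: "secretsmanager"
        jmesPath:
          - path: username
            objectAlias: db-username
          - path: password
            objectAlias: db-password
      - objectName: "/my-app/api-key"
        objectType: "ssmparameter"
        objectAlias: api-key
  secretObjects:
    - secretName: my-app-db-creds
      type: Opaque
      data:
        - objectName: db-username
          key: username
        - objectName: db-password
          key: password
---
# 2. Other Pod Config: the CSI volume that references the SPC.
volumes:
  - name: secrets-store
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: my-app-spc
---
# 3. Other Container Config: mount it read-only. The files are
#    /mnt/secrets/db-username, /mnt/secrets/db-password and /mnt/secrets/api-key.
volumeMounts:
  - name: secrets-store
    mountPath: /mnt/secrets
    readOnly: true
---
# 4. Environment Variables field: read a key from the synced Secret.
- name: DB_PASSWORD
  valueFrom:
    secretKeyRef:
      name: my-app-db-creds
      key: password
```

Two points to keep in mind when using this. First, the synced Secret my-app-db-creds is created by the driver only once a Pod actually mounts the volume, and it is removed when the last such Pod goes away; an environment variable that references it therefore only works in a Pod that also mounts the volume, and this lifecycle is the root cause of the SPC timeouts described above. Second, the jmesPath entries split one JSON secret into separate files, so the container never has to see the whole secret document to read one field.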
While powerful, this integration of secrets into Kubernetes deployments requires careful management to avoid issues such as SPC timeouts. Understanding the underlying mechanisms, such as Secret Auto Rotation and the lifecycle of secrets in pod deployments, is crucial for smooth operations.
Setting, mounting, and managing Kubernetes ConfigMaps and Kubernetes Secrets in DuploCloud environments.
Setting Environment Variables (EVs) from a K8s ConfigMap or Secret: This traditional method continues to be supported, offering a familiar approach to those accustomed to Kubernetes' native secrets management.
Mounting ConfigMaps and Secrets as files: This method provides a seamless way to integrate configuration data directly into your application's file system.
Additionally, DuploCloud supports advanced secrets management strategies, including:
By leveraging these strategies, DuploCloud offers flexible and secure options for managing Kubernetes ConfigMaps and Secrets, catering to a variety of operational needs and security requirements.
Mounting application configuration maps and secrets as files
In Kubernetes, you can mount application configurations or secrets as files.
In the DuploCloud Portal, navigate to Kubernetes -> Config Maps.
Click Add. The Add Kubernetes Config Map pane displays.
Name the ConfigMap you want to create, such as my-config-map.
Add a Data key/value pair for each file in your config map, separated by a colon (:). The key is the file name, and the value is the file's contents.
Click Create.
In the DuploCloud Portal, navigate to Kubernetes -> Services.
Select the service you want to modify from the Name column.
Click the Actions menu and select Edit.
On the Edit Service: service_name Basic Options page, click Next to navigate to the Advanced Options page.
On the Advanced Options page, in the Volumes field, enter the configuration YAML to mount the ConfigMap as a volume.
For example, to mount a config map named my-config-map to a directory named /app/my-config, enter the following YAML code block in the Volumes field:
If you want to select individual ConfigMap items, specifying the subpath for mounting, you can use a different configuration. For example, if you want the key named my-file-name to be mounted to /app/my-config/config-file, use the following YAML:
In the DuploCloud Portal, navigate to Kubernetes -> Secrets.
Click Add. The Add Kubernetes Secret pane displays.
Enter the Secret Name that you want to create, such as my-secret-files.
Add Secret Details such as a data key/value pair for each file in your secret, separated by a colon (:). The key is the file name, and the value is the file's contents.
Click Add to create the secret.
On the Edit Service: service_name Basic Options page, click Next to navigate to the Advanced Options page.
On the Advanced Options page, in the Volumes field, enter the configuration YAML to mount the Secret as a volume.
For example, to mount a Secret named my-secret-files to a directory named /app/my-config, enter the following YAML code block in the Volumes field:
If you want to select individual Secret items, specifying the subpath for mounting, you can use a different configuration. For example, if you want the key named secret-file to be mounted to /app/my-config/config-file, use the following YAML:
Refer to steps to in Azure.
For more information, see .
While creating a deployment, under Other Pod Config and Other Container Config, provide the configuration below to create and mount the storage volume for your service. In the configuration below, the shareName attribute should be the FileShare Name, which you can get from the Storage Account screen.
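The Azure Storage Account steps (creating the Kubernetes Secret from the Storage Account Key, then mounting the file share) are shown end to end in the following added example, which is not the page's own configuration. The Secret, volume and share names are assumptions; what is not an assumption is the pair of keys azurestorageaccountname and azurestorageaccountkey, which the azureFile volume requires in the Secret it references. In the portal the Secret is created on the Kubernetes -> Secrets page with those two entries in Secret Details; the manifest form is shown here for clarity.

```yaml
# Added example, not the page's own configuration. Names are assumptions.
#
# The Secret the volume reads the credentials from. The value of
# azurestorageaccountkey is the Storage Account Key copied from the portal;
# it grants full control of the whole storage account, so scope the Secret
# to the tenant that needs the share and rotate the key when people leave.
apiVersion: v1
kind: Secret
metadata:
  name: azure-storage-secret
type: Opaque
stringData:
  azurestorageaccountname: mystorageaccount
  azurestorageaccountkey: <storage-account-key-from-portal>
---
# Other Pod Config: the file-share volume.
volumes:
  - name: shared-files
    azureFile:
      secretName: azure-storage-secret
      shareName: my-fileshare       # the FileShare Name from the Storage Account screen
      readOnly: false
---
# Other Container Config: where the share appears inside the container.
volumeMounts:
  - name: shared-files
    mountPath: /mnt/shared
```

Set readOnly: true on the volume and the mount whenever the service only consumes files from the share; a read-only mount limits what a compromised container can do with a credential that otherwise allows writes to every share in the account.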
Before you can sync Kubernetes Secret Objects, you must .
Refer to the following example using the Environment Variables field in the Basic Options page when .
In DuploCloud environments, you can pass configurations and Kubernetes using Kubernetes or through various strategies tailored to enhance security and management efficiency:
Setting Kubernetes Secrets directly in DuploCloud: This involves creating secrets under Kubernetes > Secrets in the DuploCloud console. These secrets are then available in the Kubernetes environment and can be utilized as either files or environment variables. This method is straightforward, incurs no additional cost, and allows for the visibility of both secret keys and values within the DuploCloud console. For detailed instructions, see .
Using AWS as the Source of Truth: By creating secrets in AWS Secrets Manager or Parameter Store and integrating them into Kubernetes secrets with SecretProviderClass, you benefit from advanced features like automatic rotation. This method displays only the secret keys in the DuploCloud console and involves a more complex setup but is ideal for centralizing secrets management across DuploCloud and non-DuploCloud resources. For more on this setup, visit .
Application Directly Reads Secrets from AWS: This approach allows the application code to directly fetch secrets from AWS Secret Manager or Parameter Store, managed via IAM roles facilitated by DuploCloud. It provides an added layer of protection and is particularly beneficial for development environments, though it requires modifications to the application code. Implementation guidance can be found in .
Before you create and mount the Kubernetes , you must create a DuploCloud .
Before you create and mount a , you must create a DuploCloud .
Follow the steps in , defining a Key value using the PRIVATE_KEY_FILENAME in the Secret Details field, as shown below.
In the DuploCloud Portal, .