From ac4495ef11d01430596f58785f227965208edac8 Mon Sep 17 00:00:00 2001
From: Nick Beenham <1985327+superbeeny@users.noreply.github.com>
Date: Wed, 3 Apr 2024 16:07:18 -0400
Subject: [PATCH 1/5] Adding example on how to access secrets and add them to the container environment
Signed-off-by: Nick Beenham <1985327+superbeeny@users.noreply.github.com>
---
.../kubernetes/how-to-access-secrets/index.md | 116 ++++++++++++++++++
.../snippets/secrets-container.bicep | 26 ++++
.../snippets/secrets-patch.bicep | 62 ++++++++++
3 files changed, 204 insertions(+)
create mode 100644 docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md
create mode 100644 docs/content/guides/author-apps/kubernetes/how-to-access-secrets/snippets/secrets-container.bicep
create mode 100644 docs/content/guides/author-apps/kubernetes/how-to-access-secrets/snippets/secrets-patch.bicep
diff --git a/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md b/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md
new file mode 100644
index 000000000..8befb51e4
--- /dev/null
+++ b/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md
@@ -0,0 +1,116 @@ +--- +type: docs +title: "How-To: Access Kubernetes secrets using PodSpec" +linkTitle: "Secrets using PodSpec" +description: "Learn how to patch Kubernetes secrets into the container environment using PodSpec definitions" +weight: 300 +slug: 'secrets-podspec' +categories: "How-To" +tags: ["containers","Kubernetes", "secrets"] +--- + +This how-to guide will provide an overview of how to: + +- Patch existing Kubernetes secrets using [PodSpec](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec) definitions and provide them to the environment of a container. + +## Prerequisites + +- [rad CLI]({{< ref getting-started >}}) +- [Radius initialized with `rad init`]({{< ref howto-environment >}}) +- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) + +## Step 1: Define a container +Begin by creating a file named `app.bicep` with a Radius [container]({{< ref "guides/author-apps/containers" >}}): + +{{< rad file="snippets/secrets-container.bicep" embed=true >}} + +## Step 2: Deploy the app and container +```bash +rad run ./app.bicep -a demo +``` + +Once the deployment completes successfully, you should see the following confirmation message along with some system logs: + +```bash +Building app.bicep... +Deploying template 'app.bicep' for application 'demo' and environment 'dev' from workspace 'dev'... + +Deployment In Progress... + +.. demo Applications.Core/containers +Completed demo Applications.Core/applications + +Deployment Complete + +Resources: + demo Applications.Core/applications + demo Applications.Core/containers + +Starting log stream... 
+ ++ demo-7d94db59f6-ps6cf › demo +demo-7d94db59f6-ps6cf demo No APPLICATIONINSIGHTS_CONNECTION_STRING found, skipping Azure Monitor setup +demo-7d94db59f6-ps6cf demo Using in-memory store: no connection string found +demo-7d94db59f6-ps6cf demo Server is running at http://localhost:3000 +dashboard-7f7db87c5-7d2jf dashboard [port-forward] connected from localhost:7007 -> ::7007 +demo-7d94db59f6-ps6cf demo [port-forward] connected from localhost:3000 -> ::3000 +``` + +Verify the pod is running: + +```bash +kubectl get pods -n dev-demo +``` + +## Step 3: Create a secret + +Create a secret in your Kubernetes cluster using the following command: + +```bash +kubectl create secret generic my-secret --from-literal=secret-key=secret-value -n dev-demo +``` + +Verify the secret is created: + +```bash +kubectl get secrets -n dev-demo +``` + +## Step 4: Patch the secret + +Patch the secret into the container by adding the following `runtimes` block to the `container` resource in your `app.bicep` file: + +{{< rad file="snippets/secrets-patch.bicep" embed=true >}} + +## Step 5: Redeploy the app and container + +Redeploy and run your app: + +```bash +rad app deploy demo +``` + +Once the deployment completes successfully, you should see the environment variable in the container: +First, get the pod name: +```bash +kubectl get pods -n dev-demo +``` + +Then, exec into the pod and check the environment variable (substitute the pod name with the one you got from the previous command): + +```bash +kubectl -n dev-demo exec demo-d64cc4d6d-xjnjz -- env | grep MY_SECRET +``` + +## Cleanup + +Run the following command to [delete]({{< ref "guides/deploy-apps/howto-delete" >}}) your app and container: + +```bash +rad app delete demo +``` + +## Further reading + +- [Kubernetes in Radius containers]({{< ref "guides/author-apps/containers/overview#kubernetes" >}}) +- [PodSpec in Radius containers]({{< ref "reference/resource-schema/core-schema/container-schema#runtimes" >}}) \ No newline at end 
of file
diff --git a/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/snippets/secrets-container.bicep b/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/snippets/secrets-container.bicep
new file mode 100644
index 000000000..cf50f3d4b
--- /dev/null
+++ b/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/snippets/secrets-container.bicep
@@ -0,0 +1,26 @@
+import radius as radius
+
+@description('Specifies the environment for resources.')
+param environment string
+
+resource app 'Applications.Core/applications@2023-10-01-preview' = {
+ name: 'demo'
+ properties: {
+ environment: environment
+ }
+}
+
+resource demo 'Applications.Core/containers@2023-10-01-preview' = {
+ name: 'demo'
+ properties: {
+ application: app.id
+ container: {
+ image: 'ghcr.io/radius-project/samples/demo:latest'
+ ports: {
+ web: {
+ containerPort: 3000
+ }
+ }
+ }
+ }
+}
diff --git a/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/snippets/secrets-patch.bicep b/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/snippets/secrets-patch.bicep
new file mode 100644
index 000000000..f832dcfca
--- /dev/null
+++ b/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/snippets/secrets-patch.bicep
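Review bot: The `image: 'ghcr.io/radius-project/samples/demo:latest'` line in secrets-container.bicep uses a mutable tag, so the guide can pull different image content over time and readers who copy the snippet inherit an unpinned image. The same line appears in secrets-patch.bicep. Consider a fixed version tag or a digest, for example `image: 'ghcr.io/radius-project/samples/demo@sha256:<digest-placeholder>'`; which tags are published is not visible from this patch. If `latest` is kept for sample convenience, a comment such as `// Sample image; pin a version or digest outside of demos` would make that explicit.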
@@ -0,0 +1,62 @@
+import radius as radius
+
+@description('Specifies the environment for resources.')
+param environment string
+
+resource app 'Applications.Core/applications@2023-10-01-preview' = {
+ name: 'demo'
+ properties: {
+ environment: environment
+ }
+}
+
+resource demo 'Applications.Core/containers@2023-10-01-preview' = {
+ name: 'demo'
+ properties: {
+ application: app.id
+ container: {
+ image: 'ghcr.io/radius-project/samples/demo:latest'
+ ports: {
+ web: {
+ containerPort: 3000
+ }
+ }
+ }
+ runtimes: {
+ kubernetes: {
+ pod: {
+ volumes: [ {
+ name: 'secrets-vol'
+ secret: {
+ secretName: 'my-secret'
+ }
+ }
+ ]
+ containers: [
+ {
+ name: 'demo'
+ volumeMounts: [ {
+ name: 'secrets-vol'
+ readOnly: true
+ mountPath: '/etc/secrets-vol'
+ }
+ ]
+ env: [
+ {
+ name: 'MY_SECRET'
+ valueFrom: {
+ secretKeyRef: {
+ name: 'my-secret'
+ key: 'secret-key'
+ }
+ }
+ }
+ ]
+ }
+ ]
+ hostNetwork: true
+ }
+ }
+ }
+ }
+}
From f782fbd47c93c625e86ac165967062bd26e8dd87 Mon Sep 17 00:00:00 2001
From: Nick Beenham <1985327+superbeeny@users.noreply.github.com>
Date: Wed, 3 Apr 2024 16:46:14 -0400
Subject: [PATCH 2/5] Adding code tabs where the commands differ between linux/windows
Signed-off-by: Nick Beenham <1985327+superbeeny@users.noreply.github.com>
---
.../kubernetes/how-to-access-secrets/index.md | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md b/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md
index 8befb51e4..78cb09ad1 100644
--- a/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md
+++ b/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md
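Review bot: `hostNetwork: true` at the end of the `pod` block in secrets-patch.bicep is not needed to surface a secret, and it puts the pod in the node's network namespace, which weakens isolation for a workload that now holds secret material. Readers are likely to copy the `runtimes` block verbatim, so I would drop the line. If it is there only to show that arbitrary PodSpec fields can be patched, say so with a comment such as `// hostNetwork is shown only as a PodSpec example; omit it unless the workload needs the node network`. The snippet also exposes `my-secret` twice, as a read-only volume at `/etc/secrets-vol` and as the `MY_SECRET` env var, while the guide only verifies the env var. Keeping one of the two, with a comment that env vars are readable by every process in the container and by anyone who can exec into the pod, would make the trade-off clear.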
@@ -97,11 +97,27 @@ kubectl get pods -n dev-demo ``` Then, exec into the pod and check the environment variable (substitute the pod name with the one you got from the previous command): - + +{{< tabs "macOS/Linux/WSL" "Windows" >}} + +{{% codetab %}} + ```bash kubectl -n dev-demo exec demo-d64cc4d6d-xjnjz -- env | grep MY_SECRET ``` +{{% /codetab %}} + +{{% codetab %}} + +```powershell +kubectl -n dev-demo exec demo-d64cc4d6d-xjnjz -- env | findstr MY_SECRET +``` + +{{% /codetab %}} + +{{< /tabs >}} + ## Cleanup Run the following command to [delete]({{< ref "guides/deploy-apps/howto-delete" >}}) your app and container: From a0dc94b76d9e1a2d358d6d649faafd7e9327869e Mon Sep 17 00:00:00 2001 From: Nick Beenham <1985327+superbeeny@users.noreply.github.com> Date: Thu, 4 Apr 2024 22:02:56 -0400 Subject: [PATCH 3/5] Apply suggestions from code review Co-authored-by: Will <28876888+willtsai@users.noreply.github.com> Signed-off-by: Nick Beenham <1985327+superbeeny@users.noreply.github.com> --- .../kubernetes/how-to-access-secrets/index.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md b/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md index 78cb09ad1..1f8f4961f 100644 --- a/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md +++ b/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md @@ -20,11 +20,15 @@ This how-to guide will provide an overview of how to: - [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) ## Step 1: Define a container + Begin by creating a file named `app.bicep` with a Radius [container]({{< ref "guides/author-apps/containers" >}}): {{< rad file="snippets/secrets-container.bicep" embed=true >}} ## Step 2: Deploy the app and container + +Run this command to deploy the app and container: + ```bash rad run ./app.bicep -a demo ``` 
@@ -80,7 +84,7 @@ kubectl get secrets -n dev-demo Patch the secret into the container by adding the following `runtimes` block to the `container` resource in your `app.bicep` file: -{{< rad file="snippets/secrets-patch.bicep" embed=true >}} +{{< rad file="snippets/secrets-patch.bicep" embed=true markdownConfig="{linenos=table,hl_lines=[\"25-60\"]}" >}} ## Step 5: Redeploy the app and container @@ -90,11 +94,12 @@ Redeploy and run your app: rad app deploy demo ``` -Once the deployment completes successfully, you should see the environment variable in the container: -First, get the pod name: +Once the deployment completes successfully, you should see the environment variable in the container. + +To validate this, first get the pod name: + ```bash kubectl get pods -n dev-demo -``` Then, exec into the pod and check the environment variable (substitute the pod name with the one you got from the previous command): From 78ad3114dd0614359c8e39fb619cffa1e86695a6 Mon Sep 17 00:00:00 2001 From: Nick Beenham <1985327+superbeeny@users.noreply.github.com> Date: Fri, 5 Apr 2024 08:27:23 -0400 Subject: [PATCH 4/5] Updates requested from PR review Signed-off-by: Nick Beenham <1985327+superbeeny@users.noreply.github.com> --- .../kubernetes/how-to-access-secrets/index.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md b/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md index 1f8f4961f..651f53ebf 100644 --- a/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md +++ b/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md 
@@ -35,7 +35,7 @@ rad run ./app.bicep -a demo Once the deployment completes successfully, you should see the following confirmation message along with some system logs: -```bash +``` Building app.bicep... Deploying template 'app.bicep' for application 'demo' and environment 'dev' from workspace 'dev'... @@ -65,7 +65,11 @@ Verify the pod is running: ```bash kubectl get pods -n dev-demo ``` - +You should see the following output in your console: +``` +NAME READY STATUS RESTARTS AGE +demo-7d94db59f6-k7dfb 1/1 Running 0 62s +``` ## Step 3: Create a secret Create a secret in your Kubernetes cluster using the following command: @@ -100,6 +104,13 @@ To validate this, first get the pod name: ```bash kubectl get pods -n dev-demo +``` + +You should see the following output in your console, with the pod name: +``` +NAME READY STATUS RESTARTS AGE +demo-d64cc4d6d-xjnjz 1/1 Running 0 62s +``` Then, exec into the pod and check the environment variable (substitute the pod name with the one you got from the previous command): From de4834badfc0cc57d7e75c8991a685fce252bec8 Mon Sep 17 00:00:00 2001 From: Will <28876888+willtsai@users.noreply.github.com> Date: Fri, 5 Apr 2024 15:22:52 -0700 Subject: [PATCH 5/5] nit: add a new line for spacing aesthetics Signed-off-by: Will <28876888+willtsai@users.noreply.github.com> --- .../guides/author-apps/kubernetes/how-to-access-secrets/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md b/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md index 651f53ebf..f23a86ad1 100644 --- a/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md +++ b/docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md 
@@ -70,6 +70,7 @@ You should see the following output in your console: NAME READY STATUS RESTARTS AGE demo-7d94db59f6-k7dfb 1/1 Running 0 62s ``` + ## Step 3: Create a secret Create a secret in your Kubernetes cluster using the following command: