Skip to content

Superbeeny/adding podspec secrets #1100

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
willtsai merged 5 commits into from
Apr 5, 2024
Merged

Superbeeny/adding podspec secrets #1100

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
ac4495e
Adding example on how to access secrets and add them to the container…
superbeeny Apr 3, 2024
f782fbd
Adding code tabs where the commands differ between linux/windows
superbeeny Apr 3, 2024
a0dc94b
Apply suggestions from code review
superbeeny Apr 5, 2024
78ad311
Updates requested from PR review
superbeeny Apr 5, 2024
de4834b
nit: add a new line for spacing aesthetics
willtsai Apr 5, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
149 changes: 149 additions & 0 deletions docs/content/guides/author-apps/kubernetes/how-to-access-secrets/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,149 @@
---
type: docs
title: "How-To: Access Kubernetes secrets using PodSpec"
linkTitle: "Secrets using PodSpec"
description: "Learn how to patch Kubernetes secrets into the container environment using PodSpec definitions"
weight: 300
slug: 'secrets-podspec'
categories: "How-To"
tags: ["containers","Kubernetes", "secrets"]
---

This how-to guide will provide an overview of how to:

- Patch existing Kubernetes secrets using [PodSpec](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec) definitions and provide them to the environment of a container.

## Prerequisites

- [rad CLI]({{< ref getting-started >}})
- [Radius initialized with `rad init`]({{< ref howto-environment >}})
- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)

## Step 1: Define a container

Begin by creating a file named `app.bicep` with a Radius [container]({{< ref "guides/author-apps/containers" >}}):

{{< rad file="snippets/secrets-container.bicep" embed=true >}}

## Step 2: Deploy the app and container
Comment thread
superbeeny marked this conversation as resolved.

Run this command to deploy the app and container:

```bash
rad run ./app.bicep -a demo
```

Once the deployment completes successfully, you should see the following confirmation message along with some system logs:

```
Building app.bicep...
Deploying template 'app.bicep' for application 'demo' and environment 'dev' from workspace 'dev'...

Deployment In Progress...

.. demo Applications.Core/containers
Completed demo Applications.Core/applications

Deployment Complete

Resources:
demo Applications.Core/applications
demo Applications.Core/containers

Starting log stream...

+ demo-7d94db59f6-ps6cf › demo
demo-7d94db59f6-ps6cf demo No APPLICATIONINSIGHTS_CONNECTION_STRING found, skipping Azure Monitor setup
demo-7d94db59f6-ps6cf demo Using in-memory store: no connection string found
demo-7d94db59f6-ps6cf demo Server is running at http://localhost:3000
dashboard-7f7db87c5-7d2jf dashboard [port-forward] connected from localhost:7007 -> ::7007
demo-7d94db59f6-ps6cf demo [port-forward] connected from localhost:3000 -> ::3000
```

Verify the pod is running:

```bash
kubectl get pods -n dev-demo
```
You should see the following output in your console:
```
NAME READY STATUS RESTARTS AGE
demo-7d94db59f6-k7dfb 1/1 Running 0 62s
```

Comment thread
superbeeny marked this conversation as resolved.
## Step 3: Create a secret
Comment thread
willtsai marked this conversation as resolved.

Create a secret in your Kubernetes cluster using the following command:

```bash
kubectl create secret generic my-secret --from-literal=secret-key=secret-value -n dev-demo
```

Verify the secret is created:

```bash
kubectl get secrets -n dev-demo
```

## Step 4: Patch the secret

Patch the secret into the container by adding the following `runtimes` block to the `container` resource in your `app.bicep` file:

{{< rad file="snippets/secrets-patch.bicep" embed=true markdownConfig="{linenos=table,hl_lines=[\"25-60\"]}" >}}

## Step 5: Redeploy the app and container

Redeploy and run your app:

```bash
rad app deploy demo
```

Once the deployment completes successfully, you should see the environment variable in the container.

To validate this, first get the pod name:

```bash
kubectl get pods -n dev-demo
```

Comment thread
superbeeny marked this conversation as resolved.
You should see the following output in your console, with the pod name:
```
NAME READY STATUS RESTARTS AGE
demo-d64cc4d6d-xjnjz 1/1 Running 0 62s
```

Then, exec into the pod and check the environment variable (substitute the pod name with the one you got from the previous command):

{{< tabs "macOS/Linux/WSL" "Windows" >}}

{{% codetab %}}

```bash
kubectl -n dev-demo exec demo-d64cc4d6d-xjnjz -- env | grep MY_SECRET
```

{{% /codetab %}}

{{% codetab %}}

```powershell
kubectl -n dev-demo exec demo-d64cc4d6d-xjnjz -- env | findstr MY_SECRET
```

{{% /codetab %}}

{{< /tabs >}}

## Cleanup

Run the following command to [delete]({{< ref "guides/deploy-apps/howto-delete" >}}) your app and container:

```bash
rad app delete demo
```

## Further reading

- [Kubernetes in Radius containers]({{< ref "guides/author-apps/containers/overview#kubernetes" >}})
- [PodSpec in Radius containers]({{< ref "reference/resource-schema/core-schema/container-schema#runtimes" >}})
26 changes: 26 additions & 0 deletions ...tent/guides/author-apps/kubernetes/how-to-access-secrets/snippets/secrets-container.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
import radius as radius

@description('Specifies the environment for resources.')
param environment string

resource app 'Applications.Core/applications@2023-10-01-preview' = {
name: 'demo'
properties: {
environment: environment
}
}

resource demo 'Applications.Core/containers@2023-10-01-preview' = {
name: 'demo'
properties: {
application: app.id
container: {
image: 'ghcr.io/radius-project/samples/demo:latest'
ports: {
web: {
containerPort: 3000
}
}
}
}
}
62 changes: 62 additions & 0 deletions .../content/guides/author-apps/kubernetes/how-to-access-secrets/snippets/secrets-patch.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
import radius as radius

@description('Specifies the environment for resources.')
param environment string

resource app 'Applications.Core/applications@2023-10-01-preview' = {
name: 'demo'
properties: {
environment: environment
}
}

resource demo 'Applications.Core/containers@2023-10-01-preview' = {
name: 'demo'
properties: {
application: app.id
container: {
image: 'ghcr.io/radius-project/samples/demo:latest'
ports: {
web: {
containerPort: 3000
}
}
}
runtimes: {
kubernetes: {
pod: {
volumes: [ {
name: 'secrets-vol'
secret: {
secretName: 'my-secret'
}
}
]
containers: [
{
name: 'demo'
volumeMounts: [ {
name: 'secrets-vol'
readOnly: true
mountPath: '/etc/secrets-vol'
}
]
env: [
{
name: 'MY_SECRET'
valueFrom: {
secretKeyRef: {
name: 'my-secret'
key: 'secret-key'
}
}
}
]
}
]
hostNetwork: true
}
}
}
}
}