Very often, deployments require sensitive information such as passwords, API keys, or certificates. Tensorkube provides a built-in feature called Secrets to securely store and manage such sensitive data.

Creating a secret

To create a secret in Tensorkube, use the following command:

tensorkube secret create <SECRET-NAME> KEY1=VAL1 KEY2=VAL2 KEY3=VAL3 ...

The secret name must follow these rules:

  • Contain only lowercase alphanumeric characters (a-z, 0-9), hyphens (-), and periods (.).
  • Start and end with an alphanumeric character (a-z, 0-9).
  • Be a maximum of 253 characters.

Arguments:

  • SECRET_NAME: [required]

  • KEYVALUES…: [required], Space-separated KEY=VALUE items

  • --env ENV_NAME: [optional], Environment in which the secret is created. If not specified, the default environment is used.

  • --force: [optional], Overwrite the secret if it already exists.

When updating a secret, it’s important to redeploy any application that uses it. Otherwise application behavior may become inconsistent: running pods may still be using the old secret value, while any new ones created will use the updated values. To ensure consistent behavior, always redeploy your applications after updating a secret.

Listing secrets

You can list the secrets you have created using the command:

tensorkube list secrets

Arguments:

  • --env ENV_NAME: [Optional] Specify the environment to list the secrets from. If not specified, secrets from the default environment will be listed.

Deleting secrets

You can delete a secret using the command:

tensorkube secret delete SECRET_NAME

Arguments:

  • SECRET_NAME: [Required], The name of the secret you want to delete.

  • --env ENV_NAME: [Optional], Specify the environment from which the secret should be deleted. If not specified, the secret will be deleted from the default environment.

Using secrets in deployments

You can use secrets in a deployment using the --secret flag in the deploy command. Secrets are exposed as environment variables in your deployed code.

tensorkube deploy --secret secret1 --secret secret2 ...

If you are deploying in a particular environment, make sure the secrets have also been created in that particular environment.

Example

Let’s say you create a secret with the command:

tensorkube secret create secret1 KEY1=VAL1 key2=val2

And deploy your app with the command:

tensorkube deploy --secret secret1

Now the secret is available for use both during builds and at runtime. The way you access it differs between build and runtime.

Accessing secrets during container build

If you want to access your secrets during container builds, you can use them in your Dockerfile by declaring them as ARG variables. For example, you can use the following Dockerfile to print the value of KEY1 from secret1 during the build:

Dockerfile
FROM python:3.9-slim

# ARG makes KEY1 available at build time
ARG KEY1

WORKDIR /app
COPY print_secrets.py /app/print_secrets.py
COPY main.py /app/main.py
# KEY1 is accessed as an environment variable here.
# Demonstration only: printing a secret writes its value to the build log.
RUN python print_secrets.py

CMD ["python", "main.py"]

where print_secrets.py is a simple Python script that prints the value of KEY1:

print_secrets.py
import os

print(os.environ.get("KEY1"))

Accessing secrets during deployment runtime

Using secrets at runtime is straightforward. You can access them in your code as environment variables:

main.py
import os

VAL1 = os.environ.get("KEY1")
val2 = os.environ.get("key2")

## Use VAL1 and val2 in your code as required
print(f'Value of secret KEY1 is {VAL1}')
print(f'Value of secret key2 is {val2}')
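
A stricter variant of the runtime access shown above, as an added example that is not part of the original Tensorkube documentation: it fails at startup if a key from secret1 was not injected, and logs a short fingerprint instead of the value, so pods still running with a pre-update secret can be told apart from redeployed ones. The helper names (load_secrets, fingerprint, startup_report) are hypothetical, and the sample environment is constructed.

```python
import hashlib
import os

# Keys from the page's `secret1` example; adjust to your own secret.
REQUIRED_KEYS = ("KEY1", "key2")


class MissingSecretError(RuntimeError):
    """Raised when a secret the app depends on was not injected."""


def load_secrets(required=REQUIRED_KEYS, environ=None):
    """Return {key: value} for every required key, or fail closed.

    An empty string counts as missing so a blank value does not slip through.
    """
    env = os.environ if environ is None else environ
    missing = [k for k in required if not env.get(k)]
    if missing:
        # Name the keys only; never include values in the error message.
        raise MissingSecretError("secrets not set: " + ", ".join(missing))
    return {k: env[k] for k in required}


def fingerprint(value, length=8):
    """Short SHA-256 prefix that identifies a secret version in logs.

    Assumes high-entropy values (API keys, tokens); skip this for
    human-chosen passwords, where even a short hash helps guessing.
    """
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:length]


def startup_report(secrets):
    """Log lines that are safe to print: key names and fingerprints only."""
    return [f"secret {k} loaded fp={fingerprint(v)}"
            for k, v in sorted(secrets.items())]


if __name__ == "__main__":
    # Constructed sample environment standing in for what the pod receives.
    sample_env = {"KEY1": "VAL1", "key2": "val2"}
    for line in startup_report(load_secrets(environ=sample_env)):
        print(line)
```

Comparing the fp= values in the logs of two pods shows whether both hold the same version of the secret after an update.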