Working with Secrets
Use secrets in your deployments for sensitive information
Very often, deployments require sensitive information such as passwords, API keys, or certificates. Tensorkube provides a built-in feature called Secrets to securely store and manage such sensitive data.
Creating a secret
To create a secret in tensorkube, you can use the following command:
The secret name must follow the following rules:
- Contain only lowercase alphanumeric characters (a-z, 0-9), hyphens(-) and, period(.)
- Start and end with an alphanumeric character (a-z, 0-9).
- Be a maximum of 253 characters.
Arguments:
-
SECRET_NAME: [required]
-
KEYVALUES…: [required], Space-separated KEY=VALUE items
-
—env ENV_NAME: [optional], Environment in which the secret is created. If not specified, default environment is used.
-
—force: [optional], Overwrite the secret if it already exists.
When updating a secret, it’s important to redeploy any application that uses this secret. Failure to do so may result in inconsistencies in application behavior, as any running pods might still be using the old secret value but any new onces created will use the updated values. To ensure consistent behavior, always redeploy your applications after updating a secret.
Listing secrets
You can list out created secrets using the command:
Arguments:
- —env ENV_NAME: [Optional] Specify the environment to list the secrets from. If not specified, secrets from the default environment will be listed.
Deleting secrets
You can delete a secret using the command:
Arguments:
-
SECRET_NAME: [Required], The name of the secret you want to delete.
-
—env ENV_NAME: [Optional], Specify the environment from which the secret should be deleted. If not specified, the secret will be deleted from the default environment.
Using secrets in deployments
You can use secrets in a deployment using the --secret
flag in the deploy command. Secrets are exposed
as environment variables in your deployed code.
If you are deploying in a particular environment, make sure the secrets have also been created in that particular environment.
Example
Let’s say you create a secret with the command
And deploy your app with the command
Now the secret is available for use, both during builds as well as during runtime. The way you access these secrets differs during build and runtime.
Container builds with secrets
If you want to access your secrets during container builds, you can use them in your Dockerfile by mounting them as type secret
in Dockerfile. You would need to
specify the following RUN
command before the step where you want to use the secret.
Remember to use key names such as KEY1
as id
and env
values in the --mount
flag. ** Do not use the secret name as the key name.**
Also, do not forget to deploy the service with the --secret
flag to make the secret available during both build and runtime.
Example 1: Echo secret during build
Create a secret
Create a Dockerfile
Deploy with the secret flag
For eg you can use the following Dockerfile
to print the value of KEY1
from secret1
during build:
If you have multiple secrets, you can mount them as follows:
Run the deploy command with both the secrets -
Example 2: Cloning a private repository during build
If you want to clone a private repository during build with Personal access tokens, you can use secrets using below steps. Ensure that your token has proper permissions.
Add the github token as a secret
Mount the secret in Dockerfile
Note that I am using GITHUB_TOKEN
here, which was the KEY
of our secret insread of github-secrets
which was the secret name.
Accessing secrets during deployment runtime
Using secrets in deployment is straightforward. You can access these in your code as follows during runtime: