Very often, deployments require sensitive information such as passwords, API keys, or certificates. Tensorkube provides a built-in feature called Secrets to securely store and manage such sensitive data.

Creating a secret

To create a secret in tensorkube, you can use the following command:

tensorkube secret create <SECRET-NAME> KEY1=VAL1 KEY2=VAL2 KEY3=VAL3 ...

The secret name must follow the following rules:

  • Contain only lowercase alphanumeric characters (a-z, 0-9), hyphens(-) and, period(.)
  • Start and end with an alphanumeric character (a-z, 0-9).
  • Be a maximum of 253 characters.

Arguments:

  • SECRET_NAME: [required]

  • KEYVALUES…: [required], Space-separated KEY=VALUE items

  • —env ENV_NAME: [optional], Environment in which the secret is created. If not specified, default environment is used.

  • —force: [optional], Overwrite the secret if it already exists.

When updating a secret, it’s important to redeploy any application that uses this secret. Failure to do so may result in inconsistencies in application behavior, as any running pods might still be using the old secret value but any new onces created will use the updated values. To ensure consistent behavior, always redeploy your applications after updating a secret.

If you have quotes in secret value, you should escape them with a backslash to preserve the quotes. For example, if you want to store password=my_pa"ss"word, you should use tensorkube secret create dummy-secret password=my_pa\"ss\"word. Doing this will let you store actual value which is password=my_pa"ss"word.

Listing secrets

You can list out created secrets using the command:

tensorkube list secrets

Arguments:

  • —env ENV_NAME: [Optional] Specify the environment to list the secrets from. If not specified, secrets from the default environment will be listed.

Deleting secrets

You can delete a secret using the command:

tensorkube secret delete SECRET_NAME

Arguments:

  • SECRET_NAME: [Required], The name of the secret you want to delete.

  • —env ENV_NAME: [Optional], Specify the environment from which the secret should be deleted. If not specified, the secret will be deleted from the default environment.

Using secrets in deployments

You can use secrets in a deployment using the --secret flag in the deploy command. Secrets are exposed as environment variables in your deployed code.

tensorkube deploy --secret secret1 --secret secret2 ...

If you are deploying in a particular environment, make sure the secrets have also been created in that particular environment.

Example

Let’s say you create a secret with the command

tensorkube secret create secret1 KEY1=VAL1 key2=val2

And deploy your app with the command

tensorkube deploy --secret secret1

Now the secret is available for use, both during builds as well as during runtime. The way you access these secrets differs during build and runtime.

Container builds with secrets

If you want to access your secrets during container builds, you can use them in your Dockerfile by mounting them as type secret in Dockerfile. You would need to specify the following RUN command before the step where you want to use the secret.

RUN --mount=type=secret,id=KEY1,env=KEY1 <YOUR_COMMAND>

Remember to use key names such as KEY1 as id and env values in the --mount flag. ** Do not use the secret name as the key name.** Also, do not forget to deploy the service with the --secret flag to make the secret available during both build and runtime.

Example 1: Echo secret during build

1

Create a secret

tensorkube secret create demo-secret DEMO_KEY=demo
2

Create a Dockerfile

FROM python:3.9-slim
RUN --mount=type=secret,id=DEMO_KEY,env=DEMO_KEY echo $DEMO_KEY
3

Deploy with the secret flag

tensorkube deploy --secret demo-secret

For eg you can use the following Dockerfile to print the value of KEY1 from secret1 during build:

If you have multiple secrets, you can mount them as follows:

Dockerfile
RUN --mount=type=secret,id=DEMO_KEY,env=DEMO_KEY --mount=type=secret,id=DEMO_KEY_2,env=DEMO_KEY_2 echo $DEMO_KEY $DEMO_KEY_2

Run the deploy command with both the secrets -

tensorkube deploy --secret demo-secret --secret demo-secret-2

Example 2: Cloning a private repository during build

If you want to clone a private repository during build with Personal access tokens, you can use secrets using below steps. Ensure that your token has proper permissions.

1

Add the github token as a secret

tensorkube secret create github-secrets GITHUB_TOKEN=github_pat_xxx
2

Mount the secret in Dockerfile

FROM python:3.11-slim

# Install git
RUN apt-get update && apt-get install -y --no-install-recommends git \
&& rm -rf /var/lib/apt/lists/*

# Clone repository (replace with your GitHub URL)

RUN --mount=type=secret,id=GITHUB_TOKEN,env=GITHUB_TOKEN git clone https://samagra14:${GITHUB_TOKEN}@github.com/samagra14/vllm.git

Note that I am using GITHUB_TOKEN here, which was the KEY of our secret insread of github-secrets which was the secret name.

3

tensorkube deploy --secret github-secrets

Accessing secrets during deployment runtime

Using secrets in deployment is straightforward. You can access these in your code as follows during runtime:

main.py
import os

VAL1 = os.environ.get("KEY1")
val2 = os.environ.get("key2")

## Use VAL1 and val2 in your code as required
print(f'Value of secret KEY1 is {VAL1}')
print(f'Value of secret key2 is {val2}')
Config FileDev Containers