Question 19 - Create Secret and Mount into Pod
NOTE: This task can only be solved if question 18 or 20 has been completed successfully and the k8s-c3-CCC cluster has a functioning worker node.
Use context: kubectl config use-context k8s-c3-CCC
Do the following in a new Namespace secret. Create a Pod named secret-pod of image busybox:1.31.1 which should keep running for some time.
There is an existing Secret located at /opt/course/19/secret1.yaml, create it in the Namespace secret and mount it readonly into the Pod at /tmp/secret1.
Create a new Secret in Namespace secret called secret2 which should contain user=user1 and pass=1234. These entries should be available inside the Pod's container as environment variables APP_USER and APP_PASS.
Confirm everything is working.
One question can depend on another: if the cluster we're about to use was not repaired in the previous questions, the Pod will never be scheduled and nothing below can be verified. Let's assume it's fine.
kubectl config use-context k8s-c3-CCC
k create ns secret
# We were told there's a template for a secret that must be created in the secret namespace and mounted in the pod.
cp /opt/course/19/secret1.yaml new_secret1.yaml
vim new_secret1.yaml
Review what we're about to apply and make the one change needed (the namespace):
apiVersion: v1
kind: Secret
metadata:
  creationTimestamp: null
  name: secret1
  namespace: secret   # change to the requested namespace
data:
  halt: IyEgL2Jpbi9zaAo...
# Create it from the copy we just edited
k create -f new_secret1.yaml
# Now let's create the second secret that was requested
k create secret -n secret generic secret2 --from-literal=user=user1 --from-literal=pass=1234
# Let's create a template for the pod. This pod needs to be running when the evaluator checks, so let's give it a few days
k run secret-pod -n secret --image=busybox:1.31.1 --dry-run=client -o yaml -- sh -c "sleep 10d" > /opt/course/19/pod.yaml
vim /opt/course/19/pod.yaml
Now wire the secrets into the Pod: secret1 as a read-only volume and secret2 as environment variables.
# /opt/course/19/pod.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: secret-pod
  name: secret-pod
  namespace: secret
spec:
  containers:
  - args:
    - sh
    - -c
    - sleep 10d
    image: busybox:1.31.1
    name: secret-pod
    resources: {}
    env:                          # add
    - name: APP_USER              # add
      valueFrom:                  # add
        secretKeyRef:             # add
          name: secret2           # add
          key: user               # add
    - name: APP_PASS              # add
      valueFrom:                  # add
        secretKeyRef:             # add
          name: secret2           # add
          key: pass               # add
    volumeMounts:                 # add
    - name: secret1               # add
      mountPath: /tmp/secret1     # add
      readOnly: true              # add
  dnsPolicy: ClusterFirst
  restartPolicy: Always
  volumes:                        # add
  - name: secret1                 # add
    secret:                       # add
      secretName: secret1         # add
status: {}
And let's apply and check.
k create -f /opt/course/19/pod.yaml
# Just to check
➜ k exec -n secret secret-pod -- env | grep APP
APP_PASS=1234
APP_USER=user1
➜ k exec -n secret secret-pod -- find /tmp/secret1
/tmp/secret1
/tmp/secret1/..data
/tmp/secret1/halt
/tmp/secret1/..2019_12_08_12_15_39.463036797
/tmp/secret1/..2019_12_08_12_15_39.463036797/halt
➜ k -n secret exec secret-pod -- cat /tmp/secret1/halt
#! /bin/sh
### BEGIN INIT INFO
# Provides: halt
# Required-Start:
# Required-Stop:
# Default-Start:
# Default-Stop: 0
# Short-Description: Execute the halt command.
# Description:
...
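The two things worth understanding behind this task are what `kubectl create secret generic --from-literal` actually writes into the API (base64 in `data:`, which is encoding, not encryption) and that a wrong `key:` in a `secretKeyRef` is only caught at container start (the Pod goes to CreateContainerConfigError rather than failing at apply time). The script below is an added example, not part of the original course answer: it renders the same secret2 manifest offline, decodes a value back the way anyone with `get` on Secrets could, and checks that the keys the Pod expects (`user`, `pass`) exist before applying. The function names `render_secret`, `secret_value` and `has_key` are this example's own; the namespace, secret name and key/value pairs are the ones from the task.

```shell
#!/usr/bin/env bash
# Added example (not the course's own code): build and inspect a Secret manifest offline.
set -eu

# base64 without line wrapping, portable across GNU and BSD base64
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# render_secret NAMESPACE NAME key=value [key=value ...]
# Emits what `kubectl create secret generic NAME --from-literal=key=value -o yaml` would:
# values land in `data:` base64-encoded (reversible), so the file is as sensitive as the values.
render_secret() {
  ns="$1"; name="$2"; shift 2
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' "$name" "$ns"
  for kv in "$@"; do
    printf '  %s: %s\n' "${kv%%=*}" "$(b64 "${kv#*=}")"
  done
}

# secret_value MANIFEST KEY -> decoded plaintext of data.KEY
# This is exactly what `kubectl get secret -o yaml | ... | base64 -d` gives a reader of the Secret.
secret_value() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k":" {print $2}' | base64 -d
}

# has_key MANIFEST KEY -> exit 0 if data.KEY is present, 1 otherwise
# Use it to validate secretKeyRef keys before `kubectl create`, since the API will not.
has_key() { printf '%s\n' "$1" | grep -q "^  $2: "; }

# --- demo with the task's values (constructed input) ---
manifest="$(render_secret secret secret2 user=user1 pass=1234)"
printf '%s\n' "$manifest"

# the Pod maps APP_USER <- user and APP_PASS <- pass; fail early on a typo
for k in user pass; do
  has_key "$manifest" "$k" || { echo "secret2 is missing key '$k'" >&2; exit 1; }
done

echo "user decodes to: $(secret_value "$manifest" user)"
```

Pipe the rendered manifest into `kubectl create -f -` to create the Secret from it, or keep using `--from-literal` as above; the result is the same object. Two follow-up checks are worth running on the live cluster: `kubectl get secret -n secret secret2 -o yaml` shows that the values are readable by anyone who can read the Secret, and `kubectl exec -n secret secret-pod -- touch /tmp/secret1/x` should fail with "Read-only file system", confirming the mount really is read-only (Secret volumes are mounted read-only by default; `readOnly: true` makes that explicit).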