Using secrets

Learn how to create a Secret and configure your Knative serving services and revisions to use that Secret.

A common use case for a service is to access third-party applications through usernames and passwords. For Google Kubernetes Engine, it's a best practice to store this type of sensitive information in a Kubernetes Secret object.

To provide your containers with access to Secrets, you can mount each Secret as a volume, which makes the entries in the Secret available to the container as files. You should mount your Secret to ensure that you get the latest version of each Secret when it is read.

You can also pass a Secret using environment variables.

Creating a Secret

The following steps simply demonstrate how to create a Secret but there are several ways to create a Secret, as explained in the Secret topic.

When you create a Secret, make sure you create it in the same namespace as the cluster that is running your Knative serving service. In these examples, the default namespace is used.

To create a Secret in the default namespace of your cluster:

  • Create a Secret using a file:

    echo -n 'devuser' > ./username.txt
echo -n 'S!B\*d$zDsb' > ./password.txt
kubectl create secret generic user-creds --from-file=./username.txt --from-file=./password.txt

  • Create a Secret using a kubectl command only:

    kubectl create secret generic user-creds --from-literal=username=devuser --from-literal=password='S!B\*d$zDsb'

Making a Secret available to a service

You can associate secrets with a service using the Google Cloud console or command-line tools when you deploy a new service or update an existing service and deploy a revision:

Console

  1. Go to Knative serving in the Google Cloud console:

    Go to Knative serving

  2. Click Create Service if you are configuring a new service you are deploying to. If you are configuring an existing service, click on the service, then click Edit & Deploy New Revision.

  3. Under Advanced settings, click Variables and Secrets.

  4. Under Reference a Secret, select the desired Secret from the pulldown menu.

    • In the Reference method pulldown menu, select the way you want to use your Secret, mounted as a volume or exposed as environment variables.
    • If you are using mount as a volume, specify the path, then click Done.
    • If you are exposing as environment variables:
      1. Supply the Name of the variable and select the corresponding Secret value from the Key pulldown menu.
      2. Click Add to add another secret value.
      3. Supply the Name of the variable and select the corresponding Secret value from the Key pulldown menu.
      4. Click Done.

  5. Click Next to continue to the next section.

  6. In the Configure how this service is triggered section, select which connectivity you would like to use to invoke the service.

  7. Click Create to deploy the image to Knative serving and wait for the deployment to finish.

gcloud

You can use the Google Cloud CLI to associate Secrets with new services or to update existing services:

  • For existing services, update a Secret by running the gcloud run services update command with one of the following parameters:

    Example:

    gcloud run services update SERVICE --update-secrets KEY1=VALUE1,KEY2=VALUE2

    Replace:

    • SERVICE with the name of your service.
    • KEY1=VALUE1,KEY2=VALUE2 with a comma separated list of name and value pairs for each Secret. For each KEY you specify the path by starting with a forward slash / to mount a Secret as a file. Optionally, you can exclude the forward slash to mount the Secret as an environment variable. For each VALUE, specify the secret name. How to specify multiple parameters.

      • Command parameter options

      To specify several sets of key-value pairs, you can specify multiple parameters for readability. Example: 
      [...]
--update-secrets "KEY=VALUE1" \
--update-secrets "KEY=VALUE2" \
--update-secrets "KEY=VALUE3"

  • For new services, associate a Secret by running the gcloud run deploy command with the --set-secrets parameter:

    gcloud run deploy SERVICE --image=IMAGE_URL --set-secrets KEY1=VALUE1,KEY2=VALUE2

    Replace:

    • IMAGE_URL with a reference to the container image, for example, gcr.io/cloudrun/hello.
    • SERVICE with the name of your service.
    • KEY1=VALUE1,KEY2=VALUE2 with a comma separated list of name and value pairs for each Secret. For each KEY you specify the path by starting with a forward slash / to mount a Secret as a file. Optionally, you can exclude the forward slash to mount the Secret as an environment variable. For each VALUE, specify the secret name. How to specify multiple parameters.

      • Command parameter options

      To specify several sets of key-value pairs, you can specify multiple parameters for readability. Example: 
      [...]
--update-secrets "KEY=VALUE1" \
--update-secrets "KEY=VALUE2" \
--update-secrets "KEY=VALUE3"