Kubernetes Secrets - How to Create, Use, & Access Secrets in ASP.NET Core

In the previous blog post, we discussed building a Weather Forecast API using Kubernetes and MongoDB. While deploying applications, it’s crucial to manage sensitive information like API keys, database credentials, and other secrets securely. In this blog post, we’ll guide you through adding secrets to your Kubernetes cluster to enhance the security of your Weather Forecast API.

Why Use Kubernetes Secrets?

Kubernetes provides a built-in feature called Secrets to manage sensitive data. Secrets allow you to store and distribute sensitive information to your application pods securely. Secrets are base64-encoded data objects that can be used to store items like passwords, tokens, or keys.

Here’s why you should use Kubernetes Secrets:

1. Security: Secrets are stored securely in etcd, the Kubernetes key-value store, and can be encrypted at rest.

2. Access Control: Kubernetes allows you to control who can access and use secrets, limiting exposure to unauthorized users.

3. Automated Rotation: Kubernetes supports automated rotation of secrets, ensuring that your sensitive data remains up to date.

Adding a Secret to Kubernetes

Let’s go through the steps to add a secret to your Kubernetes cluster:

Step 1: Create a Secret

You can create a secret from the command line using the kubectl create secret command. For example, to create a secret named api-secret with a key-value pair for an API key, use the following command:

kubectl create secret generic api-secret --from-literal=api-key=your-api-key-value

Replace your-api-key-value with the actual value of your API key.

Step 2: Verify the Secret

You can verify that the secret has been created by running:

kubectl get secret api-secret

This command will display information about the api-secret, including its type and data items.

Step 3: Use the Secret in a Pod

To use the secret in a pod, you need to reference it in the pod’s configuration or environment variables. Here’s an example of how you can reference the api-secret in a pod’s environment variables:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: weather-app
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: weather-app
    spec:
      containers:
        - name: weather-app
          image: ks/weather:v2
          imagePullPolicy: Never
          ports:
            - containerPort: 80
          env:
            - name: MONGODB_CONNECTION_STRING
              value: "mongodb-service:27017"
            - name: API_KEY
              valueFrom:
                secretKeyRef:
                  name: api-secret
                  key: api-key

In this example, the API_KEY environment variable in the pod is populated with the value from the api-secret secret’s api-key key.

Step 4: Deploy the Updated Configuration

After updating the pod configuration with the secret reference, deploy the updated configuration to your Kubernetes cluster:

kubectl apply -f weather-app-deployment.yaml

This command will apply the changes to the weather-app deployment, including the secret reference.

Integrating Secrets in Your C# Code

To access the secret API_KEY in your C# code, you can use the Environment.GetEnvironmentVariable method. Here’s an example of how you can retrieve the API key:

 [HttpGet("secret")]
 public IActionResult GetSecret()
 {
     string apiKey = Environment.GetEnvironmentVariable("API_KEY");
     _logger.LogInformation("Getting Secret {0}", apiKey);
     return Ok(new { ApiKey = apiKey });
 }

By integrating secrets in your C# code, you can securely access sensitive information, such as API keys, within your application.

Managing Secrets with kind: Secret in Kubernetes

To securely manage sensitive information like API keys, we can use Kubernetes Secrets. Secrets are base64-encoded data objects that allow you to store and distribute sensitive data within your Kubernetes cluster. Here’s how you can create and use a secret:

Step 1: Create a Secret

Create a YAML file, e.g., api-key-secret.yaml, to define your secret. Below is an example YAML definition:

apiVersion: v1
kind: Secret
metadata:
  name: api-key-secret
type: Opaque
data:
  API_KEY: <base64-encoded-api-key>

Replace <base64-encoded-api-key> with your actual API key, base64-encoded. You can base64-encode your API key using various tools or programming languages.

Step 2: Apply the Secret to Your Cluster

Apply the secret to your Kubernetes cluster using the kubectl apply command:

kubectl apply -f api-key-secret.yaml

This command will create the api-key-secret secret in your cluster, making the API key securely available for your applications.

Conclusion

By adding secrets to your Kubernetes cluster, you can securely manage sensitive data required by your applications, such as API keys, passwords, and other confidential information. Kubernetes makes it easy to create, manage, and use secrets, enhancing the overall security of your deployed applications.