Container Service: Developing an Application - OpenShift Secrets

The OpenShift secrets functionality allows your application to store and access sensitive information (credentials, keys, certificates) without baking it into the image or the deployment config. See the OpenShift documentation on secrets for the full reference.

Key Points

  1. Secret values are stored Base64 encoded in the secret object. The oc command line encodes for you when you create a secret from files or literals; only a hand-written manifest needs pre-encoded values. OpenShift decodes the values when it mounts the secret into your pod, so your application reads plaintext. Base64 is an encoding, not encryption: anyone allowed to read the secret object can read its contents.
  2. The secret must exist before a pod that references it can start; a pod whose secret is missing stays in ContainerCreating until the secret is created. Secrets are project-scoped: any pod in the same project can be configured to mount the secret, and nothing in another project can.
  3. The deployment config of your application will need to be modified to mount a volume containing the secret. Use syntax similar to this (oc set volume is the equivalent newer spelling of oc volume):
    oc volume dc/prod --add --type=secret --secret-name=samlprod --mount-path=/usr/src/app/myapp/local/saml
  4. Reference that location in your code. Note: each key in the secret's data shows up as a separate file, named after the key, inside the mounted directory; the file content is the decoded value, so do not Base64 decode it again.
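The whole round trip, as an added example that is not part of the OpenShift documentation: what oc create secret generic NAME --from-file=DIR sends to the API (one Base64-encoded key per file), how the kubelet projects those keys as plaintext files under the mount path, and how application code reads them back. The mount is simulated with a temporary directory and the file contents are constructed placeholders; the function names are this example's own.

```python
"""Added example (not from the OpenShift docs): build the Secret object that
`oc create secret generic NAME --from-file=DIR` creates, project it the way a
secret volume appears inside a pod, and read it from application code.
The mount is simulated with a temporary directory, so this runs offline."""
import base64
import os
import tempfile
from pathlib import Path


def secret_manifest_from_dir(name: str, directory: str) -> dict:
    """Equivalent of `oc create secret generic NAME --from-file=DIR`:
    one data key per regular file, value Base64-encoded. The CLI does this
    encoding for you; only a hand-written manifest needs it done by hand."""
    data = {}
    for entry in sorted(Path(directory).iterdir()):
        if entry.is_file():
            data[entry.name] = base64.b64encode(entry.read_bytes()).decode("ascii")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": data,
    }


def materialize_mount(manifest: dict, mount_path: str) -> list:
    """Simulate what the kubelet does for a secret volume: one file per data
    key under mount_path holding the *decoded* bytes. In a real pod the
    `oc volume dc/... --add --type=secret` mount does this for you."""
    written = []
    for key, value in manifest["data"].items():
        target = Path(mount_path) / key
        target.write_bytes(base64.b64decode(value))
        os.chmod(target, 0o400)  # owner-read only; secrets need no wider mode
        written.append(key)
    return written


def load_secret(mount_path: str) -> dict:
    """What application code does at startup: read every key file from the
    mounted secret directory. Values are already plaintext. Entries starting
    with '..' are the kubelet's own bookkeeping (..data symlink and the
    timestamped directory it points at) and are skipped."""
    result = {}
    for entry in Path(mount_path).iterdir():
        if entry.name.startswith(".."):
            continue
        if entry.is_file():  # follows the per-key symlinks on a real mount
            result[entry.name] = entry.read_text()
    return result


def demo() -> dict:
    """Run the round trip on constructed sample files and return everything
    needed to check it: the inputs, the manifest, and what the app read."""
    # Constructed placeholders, not real SAML material.
    inputs = {
        "idp_cert.pem": "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n",
        "sp_entity_id": "https://sp.example.org/saml\n",
        "environment": "prod\n",
    }
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as mount:
        for name, content in inputs.items():
            (Path(src) / name).write_text(content)
        manifest = secret_manifest_from_dir("samlprod", src)
        written = materialize_mount(manifest, mount)
        secret = load_secret(mount)
    return {
        "inputs": inputs,
        "manifest": manifest,
        "written": written,
        "secret": secret,
        "roundtrip_ok": secret == inputs,
    }


if __name__ == "__main__":
    r = demo()
    print("manifest data keys:", sorted(r["manifest"]["data"]))
    print("files in mount:", r["written"])
    print("round trip ok:", r["roundtrip_ok"])
```

The manifest the first function returns is what you would hand to oc create -f if you wrote the secret yourself; the load_secret function is the only part that belongs in the application, and it reads the mount path from step 3 (here /usr/src/app/myapp/local/saml) rather than a hard-coded copy of the values.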

Working With Secrets

Use the following commands to work with secrets within your project. This workflow replaces a secret by deleting and recreating it rather than editing it in place (oc edit secret does work, but you then have to paste Base64 encoded values by hand, which is error-prone).

oc get secrets

Provides a list of all secrets in the current namespace. Use this to determine which secret you wish to modify.

oc describe secret mysecret

This provides more information on the secret 'mysecret'. This will help to confirm that this is the secret you wish to modify.

oc delete secret mysecret

This will delete the secret named 'mysecret'. Your actual secret will likely have a different name.

oc create secret generic mysecret --from-file=./prod

This will recreate the secret with the contents of the local directory "prod", one key per file. Deleting a secret will not remove its mount from a deployment configuration, but a pod that starts while the secret is absent will hang in ContainerCreating until the secret exists again, so recreate the secret before restarting any pods. Pods that are already running keep their old values until they are restarted or redeployed.

oc delete pod mypod

Updating the secret does not automatically redeploy, so it is necessary to manually trigger the pods to pick up the new values. Deleting a pod that belongs to a deployment config makes its replication controller create a replacement, which mounts the current secret; alternatively, trigger a new rollout of the deployment config (oc rollout latest) to replace all of its pods at once. Secrets exposed as environment variables are only ever read at container start, so they always need a restart.

Last Updated: 
Tuesday, June 2, 2020