The OpenShift secrets functionality allows for storage and access of sensitive information. The OpenShift documentation on secrets can be found here.
Key Points
- All secret data must be Base64 encoded. It will be decoded by OpenShift when your application attempts to access it.
- The secret must be created before it can be referenced by your application. Secrets are project-scoped: every application within the project, and none outside it, has access to a secret.
- The deployment config of your application will need to be modified to mount a volume containing the secret. Use syntax similar to this:
oc volume dc/prod --add --type=secret --secret-name=samlprod --mount-path=/usr/src/app/myapp/local/saml
- Reference that location in your code. Note: each data field within a secret will show up as a separate file within that volume.
Working With Secrets
Use the following commands to work with secrets within your project. Secrets cannot be edited directly; instead, they should be deleted and recreated.
oc get secrets
Provides a list of all secrets in the current namespace. Use this to determine which secret you wish to modify.
oc describe secret mysecret
This provides more information on the secret 'mysecret', which helps confirm that it is the secret you wish to modify.
oc delete secret mysecret
This will delete the secret named 'mysecret'. Your actual secret will likely have a different name.
oc create secret generic mysecret --from-file=./prod
This will recreate the secret from the contents of the local directory "prod"; each file in that directory becomes one data field. Deleting a secret will not remove its mount from a deployment configuration. Updated secret values only become available to existing pods once they are restarted or redeployed.
oc delete pod mypod
Updating the secret does not automatically redeploy, so it is necessary to manually trigger the pods to pick up the new values by deleting the existing pods.
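To make the Base64 and file-per-key points above concrete, and to let you check what `oc create secret generic mysecret --from-file=./prod` will put into the secret before it is applied, here is an added shell example (not from the OpenShift documentation or the `oc` tool). It assumes only POSIX sh and the `base64` utility; the directory contents and secret name are constructed for the demo.

```shell
#!/bin/sh
# secret_manifest NAME DIR -> prints a Secret manifest on stdout.
# Every regular file in DIR becomes one key under .data; the value is the file's
# content Base64-encoded, which is what OpenShift stores and decodes back into
# one file per key under the volume mount path.
secret_manifest() {
    name=$1
    dir=$2
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        key=$(basename "$f")
        # some base64 implementations wrap output; join it into a single token
        value=$(base64 < "$f" | tr -d '\n')
        printf '  %s: %s\n' "$key" "$value"
    done
}

# secret_value MANIFEST_FILE KEY -> the decoded value of KEY, i.e. exactly what
# a pod will read from <mount-path>/KEY. Use it to review a manifest before
# deleting and recreating the real secret.
secret_value() {
    manifest=$1
    key=$2
    sed -n "s/^  $key: //p" "$manifest" | base64 -d
}

# demo: builds a constructed ./prod directory (hypothetical contents), renders
# the manifest for a secret named samlprod, and decodes one key back out.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/prod"
    printf 'hello' > "$tmp/prod/cert.pem"   # constructed sample content
    secret_manifest samlprod "$tmp/prod" > "$tmp/secret.yaml"
    cat "$tmp/secret.yaml"
    secret_value "$tmp/secret.yaml" cert.pem
    rm -rf "$tmp"
}
```

Source the file and run `demo` to see the rendered manifest; `secret_value` is the check worth running on any manifest you are about to apply, since a value that was Base64-encoded twice, or not at all, is the usual cause of a mounted file that the application cannot read.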