How-To: Access Kubernetes secrets using PodSpec

Learn how to patch Kubernetes secrets into the container environment using PodSpec definitions

This how-to guide will provide an overview of how to:

  • Patch existing Kubernetes secrets using PodSpec definitions and provide them to the environment of a container.

Prerequisites

Step 1: Define a container

Begin by creating a file named app.bicep with a Radius container:

extension radius

@description('Specifies the environment for resources.')
param environment string

resource app 'Applications.Core/applications@2023-10-01-preview' = {
  name: 'demo'
  properties: {
    environment: environment
  }
}

resource demo 'Applications.Core/containers@2023-10-01-preview' = {
  name: 'demo'
  properties: {
    application: app.id
    container: {
      image: 'ghcr.io/radius-project/samples/demo:latest'
      ports: {
        web: {
          containerPort: 3000
        }
      }
    }
  }
}

Step 2: Deploy the app and container

Run this command to deploy the app and container:

rad run ./app.bicep -a demo

Once the deployment completes successfully, you should see the following confirmation message along with some system logs:

Building app.bicep...
Deploying template 'app.bicep' for application 'demo' and environment 'dev' from workspace 'dev'...

Deployment In Progress...

..                   demo            Applications.Core/containers
Completed            demo            Applications.Core/applications

Deployment Complete

Resources:
    demo            Applications.Core/applications
    demo            Applications.Core/containers

Starting log stream...

+ demo-7d94db59f6-ps6cf › demo
demo-7d94db59f6-ps6cf demo No APPLICATIONINSIGHTS_CONNECTION_STRING found, skipping Azure Monitor setup
demo-7d94db59f6-ps6cf demo Using in-memory store: no connection string found
demo-7d94db59f6-ps6cf demo Server is running at http://localhost:3000
dashboard-7f7db87c5-7d2jf dashboard [port-forward] connected from localhost:7007 -> ::7007
demo-7d94db59f6-ps6cf demo [port-forward] connected from localhost:3000 -> ::3000

Verify the pod is running:

kubectl get pods -n dev-demo

You should see the following output in your console:

NAME                    READY   STATUS    RESTARTS   AGE
demo-7d94db59f6-k7dfb   1/1     Running   0          62s

Step 3: Create a secret

Create a secret in your Kubernetes cluster using the following command:

kubectl create secret generic my-secret --from-literal=secret-key=secret-value -n dev-demo

Verify the secret is created:

kubectl get secrets -n dev-demo

Step 4: Patch the secret

Patch the secret into the container by adding the following runtimes block to the container resource in your app.bicep file:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
extension radius

@description('Specifies the environment for resources.')
param environment string

resource app 'Applications.Core/applications@2023-10-01-preview' = {
  name: 'demo'
  properties: {
    environment: environment
  }
}

resource demo 'Applications.Core/containers@2023-10-01-preview' = {
  name: 'demo'
  properties: {
    application: app.id
    container: {
      image: 'ghcr.io/radius-project/samples/demo:latest'
      ports: {
        web: {
          containerPort: 3000
        }
      }
    }
    runtimes: {
      kubernetes: {
        pod: {
          volumes: [ {
              name: 'secrets-vol'
              secret: {
                secretName: 'my-secret'
              }
            }
          ]
          containers: [
            {
              name: 'demo'
              volumeMounts: [ {
                  name: 'secrets-vol'
                  readOnly: true
                  mountPath: '/etc/secrets-vol'
                }
              ]
              env: [
                {
                  name: 'MY_SECRET'
                  valueFrom: {
                    secretKeyRef: {
                      name: 'my-secret'
                      key: 'secret-key'
                    }
                  }
                }
              ]
            }
          ]
          hostNetwork: true
        }
      }
    }
  }
}

Step 5: Redeploy the app and container

Redeploy and run your app:

rad app deploy demo

Once the deployment completes successfully, you should see the environment variable in the container.

To validate this, first get the pod name:

kubectl get pods -n dev-demo

You should see the following output in your console, with the pod name:

NAME                    READY   STATUS    RESTARTS   AGE
demo-d64cc4d6d-xjnjz   1/1     Running   0          62s

Then, exec into the pod and check the environment variable (substitute the pod name with the one you got from the previous command):


kubectl -n dev-demo exec demo-d64cc4d6d-xjnjz -- env | grep MY_SECRET

kubectl -n dev-demo exec demo-d64cc4d6d-xjnjz -- env | findstr MY_SECRET

Cleanup

Run the following command to delete your app and container:

rad app delete demo

Further reading