What I learned today — 30 January 2018
Spring-boot application consuming Kubernetes secrets as application properties.
Using a secret, such as a sensitive password, in a Spring-boot application relies on two things: exposing secrets as environment variables (a Kubernetes feature) and using environment variables to set application properties (a Spring-boot feature).
Assume you want to set the following application properties:
application.user # Env var equivalent: APPLICATION_USER
application.password # Env var equivalent: APPLICATION_PASSWORD
First, create the secret:
kubectl create secret generic test-secret --from-literal=username='my-app' --from-literal=password='top-secret-password'
This will create the secret and store its values base64-encoded, which is an encoding rather than encryption.
Next, we’ll create the deployment. I’m omitting most of the code here for brevity:
kind: Deployment
apiVersion: extensions/v1beta1
spec:
  template:
    spec:
      containers:
        - name: your-app
          image: your-spring-boot-app-image:latest
          env:
            # Each variable takes its value from one key of the secret
            - name: APPLICATION_USER
              valueFrom:
                secretKeyRef:
                  name: test-secret
                  key: username
            - name: APPLICATION_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: test-secret
                  key: password
This setup will replace application.user with my-app and application.password with top-secret-password, based on the values of APPLICATION_USER and APPLICATION_PASSWORD set using the secret’s values.
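As an added illustration (not part of the original post), the following Python models the chain described above: the secret's base64 data is decoded into plain-text environment variables, and Spring-boot's documented naming rule maps each property to the variable that overrides it. The function names container_env, env_name and bind are made up for this example, and the secret and env data are constructed to match the commands above.

```python
import base64

# Constructed sample: the shape of `kubectl get secret test-secret -o json`
# for the secret created above (values are base64 of the literals).
SECRET = {
    "metadata": {"name": "test-secret"},
    "data": {
        "username": base64.b64encode(b"my-app").decode(),
        "password": base64.b64encode(b"top-secret-password").decode(),
    },
}

# Constructed sample: the env section of the deployment above.
ENV_SPEC = [
    {"name": "APPLICATION_USER",
     "valueFrom": {"secretKeyRef": {"name": "test-secret", "key": "username"}}},
    {"name": "APPLICATION_PASSWORD",
     "valueFrom": {"secretKeyRef": {"name": "test-secret", "key": "password"}}},
]


def container_env(env_spec, secrets):
    """Resolve secretKeyRef entries to plain-text env vars (hypothetical helper)."""
    env = {}
    for entry in env_spec:
        ref = entry["valueFrom"]["secretKeyRef"]
        secret = secrets.get(ref["name"])
        if secret is None or ref["key"] not in secret["data"]:
            if ref.get("optional"):
                continue  # optional references are skipped, variable stays unset
            # A non-optional missing reference keeps the container from starting.
            raise KeyError(f"secret {ref['name']!r} key {ref['key']!r} not found")
        # Anyone who can read the Secret object can do this same decode.
        env[entry["name"]] = base64.b64decode(secret["data"][ref["key"]]).decode()
    return env


def env_name(prop):
    """Spring-boot's env var form of a property: '.' -> '_', drop '-', uppercase."""
    return prop.replace(".", "_").replace("-", "").upper()


def bind(properties, env):
    """Return the properties an env var overrides, keyed by property name."""
    return {p: env[env_name(p)] for p in properties if env_name(p) in env}
```

Inside the container the values are ordinary plain-text environment variables, so anything that can read the process environment can read the password.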
Much more can be done to make this more secure by limiting access to the secret using RBAC, and secrets can be secured using more advanced secret management, but this is the basic concept.