oc -n "${NAMESPACE}" delete secret "${SECRET_NAME}"
oc -n "${NAMESPACE}" create secret generic "${SECRET_NAME}" --from-env-file="secrets/${SECRET_NAME}.env"
NOTE: Deploying secrets will not affect running Pods. They need to be restarted or redeployed to pull any changed configuration.
The following examples explain their behavior with my-first-secret hosting
ALPHA="earth"
BRAVO="mars"
and my-second-secret hosting
BRAVO="saturn"
CHARLIE="neptune"
See EnvFromSource and SecretEnvSource
Using envFrom and secretRef we can conveniently import the whole Secret:
kind: DeploymentConfig
apiVersion: v1
spec:
  template:
    spec:
      containers:
        - name: my-container
          envFrom:
            - secretRef:
                name: my-first-secret
            - secretRef:
                name: my-second-secret
              prefix: FUNKY_
The Pod will know the following ENV:
ALPHA="earth"
BRAVO="mars"
FUNKY_BRAVO="saturn"
FUNKY_CHARLIE="neptune"
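Both secrets define BRAVO, and when the same name arrives from more than one envFrom source, Kubernetes keeps the value from the last source without any warning. The following pre-deploy check is an added example, not part of the original page: the function name envfrom_collisions and the "ENVFILE:PREFIX" argument form are assumptions made for illustration, and the sample files are constructed from the two secrets above.

```shell
#!/bin/sh
# Added example (not from the original page): flag envFrom name collisions.
# Each argument is one envFrom source, in order: "ENVFILE" or "ENVFILE:PREFIX".
# Assumptions: file paths contain no ":" and files hold KEY=VALUE lines, like
# the secrets/<name>.env files passed to --from-env-file.
envfrom_collisions() {
    for src in "$@"; do
        file=${src%%:*}
        prefix=""
        case $src in *:*) prefix=${src#*:} ;; esac
        # Emit "<prefixed name><TAB><file>" per key; comments and blank lines are skipped
        sed -n 's/^\([A-Za-z0-9_.-][A-Za-z0-9_.-]*\)=.*/\1/p' "$file" |
            while IFS= read -r key; do
                printf '%s\t%s\n' "${prefix}${key}" "$file"
            done
    done | awk -F '\t' '
        ($1 in owner) { printf "COLLISION %s: %s overridden by %s\n", $1, owner[$1], $2; bad = 1 }
        { owner[$1] = $2 }
        END { exit bad + 0 }'
}

# Constructed sample input: the two secrets used on this page.
DEMO_DIR=$(mktemp -d)
printf 'ALPHA="earth"\nBRAVO="mars"\n' > "$DEMO_DIR/my-first-secret.env"
printf 'BRAVO="saturn"\nCHARLIE="neptune"\n' > "$DEMO_DIR/my-second-secret.env"

# Without a prefix, BRAVO from my-second-secret replaces BRAVO from my-first-secret.
envfrom_collisions "$DEMO_DIR/my-first-secret.env" "$DEMO_DIR/my-second-secret.env" \
    || echo "fix: add a prefix or import single keys with env/secretKeyRef"

# With prefix FUNKY_ (as in the DeploymentConfig above) every name is unique.
envfrom_collisions "$DEMO_DIR/my-first-secret.env" "$DEMO_DIR/my-second-secret.env:FUNKY_" \
    && echo "no collisions"
```

The function returns non-zero when any name is supplied twice, so it can gate a deployment script.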
See EnvVar and EnvVarSource and SecretKeySelector
Using env and secretKeyRef we can import specific values from a Secret:
kind: DeploymentConfig
apiVersion: v1
spec:
  template:
    spec:
      containers:
        - name: my-container
          env:
            - name: MY_KINDA_THING
              valueFrom:
                secretKeyRef:
                  key: ALPHA
                  name: my-first-secret
The Pod will know the following ENV:
MY_KINDA_THING="earth"
If you need to use the secrets in bash, the following might help:
SECRET_NAME_KAFKA="kafka-preprod"
# Fetch the Secret once as JSON (--export has been removed from current oc/kubectl and is not needed here)
OC_KAFKA_SECRET=$(oc -n "${OS_NAMESPACE}" get secret "${SECRET_NAME_KAFKA}" -o json)
# Values under .data are base64-encoded; jq's @base64d filter (jq 1.6+) decodes them
KAFKA_BROKER_HOST=$(echo -n "${OC_KAFKA_SECRET}" | tr '\r\n' ' ' | jq -r '.data["KAFKA_BROKER_HOST"] | @base64d')
KAFKA_SASL_USERNAME=$(echo -n "${OC_KAFKA_SECRET}" | tr '\r\n' ' ' | jq -r '.data["KAFKA_SASL_USERNAME"] | @base64d')
KAFKA_SASL_PASSWORD=$(echo -n "${OC_KAFKA_SECRET}" | tr '\r\n' ' ' | jq -r '.data["KAFKA_SASL_PASSWORD"] | @base64d')
KAFKA_PROPERTIES_FILE="$(pwd)/kafka.properties"
# The file will contain the SASL password: make it readable by the owner only before writing
touch "${KAFKA_PROPERTIES_FILE}" && chmod 600 "${KAFKA_PROPERTIES_FILE}"
echo "sasl.mechanism=PLAIN
security.protocol=SASL_SSL
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
username=\"${KAFKA_SASL_USERNAME}\" \
password=\"${KAFKA_SASL_PASSWORD}\";
" > "${KAFKA_PROPERTIES_FILE}"