Chapter 12. Application Secrets Management
Every application has information that needs to be kept confidential. This information could include database credentials, external service authentication, or even the location of certain resources. All of these are collectively called secrets. Your application needs a secure place to store these secrets both during application startup and at rest. In this chapter, we will discuss secret management using Kubernetes and Vault.
12.1 Storing Data Using Kubernetes Secrets
Problem
You want to store secrets in Kubernetes in a safer way than directly on the Pod or container.
Solution
Use Kubernetes secrets to store and retrieve sensitive data such as passwords, tokens, or SSH keys in plain text on a container.
Kubernetes has the concept of secret objects that can be used to store sensitive data.
It is important to know that storing sensitive data in a secret object does not automatically make it secure because Kubernetes does not encrypt data but instead encodes it in Base64 by default. Using secrets gives you some features that are not provided by the standard configuration process:
-
You can define the authorization policies to access the secret.
-
You can configure Kubernetes to encrypt sensitive data (this is known as encryption at rest).
-
You can grant access to a specific container instance using lists.
Important
None of these features are enabled by default, and they require some knowledge about Kubernetes. In the book, we explain ...
Get Quarkus Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
