Podman now (well, for a while now) has support for secrets. Red Hat has a blog about it. This is particularly useful to 1) maintain better compatibility with Kubernetes manifests and 2) keep your secrets out of your git commits!
So, what is not well documented (that I could find) is that you can use these secrets in a Kubernetes manifest to inject secrets into environment variables. To do this, you have to first base64 encode them as you would for an actual Kubernetes secret.
Here, I'm taking a YAML snippet, using `yq` to convert it to JSON, then using `jq` to build a JSON object whose values are base64-encoded. Finally, I pass that to podman and tell it to create a secret called `ec-creds`.
```bash
# YAML -> JSON (yq) -> JSON with base64-encoded values (jq) -> podman secret read from stdin ("-")
cat <<EOF | yq e -o=json | jq '{ "cloud_id": (.cloud_id | @base64 ), "cloud_auth": (.cloud_auth | @base64)}' | sudo podman secret create ec-creds -
---
cloud_id: "<CLOUD ID NAME>:<ENCODED CLOUD ID>"
cloud_auth: "<CLOUD USER>:<CLOUD PASSWORD>"
EOF
```
You can now use that in a Kubernetes manifest as normal.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: filebeat
spec:
  containers:
    - name: filebeat
      image: docker.elastic.co/beats/filebeat:7.15.0
      env:
        - name: ELASTIC_CLOUD_ID
          valueFrom:
            secretKeyRef:
              name: ec-creds
              key: cloud_id
        - name: ELASTIC_CLOUD_AUTH
          valueFrom:
            secretKeyRef:
              name: ec-creds
              key: cloud_auth
  restartPolicy: Never
```
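A pre-flight check for the secret payload described above, as an added example that is not part of the original post. It assumes the payload format shown here (a JSON object mapping each key to a base64-encoded value); the function names and the script name `check_secret.py` are hypothetical.

```python
import base64
import json
import sys


def build_payload(values):
    """Return the JSON text for `podman secret create`: every value base64-encoded."""
    return json.dumps(
        {key: base64.b64encode(val.encode()).decode("ascii") for key, val in values.items()}
    )


def check_payload(payload, required_keys):
    """Return a list of problems in a payload; an empty list means it looks usable."""
    try:
        data = json.loads(payload)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return ["top level must be a JSON object"]
    # Every key named in a secretKeyRef of the manifest has to exist in the secret.
    problems = [f"missing key: {k}" for k in required_keys if k not in data]
    for key, val in data.items():
        try:
            if not isinstance(val, str):
                raise ValueError("not a string")
            # validate=True rejects characters outside the base64 alphabet,
            # such as the ':' in an unencoded "user:password" value.
            base64.b64decode(val, validate=True)
        except ValueError:
            problems.append(f"value of {key} is not base64")
    return problems


if __name__ == "__main__":
    # Usage: ... | python3 check_secret.py cloud_id cloud_auth | sudo podman secret create ec-creds -
    text = sys.stdin.read()
    issues = check_payload(text, sys.argv[1:])
    if issues:
        sys.exit("\n".join(issues))  # non-zero exit; nothing is passed on to podman
    sys.stdout.write(text)
```

The base64 test is a heuristic: a raw value that happens to consist only of base64 characters with valid padding would pass it.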