Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Examples of doing some cool things with podman

Secrets

Podman now (well, for a while now) has support for secrets. RedHat has a blog about it. This is particularly useful to 1) maintain better compatibility with Kubernetes manifests and 2) keep your secrets out of your git commits!

So, what is not well documented (that I could find) is that you can use these secrets in a Kubernetes manifest to inject secrets into environment variables. To do this, you have to first base64 encode them as you would for an actual Kubernetes secret.

Here, I'm taking a YAML snippet, using yq to make it to JSON, then using jq to create a base64 encoded JSON. Finally, pass that to podman and tell it to create a secret called ec-creds.

cat <<EOF | yq e -o=json | jq '{ "cloud_id": (.cloud_id | @base64 ), "cloud_auth": (.cloud_auth | @base64)}' | sudo podman secret create ec-creds -
---
cloud_id: "<CLOUD ID NAME>:<ENCODED CLOUD ID}"
cloud_auth: "<CLOUD USER>:<CLOUD PASSWORD>"
EOF

You can now use that in a Kubernetes manifest as normal.

apiVersion: v1
kind: Pod
metadata:
  name: filebeat
spec:
  containers:
  - name: filebeat
    image: docker.elastic.co/beats/filebeat:7.15.0
    env:
      - name: ELASTIC_CLOUD_ID
        valueFrom:
          secretKeyRef:
            name: ec-creds
            key: cloud_id
      - name: ELASTIC_CLOUD_AUTH
        valueFrom:
          secretKeyRef:
            name: ec-creds
            key: cloud_auth
  restartPolicy: Never
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment