Lesson 9 - Mounting Secrets as Volumes

josepmaria

Hello,

On Lesson 9, mounting secrets as Volumes, it is said that we can verify that the secret is accessible in the container, by running the command:

$ kubectl ......................--cat/mysqlpassword/password

However, given the configuration of the secret spec on the same page, the secret name is mysql

Therefore, the command to verify if the secret is running on the container, perhaps it should be:

$ kubectl ......................--cat/mysqlpassword/mysql

I would appreciate if someone could shed some light on this.

Thank you,

Josep Maria

fazlur.khan

Hello @josepmaria,

When you mount a secret as a volume, the "keys" of the secrets will be created as files and the content of those files will be the "value".

In the above example - kubectl create secret generic mysql --from-literal=password=root
name of secret is mysql -
name of the key is password
value of the key is root

When you mount the secret mysql at the path /mysqlpassword (as per the yaml in the example), you will find the "keys" as files.

TLDR, The command mentioned in the course is correct to view the secret you will " kubectl exec -ti busybox -- cat /mysqlpassword/password"

Regards,
Fazlur

josepmaria

Hello @fazlur.khan ,

Thanks for your answer.

In the provided specs for Lesson 9, Mounting secrets as Volumes, we can see:

....
volumeMounts:
- mountPath: /mysqlpassword
name: mysql
name: busy
volumes:
- name: mysql
secret:
secretName: mysql

If the key is mysql, I do not understand why the command to view the password is not :
" kubectl exec -ti busybox -- cat /mysqlpassword/mysql"
instead of
" kubectl exec -ti busybox -- cat /mysqlpassword/password"

Please kindly let me know.

Thank you.

Josep Maria

fazlur.khan

To access data from a Secret in a Pod, you can let Kubernetes create a file inside the Pod's container(s) that contains the Secret's value.

For example, if you have a Secret called mysql with a key-value pair like "password: admin", Kubernetes can place this value in a file (e.g., /mysqlpassword/password) inside the container. The container can then read the file to get the password.

In the yaml manifest, we are referring the secret name, the contents of the secret will be created as files and made available at the path you want it to be mounted.

The key is not mysql, mysql is the secret name and you are just referencing it. You are asking all of the contents of this secret "mysql" to be made available as files in the mountpath of your choice.

josepmaria

Hello @fazlur.khan ,

I appreciate your quick answer.

Now I understand. Thank you very much.

Sincerely,

Josep Maria