Injecting Kubernetes secrets into an application
Note: This feature is in an early development phase. Future releases will contain improvements in managing secrets with PhariaOS.
With PhariaOS, you can inject environment variables into your application that reference secrets defined in the deployment namespace.
An example of this is a secret that contains API credentials to an external service provider with which you want your application to integrate.
Prerequisites
- You must know the name of the application that was provided to the PhariaOS API when the application was registered.
- You (or an administrator) are able to create and annotate secrets within your PhariaAI namespace.
Access the application with the secret
Before you can deploy your application with the secret, ask your Kubernetes administrator to add (or update) the annotation shown below on the secret in Kubernetes. For security reasons, a secret must be explicitly annotated before deployed applications can access it. This prevents unintended exposure of privileged secrets.
Add (or update) the annotation os.pharia.ai/allowed-usecases on the secret. The value must be a string literal; note the enclosing single quotation marks in the example below. Its contents must be formatted as a comma-delimited array of strings containing the names of the applications that access the secret:
---
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  annotations:
    os.pharia.ai/allowed-usecases: '["application 1","application 2"]'
data:
  # Placeholder; Kubernetes expects values under data to be base64-encoded.
  password: some-encrypted-secret
Deploy your application with the secret
To deploy your application with the secret reference injected as an environment variable, include the following object in your deployment request config object (see Deploying custom applications):
"config": {
  "secretEnvVars": [
    {
      "name": "MY_ENVIRONMENT_VARIABLE",
      "secret": {
        "name": "my-secret",
        "key": "password"
      }
    }
  ]
}
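A pre-deployment check for the two steps above, added here as an example and not part of PhariaOS: it confirms that each secretEnvVars entry points at a secret whose os.pharia.ai/allowed-usecases annotation lists the application and whose data contains the referenced key. It assumes the annotation value parses as a JSON array and that application names are compared exactly; the function names and the sample secret and config are constructed for illustration.

```python
import json

ANNOTATION = "os.pharia.ai/allowed-usecases"

# Constructed sample: the page's secret as `kubectl get secret my-secret -o json`
# would return it (the data value is a constructed base64 placeholder).
SECRET = {
    "kind": "Secret",
    "metadata": {"name": "my-secret",
                 "annotations": {ANNOTATION: '["application 1","application 2"]'}},
    "data": {"password": "aHVudGVyMg=="},
}
CONFIG = {"secretEnvVars": [{"name": "MY_ENVIRONMENT_VARIABLE",
                             "secret": {"name": "my-secret", "key": "password"}}]}


def allowed_apps(secret):
    """Parse the annotation into a list of application names or raise ValueError."""
    raw = ((secret.get("metadata") or {}).get("annotations") or {}).get(ANNOTATION)
    if raw is None:
        raise ValueError("annotation missing: no application may use this secret")
    try:
        apps = json.loads(raw)  # assumption: the value is read as a JSON array
    except json.JSONDecodeError as exc:
        raise ValueError(f"annotation is not a JSON array: {exc}") from None
    if not isinstance(apps, list) or not all(isinstance(a, str) for a in apps):
        raise ValueError("annotation must be an array of strings")
    return apps


def check(app_name, config, secrets):
    """Return a list of problems; an empty list means every reference is usable."""
    problems = []
    for var in config.get("secretEnvVars", []):
        ref = var["secret"]
        secret = secrets.get(ref["name"])
        if secret is None:
            problems.append(f"{var['name']}: secret {ref['name']!r} not found")
            continue
        try:
            if app_name not in allowed_apps(secret):
                problems.append(f"{var['name']}: {app_name!r} not in {ANNOTATION}")
        except ValueError as exc:
            problems.append(f"{var['name']}: {exc}")
        if ref["key"] not in (secret.get("data") or {}):
            problems.append(f"{var['name']}: key {ref['key']!r} not in secret data")
    return problems
```

Running the check against every secret an application references also shows which applications each secret is shared with, which is worth reviewing whenever the annotation is updated.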