
How to inject Kubernetes Secrets into your application

note

This feature is currently in early development. Expect improvements for managing secrets with PhariaOS in future releases.

With PhariaOS, you can inject environment variables into your application that reference secrets defined in the deployment namespace.

An example of this is a secret that contains API credentials to an external service provider, with which you would like your application to integrate.

important

These are important prerequisites to know before you begin.

  • You know the name of your Application that was provided to the PhariaOS API when the usecase was registered.
  • You (or an administrator) can create and annotate secrets within your PhariaAI namespace.

Granting your application access to the secret

Before you can deploy your application with the secret, you must ask your Kubernetes administrator to add (or update) the following annotation on the secret resource in Kubernetes. As a security measure, secrets must be specifically annotated to grant explicit access to deployed applications. This prevents unintended exposure of privileged secrets.

Add (or update) the annotation os.pharia.ai/allowed-usecases on the secret. The value must be a string literal (note the enclosing single quotation marks). The contents must be formatted as a comma-delimited array of strings containing the name(s) of the applications that access the secret.

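---
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  annotations:
    # The whole array is quoted so that the annotation value is a single string
    os.pharia.ai/allowed-usecases: '["application 1","application 2"]'
data:
  # Placeholder; Kubernetes expects base64-encoded values under data
  password: some-encrypted-secret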

Deploying your application with the secret

To deploy your application with the secret reference injected as an environment variable, include the following object in your deployment request config object (see How to Deploy Applications).

"config": {
  "secretEnvVars": [
    {
      "name": "MY_ENVIRONMENT_VARIABLE",
      "secret": {
        "name": "my-secret",
        "key": "password"
      }
    }
  ]
}
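
A pre-deployment check for the annotation and config described above, as an added example (not PhariaOS code): it parses the annotation value as an array of strings and confirms that the application name and the referenced key are present before you send the deployment request. It assumes exact, case-sensitive name matching and Secret objects shaped like `kubectl get secret -o json` output; `parse_allowed_usecases` and `preflight` are hypothetical helper names.

```python
import json

ANNOTATION = "os.pharia.ai/allowed-usecases"  # annotation name from this page

def parse_allowed_usecases(secret):
    """Return the application names in the annotation, or raise ValueError."""
    annotations = secret.get("metadata", {}).get("annotations") or {}
    raw = annotations.get(ANNOTATION)
    if raw is None:
        raise ValueError(f"annotation {ANNOTATION} is missing")
    try:
        names = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"annotation is not a valid array: {exc.msg}") from exc
    if not isinstance(names, list) or not all(isinstance(n, str) for n in names):
        raise ValueError("annotation must be an array of strings")
    return names

def preflight(app_name, config, secrets):
    """Check each secretEnvVars entry; secrets maps secret name -> Secret object."""
    problems = []
    for entry in config.get("secretEnvVars", []):
        ref = entry["secret"]
        secret = secrets.get(ref["name"])
        if secret is None:
            problems.append(f"{entry['name']}: secret {ref['name']!r} not found")
            continue
        try:
            allowed = parse_allowed_usecases(secret)
        except ValueError as exc:
            problems.append(f"{entry['name']}: {ref['name']!r}: {exc}")
            continue
        if app_name not in allowed:  # assumption: exact, case-sensitive match
            problems.append(f"{entry['name']}: {app_name!r} not allowed on {ref['name']!r}")
        if ref["key"] not in (secret.get("data") or {}):
            problems.append(f"{entry['name']}: key {ref['key']!r} not in {ref['name']!r}")
    return problems

# Constructed sample input mirroring the manifest and config on this page.
SAMPLE_SECRET = {"metadata": {"name": "my-secret", "annotations": {
    ANNOTATION: '["application 1","application 2"]'}},
    "data": {"password": "cGxhY2Vob2xkZXI="}}  # constructed base64 placeholder
SAMPLE_CONFIG = {"secretEnvVars": [{"name": "MY_ENVIRONMENT_VARIABLE",
    "secret": {"name": "my-secret", "key": "password"}}]}

if __name__ == "__main__":
    for app in ("application 1", "application 3"):
        print(app, preflight(app, SAMPLE_CONFIG, {"my-secret": SAMPLE_SECRET}) or "ok")
```

An annotation written as a bare comma-separated string (`application 1,application 2`) or as a single quoted name is reported as malformed rather than silently treated as an empty allow list.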