Deployment, secrets

skateco · Sep 17, 2024 · 26a9b25 · 26a9b25
1 parent e5fc43a
commit 26a9b25
Show file tree

Hide file tree

Showing 2 changed files with 71 additions and 52 deletions.
diff --git a/content/docs/components/deployments.md b/content/docs/components/deployments.md
@@ -29,55 +29,3 @@ spec:
 All pods in a deployment automatically receive a dns listing under `<name>.<namespace>.pod.cluster.skate`.
 See [Services](/docs/components/services) for more information on exposing the deployment as a service which is more reliable.
 
-## Injecting secrets
-
-Secrets within the same namespace can be injected via:
-```yaml
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: nginx
-  namespace: my-app
-spec:
-  ...
-  template:
-    spec:
-      containers:
-      - name: echo
-        ...
-        env:
-        - name: TEST_SECRET
-          valueFrom:
-            secretKeyRef:
-              name: test
-              key: password
-
-```
-## Mounting Secrets
-
-```yaml
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: nginx
-  namespace: my-app
-spec:
-  ...
-  template:
-    spec:
-      containers:
-      - name: echo
-        ...
-        volumeMounts:
-        - name: test-mount
-          mountPath: /etc/foo
-          readOnly: true
-      volumes:
-      - name: test-mount
-        secret:
-          secretName: test
-          optional: false
-```
-
diff --git a/content/docs/components/secrets.md b/content/docs/components/secrets.md
@@ -4,3 +4,74 @@ date = 2024-09-13T12:58:25+02:00
 draft = false
 type="docs"
 +++
+
+Secrets are scheduled across all nodes in the cluster, stored as [podman secrets](https://docs.podman.io/en/latest/markdown/podman-secret-create.1.html)
+
+```shell
+cat <<<EOF | skate apply -f -
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test
+  namespace: my-app
+type: Opaque
+data:
+  username: dXNlcg==
+  password: NTRmNDFkMTJlOGZh
+EOF
+```
+
+`podman kube play` actually stores the full yaml as the secret value, and supports injecting or mounting secrets into containers.
+
+## Injecting secrets
+
+Secrets within the same namespace can be injected via:
+```yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+  namespace: my-app
+spec:
+  ...
+  template:
+    spec:
+      containers:
+      - name: echo
+        ...
+        env:
+        - name: TEST_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: test
+              key: password
+
+```
+## Mounting Secrets
+
+```yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+  namespace: my-app
+spec:
+  ...
+  template:
+    spec:
+      containers:
+      - name: echo
+        ...
+        volumeMounts:
+        - name: test-mount
+          mountPath: /etc/foo
+          readOnly: true
+      volumes:
+      - name: test-mount
+        secret:
+          secretName: test
+          optional: false
+```
+