Kubernetes and secrets is always a difficult problem. I’ve got a super simple solution using AWS SSM today that we can use during our CI/CD pipeline to inject our secrets into our services. This is so simple and quick, that you might miss it, so I’ll get to it.

First, log into AWS and open up Systems Manager. Go to Parameter Store, and create a new Parameter. The parameter type needs to be SecureString, feel free to name it whatever you like; I like to go with /<cloud_provider>-secret/k8s/<application>/<environment>. Add the contents of secret.yaml as the parameter’s value.

apiVersion: v1
kind: Secret
metadata:
  name: wp-secrets
  namespace: wp-custom-domain
data:
  wordpress_db_password: QXdm .. mRUg=

Secondly, jump into your CI configuration and add the following as a step prior to creating your Kubernetes Deployment.

# create secrets
# /do/k8s/$APP_TYPE/$CI_ENVIRONMENT_NAME
aws ssm get-parameters-by-path \
  --path "/${CLOUD_PROVIDER}-secret/k8s/${APP_TYPE}/" \
  --query "Parameters[?Name==\`/do/k8s/${APP_TYPE}/${CI_ENVIRONMENT_NAME}\`].Value" \
  --with-decryption --output text | kubectl apply -f -

Finally, configure your Deployment spec to include the value of the secret using the valueFrom directive.

spec:
  containers:
  - name: wordpress
    image: _/wordpress:5.3.2
    env:
    - name: WORDPRESS_DB_PASSWORD
      valueFrom:
         secretKeyRef:
           name: wp-secrets
           key:  wordpress_db_password

The only thing you need to do now is run your CI Deployment and your secrets will be available in Kubernetes! See, I told you it was simple! This is a simple, yet effective way to deploy secrets into your environment while keeping them out of source code.