1
00:00:00,920 --> 00:00:05,130
In this video we're going to learn how to create a secret inside of a Kubernetes cluster.

2
00:00:05,150 --> 00:00:11,240
So here's the command we're going to run: kubectl create secret generic, then the name of the secret.

3
00:00:11,450 --> 00:00:14,040
Then dash dash from literal equals.

4
00:00:14,060 --> 00:00:17,200
Then the key that we want to set and the value for it.

5
00:00:17,210 --> 00:00:18,500
Couple of notes on this.

6
00:00:18,530 --> 00:00:20,290
First off, the word generic right here.

7
00:00:20,300 --> 00:00:24,950
There are different kinds of secrets we can create in Kubernetes. An example of a different kind of secret

8
00:00:24,950 --> 00:00:30,050
we can create is some information related to accessing a repository of Docker images.

9
00:00:30,080 --> 00:00:32,000
That is a different kind of secret.

10
00:00:32,150 --> 00:00:38,120
We are creating a generic secret, which means this is just an all-purpose kind of secret piece of information.

11
00:00:39,280 --> 00:00:40,440
The name of the secret

12
00:00:40,450 --> 00:00:44,800
right here is very similar to the names we assign to pods or deployments.

13
00:00:44,800 --> 00:00:50,650
This is mostly used for logging purposes, but in the case of a secret we also use this to refer to it inside

14
00:00:50,650 --> 00:00:56,350
of a pod config file. You'll see an example of that very shortly. Over here on the right hand side we can

15
00:00:56,350 --> 00:01:00,430
assign many different properties or many different key value pairs into a secret.

16
00:01:00,430 --> 00:01:09,450
In this case we are saying one key value pair of JSON Web Token or JWT equals asdf, and there's another

17
00:01:09,450 --> 00:01:10,690
note I want to give you here.

18
00:01:10,800 --> 00:01:17,040
This is an example of an imperative command in Kubernetes. Imperative commands are where we run a command

19
00:01:17,070 --> 00:01:23,610
to create an actual object. For everything else we've done in Kubernetes so far we have not used an imperative

20
00:01:23,610 --> 00:01:27,160
approach where we run commands to directly create objects.

21
00:01:27,330 --> 00:01:33,240
Instead we used a more declarative approach where we wrote out a config file and then applied that config

22
00:01:33,240 --> 00:01:34,320
file.

23
00:01:34,380 --> 00:01:38,190
The reason that we are using this imperative approach right here is because we don't really want to

24
00:01:38,190 --> 00:01:42,820
have a config file that lists out the value of our secrets.

25
00:01:42,930 --> 00:01:46,590
We don't necessarily have to list out the value of a secret inside the config file.

26
00:01:46,590 --> 00:01:51,690
We can technically use a local environment variable on your machine and then refer to that from the

27
00:01:51,690 --> 00:01:52,860
config file.

28
00:01:52,860 --> 00:01:57,460
And so that would still allow us to have a more declarative approach.

29
00:01:57,510 --> 00:01:59,960
So this is just a very easy way of creating a secret.

30
00:02:00,000 --> 00:02:04,890
The one downside to it is that anytime you start to create or spin up a new cluster you are going to

31
00:02:04,890 --> 00:02:08,570
have to remember all the different secrets that you had created over time.

32
00:02:08,580 --> 00:02:13,200
So even though this is very easy to run right now, it does not require us to create a config file or

33
00:02:13,200 --> 00:02:16,140
set up some local environment variable or anything like that.

34
00:02:16,170 --> 00:02:22,390
There is a cost to pay down the line as we have to remember the different secrets. Now, what I do personally:

35
00:02:22,900 --> 00:02:27,730
whenever I'm working on a cluster and I'm creating secrets manually in this style,

36
00:02:27,730 --> 00:02:34,440
I will essentially just take this exact command right here and store it in some very very secure location.

37
00:02:34,510 --> 00:02:37,320
I usually do not really do that for production deployments.

38
00:02:37,330 --> 00:02:40,750
Instead I will write out that or take that config file approach.

39
00:02:40,810 --> 00:02:45,910
But for a development or a staging or a test environment I will usually just kind of copy paste this

40
00:02:45,910 --> 00:02:47,910
somewhere else in a very secure location.

41
00:02:47,920 --> 00:02:50,380
I'm not going to tell you where I store it in particular.

42
00:02:50,530 --> 00:02:53,690
You could do some research on your own and just throw the command over there.

43
00:02:53,710 --> 00:02:57,610
So any time I need to remember all the different secrets that exist I can just go and reference that

44
00:02:57,610 --> 00:02:58,310
file.

45
00:02:58,720 --> 00:02:58,960
OK.

46
00:02:58,990 --> 00:03:00,070
So let's go over to our terminal.

47
00:03:00,070 --> 00:03:04,450
We are going to run that command back over here.

48
00:03:04,450 --> 00:03:08,260
We'll do a kubectl and then create secret generic.

49
00:03:12,940 --> 00:03:21,850
We'll then put down the name of the secret, which is JWT dash secret, then dash dash from literal and

50
00:03:21,850 --> 00:03:24,750
then our key value pair we want to set inside of here.

51
00:03:24,760 --> 00:03:31,090
So on this diagram I said JWT is asdf. That's probably not a great key value pair just because it's

52
00:03:31,090 --> 00:03:37,650
implying that the value of JWT is asdf. Maybe a better thing to use here would be something like JWT

53
00:03:37,750 --> 00:03:40,980
key or something like that equals asdf.

54
00:03:41,020 --> 00:03:49,990
That might be a little bit more clear, but we can do JWT underscore key equals asdf. Naturally, in reality

55
00:03:50,020 --> 00:03:51,490
you probably want to use a string here

56
00:03:51,490 --> 00:03:57,490
way more complicated than asdf. You might want to do something like that, but for me in a development

57
00:03:57,520 --> 00:04:01,360
environment asdf is just fine. Okay.

58
00:04:01,420 --> 00:04:02,980
So now the secret is created.

59
00:04:03,210 --> 00:04:07,590
We can always get a list of all the different secrets that exist inside of our cluster by doing a

60
00:04:07,600 --> 00:04:09,980
kubectl get secrets.

61
00:04:10,280 --> 00:04:15,710
And so you'll see in my case I've got a couple of secrets that already exist, such as Stripe, a Postgres

62
00:04:15,720 --> 00:04:20,690
password and the one that we just created two seconds ago.

63
00:04:20,800 --> 00:04:22,090
OK, so now we've created that secret.

64
00:04:22,090 --> 00:04:25,070
We need to somehow get it into our pods.

65
00:04:25,120 --> 00:04:29,650
So we need to take the information out of that secret and set it on the environment variables for each of

66
00:04:29,650 --> 00:04:35,800
our different pods. To do so we're going to open up our pod config file, or more precisely our deployment

67
00:04:35,800 --> 00:04:36,880
config file.

68
00:04:36,880 --> 00:04:42,580
We're going to add in some options to our pod configuration spec that's going to tell Kubernetes that

69
00:04:42,580 --> 00:04:48,550
whenever it creates this pod we want to find the secret, get that JWT underscore key piece of information

70
00:04:48,820 --> 00:04:54,410
and assign it to the set of environment variables that appear inside of that container. So let's go

71
00:04:54,410 --> 00:05:01,480
and find our deployment config file that is inside of our infra directory, auth dash depl.

72
00:05:01,490 --> 00:05:07,300
So this is the only pod that we're creating right now through this deployment, so we need to somehow

73
00:05:07,390 --> 00:05:13,690
reference that secret and tell Kubernetes to include it as an environment variable inside of this container

74
00:05:13,750 --> 00:05:18,390
right here. To do so, right after image,

75
00:05:18,390 --> 00:05:22,630
we're gonna throw in a new line and put in an env section, E-N-V.

76
00:05:22,800 --> 00:05:24,840
This is short for environment variable.

77
00:05:24,840 --> 00:05:28,170
So this is where we're going to list out all the different environment variables we want to have access

78
00:05:28,170 --> 00:05:30,630
to inside of this container.

79
00:05:30,680 --> 00:05:34,240
This is going to be an array, so I'm going to put down a single dash.

80
00:05:34,280 --> 00:05:39,140
Right now we're going to have just a single entry. I'm going to put in a name property.

81
00:05:39,210 --> 00:05:44,620
This is going to be the name of the environment variable as it shows up inside of that container.

82
00:05:44,640 --> 00:05:50,790
So when we start up our auth application, name right here is going to be the property on our set of environment

83
00:05:50,790 --> 00:05:55,750
variables that we're going to access inside of our auth app. For us,

84
00:05:55,760 --> 00:05:57,020
we'll just stay very consistent.

85
00:05:57,020 --> 00:06:00,860
We're going to use a name of JWT underscore key.

86
00:06:03,640 --> 00:06:07,300
Then we're going to tell Kubernetes that we want the value for this environment variable to come

87
00:06:07,300 --> 00:06:09,040
from the secret that we just created.

88
00:06:09,040 --> 00:06:15,960
So we will write out value from, secret key ref, which is short for reference.

89
00:06:16,140 --> 00:06:23,470
We'll then list out the name of the secret. The name of the secret that we just created was JWT dash

90
00:06:23,530 --> 00:06:30,780
secret, so put in JWT dash secret, and then the key inside there.

91
00:06:31,210 --> 00:06:34,540
So remember, inside of a secret we can have many different key value pairs.

92
00:06:34,570 --> 00:06:37,860
We just used a key of JWT underscore key.

93
00:06:37,870 --> 00:06:42,370
So we want to look up this key value pair and give us the value for it.

94
00:06:42,370 --> 00:06:47,690
So for key I'll put in JWT underscore key like so. That should be it.

95
00:06:47,970 --> 00:06:48,560
I'll now save

96
00:06:48,580 --> 00:06:55,510
this. I'm going to go back over to my terminal, take a look at Skaffold, and I'll see that a change was made

97
00:06:55,510 --> 00:06:57,130
to my auth deployment.

98
00:06:57,160 --> 00:07:00,260
Now I do want to show you something really really interesting very quickly.

99
00:07:00,310 --> 00:07:04,690
This is something that might help you out down the line. Really quick, back inside of another terminal window,

100
00:07:04,690 --> 00:07:05,890
I'm gonna do a kubectl

101
00:07:05,890 --> 00:07:08,050
get pods and I'll see that,

102
00:07:08,050 --> 00:07:08,520
yep,

103
00:07:08,530 --> 00:07:14,010
my pod is running right there. I'm now going to go back to that same config file, and I encourage you

104
00:07:14,070 --> 00:07:15,050
not to do this.

105
00:07:15,090 --> 00:07:17,050
This is just a very quick example.

106
00:07:17,250 --> 00:07:21,600
I'm gonna find the secret key ref, I'm gonna find the name of the secret we want to load up and I'm gonna

107
00:07:21,600 --> 00:07:23,450
change it to gibberish.

108
00:07:23,580 --> 00:07:28,370
So this is a reference to a key that does not exist inside of our cluster.

109
00:07:28,470 --> 00:07:34,370
I'm then going to save this, flip back over. If I go to Skaffold I'll see that,

110
00:07:34,380 --> 00:07:34,900
hey,

111
00:07:35,040 --> 00:07:35,340
all right.

112
00:07:35,340 --> 00:07:39,540
Looks like the deployment was configured, but I got an error right here from something.

113
00:07:39,540 --> 00:07:42,400
Who knows what's actually throwing this error that says secret blah blah blah

114
00:07:42,510 --> 00:07:46,480
not found. A little bit more interesting than that little error, though:

115
00:07:46,740 --> 00:07:50,100
if I go and do another kubectl get pods,

116
00:07:50,100 --> 00:07:55,620
I'm going to get another pod right here for our auth deployment that has a status of create container

117
00:07:55,650 --> 00:07:58,210
config error. To debug this,

118
00:07:58,230 --> 00:08:02,850
we would do a describe statement, or run the describe command on this pod.

119
00:08:02,940 --> 00:08:10,730
I'll do a kubectl describe pod and then put in the name of the pod that I want to describe. When

120
00:08:10,730 --> 00:08:11,360
I run that,

121
00:08:11,390 --> 00:08:15,580
I then get the error that says secret blah blah blah not found.

122
00:08:15,590 --> 00:08:19,760
So it turns out that if you try to load a secret or reference a secret inside of a pod that doesn't

123
00:08:19,760 --> 00:08:20,430
exist,

124
00:08:20,450 --> 00:08:23,670
Kubernetes is just going to not start up that pod.

125
00:08:23,720 --> 00:08:28,040
This is just, like I said, something to keep in mind because I've run into this issue every now and then

126
00:08:28,430 --> 00:08:30,450
where I will try to deploy something new.

127
00:08:30,470 --> 00:08:35,360
I'll then get a create container config error and I say to myself, what's going on here?

128
00:08:35,390 --> 00:08:40,310
And so you do the describe and it turns out you might have made a typo in the name of the secret.

129
00:08:40,330 --> 00:08:40,610
All right.

130
00:08:40,630 --> 00:08:44,520
I'm going to revert that change back to JWT dash secret.

131
00:08:44,560 --> 00:08:47,910
So now if I save this I should be able to flip back over,

132
00:08:47,950 --> 00:08:50,400
take a look at Skaffold again.

133
00:08:50,450 --> 00:08:52,250
Looks like there's still an issue here.

134
00:08:52,250 --> 00:08:56,180
I'm not really gonna sweat that too much. If I do a kubectl get pods,

135
00:08:56,510 --> 00:08:57,320
yeah, that's better.

136
00:08:57,320 --> 00:08:59,510
So looks like everything is back to running as expected.

137
00:09:00,950 --> 00:09:01,220
OK.

138
00:09:01,280 --> 00:09:03,240
So we have now created our secret.

139
00:09:03,290 --> 00:09:05,670
We have bound it to a very specific container.

140
00:09:05,720 --> 00:09:10,430
And the last thing we have to do is go into the application that's running inside of that container

141
00:09:11,000 --> 00:09:16,760
and make sure that we start to reference that environment variable called JWT underscore key.

142
00:09:16,760 --> 00:09:18,630
So let's take care of that in just a moment.