CX Cloud Docs
Managing Secrets
Kubernetes can store secrets and make them available to your services. You can store different secrets and expose them to your CX Cloud deployment through environment variables. To store a secret in the applications namespace (the default namespace for CX Cloud apps), run the following command:
```bash
$ kubectl create secret generic prod-db-secret \
    --from-literal=username=produser \
    --from-literal=password=Y4nys7f11 \
    --namespace=applications
```
You have to specify which namespace you want your secret to be created in, because only deployments in that namespace will be able to access the secrets.
Now when you create a deployment, you can reference your secret:
.cxcloud.yaml
```yaml
deployment:
  name: my-backend
  image:
    name: my-backend-image
    repository: YOUR_AWS_ECR_REPOSITORY_URL_HERE
    version: 1.1.1
  containerPort: 8080
  replicas: 2
  env:
    - name: NODE_ENV
      value: production
    - name: PROD_DB_USERNAME
      valueFrom:
        secretKeyRef:
          name: prod-db-secret
          key: username
    - name: PROD_DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: prod-db-secret
          key: password
```
When the service is deployed, your secrets will become available under the environment variables you have specified. For example in NodeJS, you can access them like so:
```javascript
console.log(process.env.PROD_DB_USERNAME); // produser
console.log(process.env.PROD_DB_PASSWORD); // Y4nys7f11
```
For more information about Kubernetes secrets, visit this article.

Example: Storing and using secrets in NodeJS and `node-config` module

One of the core services that you can generate using the CX Cloud CLI is the Commerce service. It communicates with the commercetools platform and thus requires some configuration (such as an API key). We can take advantage of the Kubernetes secrets explained above to store this information without having to publish it to GitHub.
First, generate a service using the CLI and choose Commercetools, as explained in its section.
Then, according to node-config's documentation, create a file named custom-environment-variables.json in the config folder of the generated service with the following content:
```json
{
  "commerceTools": {
    "projectKey": "COMMERCETOOLS_PROJECT_KEY",
    "admin": {
      "clientId": "COMMERCETOOLS_ADMIN_CLIENT_ID",
      "clientSecret": "COMMERCETOOLS_ADMIN_CLIENT_SECRET"
    },
    "user": {
      "clientId": "COMMERCETOOLS_USER_CLIENT_ID",
      "clientSecret": "COMMERCETOOLS_USER_CLIENT_SECRET"
    }
  }
}
```
This file tells node-config to look for those environment variables and map them to the given keys. For example, the configuration key commerceTools.admin.clientId will map to COMMERCETOOLS_ADMIN_CLIENT_ID, and so on.
Now we have to store this data in Kubernetes and make it available to our service through the specified environment variables. To do that, first create a secret in the applications namespace:
```bash
$ kubectl create secret generic prod-commercetools \
    --from-literal=projectKey=xxxxxxx \
    --from-literal=adminClientId=xxxxxxx \
    --from-literal=adminClientSecret=xxxxxxx \
    --from-literal=userClientId=xxxxxxx \
    --from-literal=userClientSecret=xxxxxxx \
    --namespace=applications
```
Replace the xxxxxxx above with your actual data. A secret will be created.
Now modify your .cxcloud.yaml file and add the environment variables that reference the secret you just created (the new entries start at line 12, with COMMERCETOOLS_PROJECT_KEY):
.cxcloud.yaml
```yaml
deployment:
  name: $APP_NAME
  image:
    name: $APP_NAME
    repository: xxxxxx.dkr.ecr.eu-west-1.amazonaws.com/newsite.example.com
    version: $APP_VERSION
  containerPort: 4003
  replicas: 2
  env:
    - name: NODE_ENV
      value: production
    - name: COMMERCETOOLS_PROJECT_KEY
      valueFrom:
        secretKeyRef:
          name: prod-commercetools
          key: projectKey
    - name: COMMERCETOOLS_ADMIN_CLIENT_ID
      valueFrom:
        secretKeyRef:
          name: prod-commercetools
          key: adminClientId
    - name: COMMERCETOOLS_ADMIN_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          name: prod-commercetools
          key: adminClientSecret
    - name: COMMERCETOOLS_USER_CLIENT_ID
      valueFrom:
        secretKeyRef:
          name: prod-commercetools
          key: userClientId
    - name: COMMERCETOOLS_USER_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          name: prod-commercetools
          key: userClientSecret
```
When done, increase the version in your package.json file and run:
```bash
$ cxcloud deploy
```
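A startup check for the setup above, as an added example that is not part of the CX Cloud docs or the generated service: it walks the same mapping as custom-environment-variables.json and reports which secret-backed variables are missing from the environment, by name only, so no secret value reaches the logs. The function names and SAMPLE_MAPPING are assumptions made for illustration; the `__name` leaf is node-config's object form of a mapping entry.

```javascript
// Added example (not CX Cloud code): verify at startup that every environment
// variable named in custom-environment-variables.json is actually set.
// Constructed sample with the same shape as the mapping file shown above.
const SAMPLE_MAPPING = {
  commerceTools: {
    projectKey: 'COMMERCETOOLS_PROJECT_KEY',
    admin: {
      clientId: 'COMMERCETOOLS_ADMIN_CLIENT_ID',
      clientSecret: 'COMMERCETOOLS_ADMIN_CLIENT_SECRET'
    },
    user: {
      clientId: 'COMMERCETOOLS_USER_CLIENT_ID',
      clientSecret: 'COMMERCETOOLS_USER_CLIENT_SECRET'
    }
  }
};

// Flatten the mapping into [{ key: 'commerceTools.admin.clientId', envVar }].
function listMappedVars(mapping, prefix = '') {
  const out = [];
  for (const [name, value] of Object.entries(mapping)) {
    const key = prefix ? `${prefix}.${name}` : name;
    if (typeof value === 'string') {
      out.push({ key, envVar: value });
    } else if (value && typeof value.__name === 'string') {
      // node-config's object form: { "__name": "VAR", "__format": "json" }
      out.push({ key, envVar: value.__name });
    } else if (value && typeof value === 'object') {
      out.push(...listMappedVars(value, key));
    }
  }
  return out;
}

// Entries whose variable is unset or empty. Names only, never values,
// so the result can be logged without leaking a secret.
function findMissingSecrets(mapping, env = process.env) {
  return listMappedVars(mapping).filter(({ envVar }) => !env[envVar]);
}

// Hypothetical startup hook: throws before the service accepts traffic.
function assertSecretsPresent(mapping, env = process.env) {
  const missing = findMissingSecrets(mapping, env);
  if (missing.length > 0) {
    const names = missing.map(m => `${m.envVar} (${m.key})`).join(', ');
    throw new Error(`Missing secret-backed environment variables: ${names}`);
  }
  return listMappedVars(mapping).length; // number of variables checked
}
```

Kubernetes will not start a container whose secretKeyRef names a key that is absent from the secret, so this check mainly catches env entries that were left out of .cxcloud.yaml or mapped to an empty value.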