Azure First Community

loading...
Cover image for Sync GitHub with  Kubernetes cluster secrets with GitHub Actions

Sync GitHub with Kubernetes cluster secrets with GitHub Actions

r3cha profile image Roman Klevtsov ・Updated on ・2 min read

Export GitHub and Kubernetes Secrets using GitHub Actions CI/CD.

Hello, do you love GitHub Actions so much as we? πŸ‘Ύ

I think you want to use Github Secrets to store your environment variables and sync with Kubernetes secrets. All fine when we have the only one production environment.

Add secrets at repository settings

Alt Text

Then easily create a Kubernetes secret contains your picked GitHub Secrets like this:

- uses: Azure/[email protected]
  with:
    namespace: ${{ env.NAMESPACE }}
    secret-type: 'generic'
    secret-name: application-secret-name
    arguments:
      --from-literal=API_SECRET_NAME_ONE=${{ secrets.API_SECRET_NAME_ONE }}
      --from-literal=API_SECRET_NAME_TWO=${{ secrets.API_SECRET_NAME_TWO }}
Enter fullscreen mode Exit fullscreen mode

😞 But usually we have multiple environments

And at this moment GitHub does not support environments for Secrets where you can split your keys. For example something like ${{ secrets.production.KEY_NAME }}.

πŸ€” Hmm what will be a simple and quick solution without additional coding?

  • Right! Use namespace in GitHub Secret names: ${{ secrets.STAGING_KEY_NAME }}. We can combine shared and namespace secrets between the environment and create Kubernetes secret during the deployment process.

For staging environment:

- uses: Azure/[email protected]
  if: ${{ contains(env.NAMESPACE, 'staging') }}
  with:
    namespace: staging
    secret-type: 'generic'
    secret-name: application-secret-name
    arguments: |
      --from-literal=SOME_KEY=${{ secrets.SOME_KEY }}
      --from-literal=SOME_USERNAME=${{ secrets.STAGING_SOME_USERNAME }}
      --from-literal=API_KEY_ONE=${{ secrets.STAGING_API_KEY_ONE }}
      ...
Enter fullscreen mode Exit fullscreen mode

Same code for your production environment.

It's simple and works flawlessly! But YAML looks big & scary if you have few environments and a lot of secrets for each of them.

Take a look at our dead simple solution!

We know from GitHub Actions docs that secrets has two type of access:

  • property dereference syntax ${{ secrets.SOME_ENV }}
  • hash-like brackets ${{ secrets['SOME_ENV'] }} Same time has format function that accepts any number of argument and you can interpolate them as want. Like we need format('{0}_{1}', 'STAGING', β€˜SOME_SECRET') will return string 'STAGING_SOME_SECRET'. Combine this two knowledges and write a common YAML code that will create secrets for all your environments (in our case staging and production).

Here is:

- uses: Azure/[email protected]
  with:
    namespace: env.NAMESPACE
    secret-type: 'generic'
    secret-name: application-secret-name
    arguments: |
      --from-literal=SHARED_SECRET=${{ secrets.SHARED_SECRET }}
      --from-literal=SOME_SECRET_ONE=${{ secrets[format('{0}_{1}', env.NAMESPACE, 'SOME_SECRET_ONE')] }}
      --from-literal=SOME_SECRET_TWO=${{ secrets[format('{0}_{1}', env.NAMESPACE, 'SOME_SECRET_TWO')] }}
Enter fullscreen mode Exit fullscreen mode

This create shared secrets for all environments like SHARED_SECRET and also some specific secrets STAGING_SOME_SECRET_TWO and PRODUCTION_SOME_SECRET_TWO as SOME_SECRET_TWO for related Kubernetes namespaces.

The secret will be created in the cluster context which was set earlier in the workflow by using either azure/aks-set-context or `azure/k8s-set-context

This Github Secret Azure/k8s-create-secret works with other Kubernetes clusters - only one thing you need to be sure that you're able to run kubectl command at your cluster. Personally, I test this action on GCP Cluster and Azure Kubernetes Service.

Thanks for reading!

Photo at top by Nubelson Fernandes on Unsplash

Discussion (0)

pic
Editor guide