Secrets

Learn how to securely handle secrets, API keys, passwords, and certificates in your applications.

Introduction

Secrets contain sensitive information like passwords, API keys, and certificates that your applications need to function. OpenShift provides Kubernetes Secrets to store this data securely, separate from your application code and container images.

Why use Secrets:

  • Keep sensitive data out of container images and code repositories
  • Enable secret rotation without rebuilding applications
  • Support different secret types for various use cases

Kubernetes Secrets vs External Solutions:

  • Kubernetes Secrets: Built-in, simple to use, suitable for most applications and environments
  • External Secret Management: Advanced option for organizations needing centralized secret management, automatic rotation, detailed audit trails, or managing secrets across multiple clusters

Creating Secrets

Create Directly in OpenShift

Never store secrets in code repositories. Instead, create them directly in OpenShift using one of these methods:

Option 1: OpenShift Web Console (Recommended)

  1. Open your OpenShift web console
  2. Navigate to your project/namespace
  3. Go to Workloads > Secrets
  4. Click Create > Key/value secret
  5. Add your secret name and key-value pairs
  6. Click Create

Option 2: OpenShift CLI

oc create secret generic app-secrets \
  --from-literal=database-url="postgresql://user:pass@db.example.com:5432/myapp" \
  --from-literal=stripe-secret-key="sk_test_1234567890abcdef" \
  --from-literal=sendgrid-api-key="SG.AbCdEf123456.XyZ789Example"

Option 3: External Secret Management

For advanced use cases, external secret management tools like HashiCorp Vault and Azure Key Vault can automatically sync secrets into OpenShift.

Use this option when you need centralized management across multiple clusters or advanced security features.

Using Secrets

Environment Variables

The most common way to consume secrets:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  template:
    spec:
      containers:
      - name: my-app
        image: my-app:latest
        env:
        # Reference specific secret keys
        - name: DATABASE_URL
          valueFrom:
            secretKeyRef:
              name: app-secrets
              key: database-url
        - name: STRIPE_SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: app-secrets
              key: stripe-secret-key
        # Or use envFrom to expose every key of the secret as an environment
        # variable. Each key must be a valid environment variable name
        # (letters, digits, underscore); keys such as database-url are skipped
        # by the kubelet, which records an event instead of failing the pod.
        envFrom:
        - secretRef:
            name: app-secrets

Volume Mounts

For configuration files and certificates:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  template:
    spec:
      containers:
      - name: my-app
        image: my-app:latest
        volumeMounts:
        - name: tls-certs
          mountPath: /etc/ssl/certs
          readOnly: true
        - name: config-files
          mountPath: /app/config
          readOnly: true
      volumes:
      - name: tls-certs
        secret:
          secretName: my-tls-secret
      - name: config-files
        secret:
          secretName: config-secret

Complete Example: Application with Secrets

Step 1: Create Secret in OpenShift Web Console

  1. Navigate to Workloads > Secrets in your project
  2. Click Create > Key/value secret
  3. Name: app-secrets
  4. Add keys:
     • database-url: postgresql://user:password@db.example.com:5432/myapp
     • stripe-secret-key: sk_test_1234567890abcdef
     • sendgrid-api-key: SG.AbCdEf123456.XyZ789Example

Step 2: Reference Secret in Your GitOps Repository

# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app
        image: my-app:latest
        env:
        - name: DATABASE_URL
          valueFrom:
            secretKeyRef:
              name: app-secrets  # References secret created in OpenShift
              key: database-url
        - name: STRIPE_SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: app-secrets
              key: stripe-secret-key
        - name: SENDGRID_API_KEY
          valueFrom:
            secretKeyRef:
              name: app-secrets
              key: sendgrid-api-key
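
As an added example (not part of this page and not OpenShift's own tooling), a Python check that a GitOps pipeline could run against the deployment.yaml above and the envFrom form from the Environment Variables section: it confirms that every secretKeyRef points at a Secret key that actually exists in the namespace, and flags envFrom keys that Kubernetes would skip because they are not valid environment variable names. The manifests are embedded as constructed Python dicts (the JSON form that oc also accepts) rather than read from files; `check_secret_refs`, `SECRETS` and `DEPLOYMENT` are assumed names.

```python
import re

# Kubernetes only exports envFrom keys that are valid C identifiers; any other
# key is skipped at container start and reported as an event on the pod.
ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed sample: the key names of this page's Secret, as you would read them
# from the .data keys of `oc get secret app-secrets -o json` (values not needed).
SECRETS = {"app-secrets": {"database-url", "stripe-secret-key", "sendgrid-api-key"}}

# Constructed sample: dict form of the page's deployment.yaml plus the envFrom form,
# with one deliberate mistake: smtp-password is not a key of app-secrets.
DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [{
    "name": "my-app",
    "env": [
        {"name": "DATABASE_URL", "valueFrom": {"secretKeyRef": {"name": "app-secrets", "key": "database-url"}}},
        {"name": "SMTP_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "app-secrets", "key": "smtp-password"}}},
    ],
    "envFrom": [{"secretRef": {"name": "app-secrets"}}],
}]}}}}


def check_secret_refs(deployment: dict, secrets: dict) -> list:
    """Return a list of problems with the Secret references in a Deployment."""
    # `secrets` maps Secret name -> set of key names present in the namespace.
    problems = []
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        # env[].valueFrom.secretKeyRef: both the Secret and the key must exist.
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref is None:
                continue
            keys = secrets.get(ref["name"])
            if keys is None:
                problems.append(f"{c['name']}: env {env['name']} references missing Secret {ref['name']}")
            elif ref["key"] not in keys:
                problems.append(f"{c['name']}: env {env['name']} references missing key {ref['key']} in Secret {ref['name']}")
        # envFrom[].secretRef: every key becomes an env var named prefix + key.
        for src in c.get("envFrom", []):
            ref = src.get("secretRef")
            if ref is None:
                continue
            keys = secrets.get(ref["name"])
            if keys is None:
                problems.append(f"{c['name']}: envFrom references missing Secret {ref['name']}")
                continue
            for key in sorted(keys):
                if not ENV_NAME.match(src.get("prefix", "") + key):
                    problems.append(f"{c['name']}: envFrom key {key!r} from {ref['name']} is not a valid environment variable name and will be skipped")
    return problems
```

Running it on the constructed sample reports the missing smtp-password key and the three hyphenated keys that envFrom would drop; an empty list means the manifest's references are consistent with the Secret.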

Secret Updates

When you update a secret, running pods don't automatically pick up the changes. Restart the deployment so that new pods start with the new secret values:

oc rollout restart deployment/my-app

Next Steps

Now that you understand secrets management:

  • ConfigMaps - Manage non-sensitive application configuration
  • Storage - Persistent storage for your applications