1

I am using GCP Container Engine in my project and now I am facing some issue that I don't know if it can be solved via secrets.

One of my deployments is node-js app server, there I use some npm modules which require my GCP service account key (.json file) as an input.

The input is the path where this json file is located. Currently I managed to make it work by providing this file as part of my docker image and then in the code I put the path to this file and it works as expected. The problem is that I think that it is not a good solution because I want to decouple my nodejs image from the service account key because the service account key may be changed (e.g. dev,test,prod) and I will not be able to reuse my existing image (unless I will build and push it to a different registry).

So how could I upload this service account json file as secret and then consume it inside my pod? I saw it is possible to create secrets out of files but I don't know if it is possible to specify the path to the place where this json file is stored. If it is not possible with secrets (because maybe secrets are not saved in files...) so how (and if) it can be done?

Improve this question

2 Answers 2

Reset to default
1

You can make your json file a secret and consume in your pod. See the following link for secrets (http://kubernetes.io/docs/user-guide/secrets/), but I'll summarize next:

First create a secret from your json file:

kubectl create secret generic nodejs-key --from-file=./key.json

Now that you've created the secret, you can consume in your pod (in this example as a volume):

{ "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "nodejs" }, "spec": { "containers": [{ "name": "nodejs", "image": "node", "volumeMounts": [{ "name": "foo", "mountPath": "/etc/foo", "readOnly": true }] }], "volumes": [{ "name": "foo", "secret": { "secretName": "nodejs-key" } }] } }

So when your pod spins up the file will be dropped in the "file system" in /etc/foo/key.json

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

I think you deploy on GKE/GCE, you don't need the key and it's going to work fine.

I've only tested with Google Cloud Logging but it might be the same for other services as well.

Eg: i only need the below when deploying app on gke/gce

var loggingClient = logging({ projectId: 'grape-spaceship-123' });
Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.