Storing data in a Kubernetes secret
We are using Kubernetes secret to store API sensitive data like target client Id, secrets and credentials and we are reading this in API Proxies in Apigee Hybrid.
We referred below documentation to create the secrets -
https://cloud.google.com/apigee/docs/hybrid/v1.3/k8s-secrets
1) We deleted the secrets completely but still proxy was getting the secret values. Are the pods caching these secrets? If yes, what is the ttl for this cache. Is this ttl value configurable?
2) We have given the properties file names as upper and lower case mixed but policies are expecting the file names in all lower case. Is this expected?
Best Answer
Answer by dane knezic
·
Feb 24 at 08:15 AM
RE 1, you will need to restart the pods
RE 2 Do you have a specific example of how you're using it in a policy?
I have created a properties file like below -
SampleTest.properties
api-key=secret-key
I am trying to read the value using Assign message policy like below -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="AM-ExtractSecret">
<DisplayName>AM-ExtractSecret</DisplayName>
<Properties/>
<AssignVariable>
<Name>apikey</Name>
<Ref>private.secret.SampleTest.properties.api-key</Ref>
</AssignVariable>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
<AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
This throws an error as unresolved variable. But when I give the file name in AM policy in smaller case then it works -
<Ref>private.secret.sampletest.properties.api-key</Ref>
There is a note added in Apigee docs -
https://cloud.google.com/apigee/docs/hybrid/v1.3/k8s-secrets#retrieving-data-from-a-secret
Note: This filename must be in lowercase letters.
