Storing data in a Kubernetes secret

We are using a Kubernetes secret to store sensitive API data like target client IDs, secrets and credentials, and we are reading this in API proxies in Apigee hybrid.


We referred to the documentation below to create the secrets:

https://cloud.google.com/apigee/docs/hybrid/v1.3/k8s-secrets

1) We deleted the secrets completely, but the proxy was still getting the secret values. Are the pods caching these secrets? If yes, what is the TTL for this cache? Is this TTL value configurable?

2) We have given the properties file names in mixed upper and lower case, but policies are expecting the file names in all lower case. Is this expected?

1 ACCEPTED SOLUTION

RE 1: You will need to restart the pods.

RE 2: Do you have a specific example of how you're using it in a policy?


I have created a properties file like the one below:

SampleTest.properties

api-key=secret-key

I am trying to read the value using an AssignMessage policy like the one below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="AM-ExtractSecret">
    <DisplayName>AM-ExtractSecret</DisplayName>
    <Properties/>
    <AssignVariable>
        <Name>apikey</Name>
        <Ref>private.secret.SampleTest.properties.api-key</Ref>
    </AssignVariable>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

This throws an unresolved variable error. But when I give the file name in the AM policy in lower case, it works:

<Ref>private.secret.sampletest.properties.api-key</Ref>

There is a note added in the Apigee docs:

https://cloud.google.com/apigee/docs/hybrid/v1.3/k8s-secrets#retrieving-data-from-a-secret

Note: This filename must be in lowercase letters.
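
A lint check for the lowercase rule discussed in this thread, as an added example that is not part of the original posts or of Apigee's tooling: it scans a policy's `<Ref>` values for `private.secret.` references whose file name contains upper-case letters and proposes the lowercase form. The function name `lint_secret_refs`, the sample policy and the assumption that secret file names end in `.properties` are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Reference shape taken from the thread: private.secret.<file>.properties.<key>
# Assumption: the secret file name ends in ".properties".
SECRET_REF = re.compile(r"^private\.secret\.(?P<file>.+?\.properties)\.(?P<key>.+)$")


def lint_secret_refs(policy_xml):
    """Return (original_ref, corrected_ref) for each mis-cased secret reference."""
    findings = []
    root = ET.fromstring(policy_xml.strip())
    for ref in root.iter("Ref"):
        text = (ref.text or "").strip()
        match = SECRET_REF.match(text)
        if not match:
            continue  # not a Kubernetes-secret reference
        filename = match.group("file")
        if filename != filename.lower():
            # Only the file name is lowercased; the property key is kept as written.
            fixed = "private.secret.%s.%s" % (filename.lower(), match.group("key"))
            findings.append((text, fixed))
    return findings


# Constructed sample policy: one mis-cased reference, one correct, one unrelated.
SAMPLE_POLICY = """<AssignMessage name="AM-ExtractSecret">
    <AssignVariable>
        <Name>apikey</Name>
        <Ref>private.secret.SampleTest.properties.api-key</Ref>
    </AssignVariable>
    <AssignVariable>
        <Name>apikey2</Name>
        <Ref>private.secret.sampletest.properties.api-key</Ref>
    </AssignVariable>
    <AssignVariable>
        <Name>verb</Name>
        <Ref>request.verb</Ref>
    </AssignVariable>
</AssignMessage>"""

if __name__ == "__main__":
    for original, fixed in lint_secret_refs(SAMPLE_POLICY):
        print("mis-cased secret file name: %s -> %s" % (original, fixed))
```

Running it over policy files before deployment catches the mis-cased reference at review time rather than as an unresolved variable at runtime.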