OpenShift- Configuring Application Security using Secret.

Khemnath chauhan
3 min readJan 13, 2024

Under this topic we will discuss how we can protect access credentials using secrets.

Key Objectives:

  • Create secrets to manage sensitive information and share secrets between applications.


Applications often require access to sensitive information. For instance to connect to database application requries access to database credentials to connect to database.
Kubernetes and OpenShift uses secret resources to hold sensitive information such as -
- passwords
- sensitive configuration files.
- Credentials to an external resource, such as OAuth tokens.
A secret can store any type of data. Data in a secret is Base64-encoded, not stored in plain text. Secret data is not encrypted, you can decode the secret from Base64 format to access the original data.

Features of secrets:

  • Secret data can be shared within a project namespace.
  • Secret data is referenced independently. Administrators can create and manage a secret resource that other team members can reference in their deployment configurations
  • Secret data is injected into pods when Openshift creates a pod. You can expose a secret as an environment variable or as a mounted file in the pod.
  • If the value of a secret changes during pod execution, the secret data in the pod doesn’t update. After a secret value changes, you must create a new pods to inject the new secret data.
  • Any secret data that OpenShift injects into a pod is ephemeral. If OpenShift exposes sensitive data to a pod as environment variables, then those variables are destroyed when the pod is destroyed.

Use Cases for Secrets:

Main use cases of secrets are storing credentials and securing communication between services.


Store sensitive information such as password and user names.

  • If an application ecpects to read sensitive information from a file, then moun the secret as a data volume to the pod. The application can read the secret as an ordinary file to access the sensitive information. Some databases, for example, read credentials from a file to authenticate users.
  • Some applications use environment variables to read configuration and sensitive data. You can link secret variables to pod environment variables in a deployment configuration.

Transport Layer Security (TLS):

Use a TLS certificate and key to secure communication to pod. A TLS secret stores the certificate as tls.crt and the certificate key as tls.key. Developers can mount the secret as a volume and create a pass through route to the application.

Creating a Secret:

Below are different ways to create secrets resource in OpenShift.
If a pod requires access to sensitive information, then create a secret for the information before you deploy the pod. use one of the following commands to create a secret.

  1. Create a generic secret containing key-value pairs from literals values typed on the command line:
$ oc create secret generic secret_name --from-literal key1=secret1 \
--from-literal key2=secret2

2. Create a generic secret using key names specified on the command line and values from files:

$ oc create secret generic ssh-keys --from-file id_rsa=/path-to/id_rsa \

3. Create a TLS secret specifying a certificate and the associated key:

$ oc create secret tls tls-secret --cert /opt/certs/path \
--key /opt/certs/path

Exposing Secrets to Pods:

Inorder to expose a secret to a pod, first create the secret. Assign each piece of sensitive data to a key. After creation, the secret contains key-value pairs. The following command creates a generic secret named demo-secret

$ oc create secret generic test-secret --from-literal user=dba-user
--from-literal db_password=aTx013hK

Using secrets as POD environment Variables:

Let’s consider a 3 tier application that reads database password from the DB_PASSWORD environment variable. Modify the environment variables section of the deployment configuration to use values from the secret

name: test-secret
key: db_password

Above pod configuration details:
- DB_PASSWORD: Environement variable name in the pod that contains the data from secret.
- The secretKeyRef key expects a secret. Use the configMapKeyRef key for configuration maps.
- The name of the secret that contains the desired sensitive information.
- The name of the key that contains the sensitive informatio in the secret.